Posted by SA SA on 01/15/07 20:24
I will give it a try. Basically, we have a link for each sport that
passes the variable to sports.php; based on the sport, sports.php
displays news releases.
suresh
http://www.domain.org/sports.php?sport=m_football
http://www.domain.org/sports.php?sport=m_softball
http://www.domain.org/sports.php?sport=m_soccr
P Pulkkinen wrote:
> > I do not know anything about PHP but thrown into this mix. I was told
> > by my ISP that there is vulnerability in following code to allow
> > spammer load an offsite php script for mailing. The defective code is:
>
> > if (isset($HTTP_GET_VARS['sport']))
> > {
> > $sport = $HTTP_GET_VARS['sport'];
> > require ($sport.".php");
> > }
>
> $allowable_sports= array("football", "rugby", "tennis");
>
> if (isset($HTTP_GET_VARS['sport']) && in_array($HTTP_GET_VARS['sport'],
> $allowable_sports) )
> { $sport = $HTTP_GET_VARS['sport']; require ($sport.".php"); }
> else
> { require ("no_sport_just_sofa.php"); }
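As an added example (not code from either poster), here is the allow-list idea above written so that the request value is only ever used as a key into a fixed map and $sport no longer depends on register_globals; the sport keys and filenames are assumed from the URLs quoted in this post.

```php
<?php
// Added example, not from the thread: a hardened replacement for the
// quoted include. The request parameter never becomes part of a path;
// it is only a lookup key into a fixed map of allowed sport pages.
// Sport keys and filenames are assumed from the URLs in the post.
$sport_pages = array(
    'm_football' => 'm_football.php',
    'm_softball' => 'm_softball.php',
    'm_soccer'   => 'm_soccer.php',
);

// Use $_GET instead of the old $HTTP_GET_VARS, and read the value into a
// local variable explicitly rather than relying on register_globals.
$requested = isset($_GET['sport']) ? (string) $_GET['sport'] : '';

if (array_key_exists($requested, $sport_pages)) {
    // Only a filename taken from the map reaches require(); a remote URL
    // or a "../" traversal string in the parameter is simply not a key.
    $page = dirname(__FILE__) . '/' . $sport_pages[$requested];
} else {
    // Unknown or missing sport: fall back to a fixed default page,
    // as the quoted fix does with no_sport_just_sofa.php.
    $page = dirname(__FILE__) . '/no_sport_just_sofa.php';
}

require $page;
```

Disabling allow_url_include (and allow_url_fopen where possible) in php.ini adds a second layer, but the map lookup is what removes the attacker-controlled path entirely.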