Posted by Toby Inkster on 01/12/07 18:11
Rik wrote:
> It never even occurred to me to include files I did not write myself :P
> Validating a file is very difficult, you'll have to check it by hand.
Don't validate the file itself -- validate the filename! For example,
check that the filename doesn't include any slashes, backslashes or colons
and you should be sorted.
<?php
$file = $_GET['fileName'];
// Refuse any name containing a slash, backslash or colon.
if (preg_match('/[\/\\\:]/', $file))
    die("Dirty, rotten scoundrel!");
// Escape the name before echoing it back into the page.
echo "Requested File is: " . htmlspecialchars($file);
include($file);
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
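A stricter variant of the same idea, added here as an example and not code from the post: instead of rejecting characters, accept only known page names and confirm the resolved path still lies under the include directory. INCLUDE_DIR, the page names and the "fileName" parameter are assumed for illustration.

```php
<?php
// Added example (not from the original post): restrict includes to a fixed
// allowlist and confirm the resolved path stays inside the include directory.
// INCLUDE_DIR and the page names are assumed values for illustration.
const INCLUDE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolveIncludePath($requested): ?string
{
    // Reject non-string input (e.g. fileName[]=...) and unknown page names.
    if (!is_string($requested) || !in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . $requested . '.php');
    // realpath() returns false for a missing file or directory.
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved file must sit below the include directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['fileName'] ?? 'home';
$path = resolveIncludePath($page);
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Because the request only selects an entry from the allowlist, the user-supplied string is never used directly as a path.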