Posted by Leif K-Brooks on 07/07/89 11:17
Toby Inkster wrote:
> http://examples.tobyinkster.co.uk/frames/frameset.php
 
 You should probably check that $_GET['page'] is a valid page before
 trying to include it. Right now, if you go to
 http://examples.tobyinkster.co.uk/frames/frameset.php?page=nonexistant,
 it will try to open a file called pages/nonexistant.page and display a
 PHP error message when the file can't be found.
 
 I don't think there's much of a security vulnerability (you can't see
 the database password by viewing ../../include.php, for instance, since
 it appends .page to the filename), but it's always better to be safe
 than sorry.
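
One way to do the check suggested in the post above, as an added example that is not part of the original post or of Toby Inkster's script. It assumes the `pages/<name>.page` layout the post mentions; the `resolve_page()` helper, the `index` default and the 404 handling are hypothetical.

```php
<?php
// Hypothetical helper: map a requested page name to a file under pages/,
// or return null when the name is not a valid, existing page.
function resolve_page(string $pagesDir, $requested): ?string
{
    // Reject non-strings (e.g. ?page[]=x) and anything other than a short
    // name made of letters, digits, '_' and '-'. No dots or slashes allowed.
    if (!is_string($requested)
        || !preg_match('/\A[a-z0-9_-]{1,64}\z/i', $requested)) {
        return null;
    }

    $base = realpath($pagesDir);
    if ($base === false) {
        return null; // pages directory itself is missing
    }

    // realpath() returns false for a missing file and resolves symlinks,
    // so the result is the real location of what would be included.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.page');
    if ($path === false || !is_file($path)) {
        return null;
    }

    // Containment check: the resolved file must still live under pages/.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

// Assumed default page name when no ?page= parameter is given.
$file = resolve_page(__DIR__ . '/pages', $_GET['page'] ?? 'index');

if ($file === null) {
    // Answer with a plain 404 instead of letting include emit a PHP warning.
    http_response_code(404);
    echo 'Page not found.';
    exit;
}

include $file;
```

With this in place, a request such as `?page=nonexistant` gets a 404 response and no PHP error message reaches the visitor.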