here is my code for blog.php

PHP Code:

<?php 
$filename = $_REQUEST['blog'];

print "<?php include(' http://mysite.com/blog/ " . $filename . " .txt '); ?>";
?>

the url in the address bar is http://mysite.com/beta/blog.php?blog=1

can someone tell me whats wrong in the code.

anyone

Quote:

Originally Posted by simster

here is my code for blog.php

PHP Code:

<?php 
$filename = $_REQUEST['blog'];

print "<?php include(' http://mysite.com/blog/ " . $filename . " .txt '); ?>";
?>

the url in the address bar is http://mysite.com/beta/blog.php?blog=1

can someone tell me whats wrong in the code.

Why are you printing it? Try this instead:

PHP Code:

<?php 
$filename = 'http://mysite.com/blog/'.$_REQUEST['blog'].'.txt';
include($filename);
?>

Great tip VM! I was going to post something similar.

thank you

simster, this is quite possibly one of the least secure things I've ever encountered. You want your users to be able to include whatever text file from your server that they want to?

You need to do some type of authentication against allowed values in a database or pre-written array or something. I can't stress enough that this method is dangerous. Plus, posting here that you can arbitrarily include files from your server is not helping your cause.

only from that folder (nothing else is in there)

simster - Think about relative paths. What if you went to the following? What would the URL point at?

Code:

http://mysite.com/beta/blog.php?blog=../somesupersecrettextfile

its only a personal web site and that wont work with VMs code