mikebrum Posted March 24, 2009

I've been told (by our hosting) that there might be a security issue with this code:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" >
    <?php include_once('includes/header.php'); ?>
    <body>
    <div id="wrapper">
      <?php include_once('includes/navigation.php'); ?>
      <a id="top"></a>
      <div id="header">
        <?php include_once('includes/headerLeft.php'); ?>
        <div id="headerRight">
          <?php
            $pg = $_GET['pg'];
            if ($pg == '') { $pg = 'home'; }
          ?>
          <img src="images/<?php echo $pg; ?>.jpg" alt="" />
        </div>
      </div>
      <div id="content">
        <?php include_once($pg . '.php'); ?>
      </div>
      <?php include_once('includes/footer.php'); ?>
    </div>
    </body>
    </html>

We've been told that e-mails were sent (through this code) on our behalf. Any help would be appreciated, and thank you in advance for your help!

Mike
Synook Posted March 24, 2009

Well, you are basically allowing the user to include any PHP file they want through this line:

    <?php include_once($pg . '.php'); ?>

You could negate that by filtering the input (e.g. only allowing certain values or removing forward slashes).
justsomeguy Posted March 24, 2009

That script doesn't do any mailing, though. Do you have an include file that actually does the mailing?
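A hardened replacement for the $pg handling, following Synook's suggestion to allow only known values, as an added example that is not code from the thread. The allowed page names, the pages/ directory, the log message and the 404 response are assumptions.

```php
<?php
// Added example: allowlist-based page selection instead of including whatever
// $_GET['pg'] names. Assumes includable pages live in "pages/" next to this
// script; the page names below are constructed for illustration.

// 1. Only these names may ever be included; anything else falls back to 'home'.
$allowedPages = array('home', 'about', 'services', 'contact');

// 2. Normalise the raw parameter: missing or empty means 'home'.
$requested = isset($_GET['pg']) ? (string) $_GET['pg'] : '';
if ($requested === '') {
    $requested = 'home';
}

// 3. Strict membership test (third argument true avoids type juggling).
if (!in_array($requested, $allowedPages, true)) {
    // Unknown value: record it for the site owner, then serve the default page.
    error_log('Rejected pg parameter: ' . substr($requested, 0, 100));
    $requested = 'home';
}
$pg = $requested;

// 4. Belt and braces: build the path from a fixed base directory and confirm
//    with realpath() that the resolved file is still inside it.
$base = realpath(__DIR__ . '/pages');
$file = realpath($base . '/' . $pg . '.php');
if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit('Page not found');
}
?>
<!-- $pg is now a known value, but escape it on output as a matter of habit. -->
<img src="images/<?php echo htmlspecialchars($pg, ENT_QUOTES, 'UTF-8'); ?>.jpg" alt="" />
<div id="content">
  <?php include_once($file); ?>
</div>
```

With this in place a request for an unlisted page name never reaches include_once, and the rejected values show up in the error log, which is where to look when checking whether the site is still being probed.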