I was using this piece of php code for a site. Now its old and I recently had a few attacks. Script was used for to include another file from someplace else and send spam. Obviously this makes my script as spam sender. for the content $htm = ".htm"; $pid = "$details$htm"; function show_details($pid) { if (!preg_match("/http/", $pid)) { require($pid); } else { die; } } PHP: and for the title, desc , keywords etc.. $txt = ".txt"; $title = "$details$txt"; function show_title($title) { if (!preg_match("/http/", $title)) { if (file_exists($title)) { require($title); } else { die; } } } PHP: and a display.php file with print ' <!-- CONTENT --> '; show_details("$pid"); print ' PHP: by this code ı was able to call any content by "/display.php?details=mycontentpage" mycontentpage.htm mycontentpage.txt ............. Now this code has to be re-coded .. I can not change the construction as the site is just too big. So I guess I just have to stick to this.. Can anyone help ? Any comments ?
if ( !preg_match('/[^A-Za-z0-9]/', $string ) ) { // safe file name } else { die('BAD FILE NAME'); } PHP: if you want to you - and _ chars , you must use this if ( !preg_match('/[^A-Za-z0-9-_]/', $title ) ) { // safe file name } else { die('BAD FILE NAME'); } PHP:
:S it does not work.. I would prefer something with domain name or a host solution. Any suggestions ?