Remote / Local File Inclusion

As with many exploits, remote and local file inclusions come down to a problem in the code itself. Of course, it takes a second person to exploit it. This article will hopefully give you an idea of how to protect your website and, most importantly, your code from a file inclusion exploit. I'll give code examples in PHP. Let's look at some of the code that makes RFI / LFI exploits possible.

    <a href="index.php?page=file1.php">Files</a>

    <?php
    // Vulnerable: the raw query parameter is used as the include path.
    $page = $_GET['page'];
    include($page);
    ?>

Now, obviously this should not be used. The $page input is not sanitized. It is passed directly to the damn web page, which is a big "NO". Always sanitize any input passed through the browser. When the user clicks on "File" to visit "files.php" on the web page, something like this will appear:

    http://localhost/index.php?page=files.php

Now, if no one has sanitized the input in the $page variable, we can have it pointed ...
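A hardened counterpart to the include shown above, as an added example that is not part of the original article: the ?page= value is checked against an allowlist and the resolved path must stay inside one directory. The helper name resolve_page, the throwaway pages directory, the allowlist contents and the sample inputs are all assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the article): map the untrusted ?page= value
// to a file chosen by the server, never using the raw input as a path.
function resolve_page(string $requested, array $allowed, string $baseDir): ?string
{
    // 1. Allowlist: only exact, known names pass. URLs, "../" sequences
    //    and stream wrappers all fail this strict comparison.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Defense in depth: the file must exist and resolve inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway pages directory holding one includable file.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($pagesDir);
file_put_contents($pagesDir . DIRECTORY_SEPARATOR . 'files.php', "<?php echo 'file list';");
$allowed = ['files.php'];

// Constructed sample values standing in for $_GET['page'].
$samples = ['files.php', '../config.php', 'http://example.invalid/x.txt', 'FILES.PHP'];
foreach ($samples as $input) {
    $target = resolve_page($input, $allowed, $pagesDir);
    printf("%-30s => %s\n", $input, $target === null ? 'rejected (404)' : 'include ' . basename($target));
}

// In index.php the call site would look like this (paths are assumptions):
//   $target = resolve_page((string)($_GET['page'] ?? ''), $allowed, __DIR__ . '/pages');
//   if ($target === null) { http_response_code(404); exit; }
//   include $target;
```

Only the first sample resolves to a file; the other three are rejected before any path is built from them. Setting allow_url_include to Off in php.ini (the default) is a separate control that blocks the remote case even if the code check is missed.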