Hi, I've received a weird email today warning me that the way I place my pages, i.e. http://regretless.com/new/index.php?page=layoutarchives.inc, can cause possible hacking because you can view my code here: http://regretless.com/new/layoutarchives.inc
His argument is if someone knows my path to my passwd, you can do http://regretless.com/new/index.php?page=../../blah/passwd
I don't even think my passwd is on my FTP account (already asked my hosting company about this).
But either way, how can he find out my path to my passwd if it's on the account?
And how are passwords stored anyway?
I'm new to this and need some advice. Thanks!
Dude, kill that index.php NOW! Delete it. Move it someplace else, rename it, just get rid of it.
Worry about a replacement later.
NEVER use data that can be supplied by a user in a require() or an include(). It's a bad, bad thing.
Don't use .inc files. Make sure all PHP files end in .php; this will prevent users from viewing the source code. Passwords are commonly in source code.
If a user can supply a path to an include() then many files on the remote server can be viewed. With proper file permissions the effect can be minimized, but this is still a security concern. While you may not have passwords in your scripts, other users may.
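
One way to replace the `index.php?page=...` pattern discussed in this thread, as an added example that is not part of the original posts: the user's value is only looked up in a fixed list and never becomes part of a path. The page keys, the file names and the `pages/` directory are assumptions made for the example.

```php
<?php
// Added example: allow-list router replacing include($_GET['page']).
// Page keys, file names and the pages/ directory are hypothetical.

// Public page keys mapped to files. Only these files can ever be included.
// All of them end in .php so the server never serves them as plain text.
const PAGES = [
    'home'           => 'home.php',
    'layoutarchives' => 'layoutarchives.php',
];

// Directory holding the page files (ideally outside the web root).
const PAGE_DIR = __DIR__ . '/pages';

/**
 * Resolve a user-supplied page key to an absolute file path,
 * or return null when the key is not on the allow-list.
 */
function resolve_page($key): ?string
{
    // Reject arrays (?page[]=x) and anything else that is not a string.
    if (!is_string($key)) {
        return null;
    }
    // The user's value is used only as an array key, never as a path,
    // so "../../blah/passwd" simply fails the lookup.
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    // Defence in depth: confirm the resolved file really sits in PAGE_DIR.
    $real = realpath(PAGE_DIR . '/' . PAGES[$key]);
    $base = realpath(PAGE_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$file = resolve_page($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
require $file;
```

With this in place the URL becomes `index.php?page=layoutarchives`, and any value that is not a key in `PAGES` gets a 404 instead of reaching `require`.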