Quote:
Originally Posted by StuartD
How are PHP includes a security risk?
If that was the case, every site out there that uses PHP would be hacked right now.
Exactly. I actually had a couple of worried people message me this thread. If you include a remote file on another server, you get the contents of the output buffer from the other server, not the code itself.
Meaning, if you do <? echo file_get_contents('/etc/passwd'); ?> (assuming the other server even has the open_basedir restrictions set wrong enough to allow for that...) you would get the other server's stuff, not your own.