Hello.
I am running Apache 1.3.33 and PHP4 on Debian Sid 2.6.9. My page uses PHP to determine what page to view in the following fashion:
PHP Code:
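// Pick the page from ?main=...; basename() strips any directory part.
if (isset($_GET['main'])) {
    $maindisplay = basename($_GET['main']) . ".txt";
    $main = $_GET['main'];
}
else {
    $maindisplay = "main.txt";
    $main = 'main';
}
// Fall back to the 404 page when the requested file does not exist.
if (!file_exists($maindisplay)) {
    $maindisplay = "404.txt";
}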
...and displays the selected page like this:
PHP Code:
<div id="main">
<?php include($maindisplay); ?>
</div>
The problem is that anyone can view the raw text files instead of the ones produced by PHP by entering, for example, url.to.my.page/news.txt instead of url.to.my.page?main=news. This can be a Very Bad Thing if I have a script that I want to protect, or something like that.
How do I counter this? I will switch to using a MySQL database soon enough, but right now that isn't an option.
Thank you.
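
An added example, not part of the original post: one way to stop the page files from being fetched directly is to keep them outside the document root and include only names from a fixed list. The `pages` directory, its location one level above the document root, the `resolve_page()` helper and the names in `$allowed` are all assumptions; the code sticks to functions available in PHP 4.

```php
<?php
// Added example, not the poster's code. Assumptions: the .txt pages live in
// a directory named "pages" one level ABOVE the document root, so no URL
// maps to them; the page names in $allowed are placeholders.

// Directory outside the web root (hypothetical layout).
define('PAGE_DIR', dirname(dirname(__FILE__)) . '/pages');

// Resolve a requested page name to a file path, or to the 404 page.
function resolve_page($requested, $allowed)
{
    // Accept only short names made of letters, digits, "_" and "-".
    // This rejects "../", null bytes, arrays (?main[]=x) and empty
    // strings before the value gets anywhere near the filesystem.
    if (!is_string($requested)
        || !preg_match('/^[A-Za-z0-9_-]{1,32}\z/', $requested)) {
        return PAGE_DIR . '/404.txt';
    }
    // Only names on the fixed list are ever included.
    if (!in_array($requested, $allowed, true)) {
        return PAGE_DIR . '/404.txt';
    }
    $path = PAGE_DIR . '/' . $requested . '.txt';
    return is_file($path) ? $path : PAGE_DIR . '/404.txt';
}

$allowed = array('main', 'news', 'links');   // placeholder page names
$requested = isset($_GET['main']) ? $_GET['main'] : 'main';
$maindisplay = resolve_page($requested, $allowed);

// $main is rebuilt from the resolved file name, not from raw input,
// so it is safe to echo elsewhere in the template.
$main = htmlspecialchars(basename($maindisplay, '.txt'));
?>
<div id="main">
<?php include($maindisplay); ?>
</div>
```

If the files have to stay inside the document root, an `.htaccess` block such as `<Files ~ "\.txt$">` containing `Order allow,deny` and `Deny from all` makes Apache 1.3 refuse direct requests for them. `include()` still works in that case because it reads from the filesystem rather than over HTTP.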