Ok,
how do you include the pages?
Like home, members etc.
You check the $_GET['id'] variable, right?
Well, that variable comes from the URL, and anybody can modify it.
If they modify it in the right (wrong) way, it's potentially a security risk, because they can access and cause things you didn't mean for them to.
So you have to validate that variable, perform different checks so you're sure that no matter what the user enters for index.php?id=<insert stuff here>
it won't cause anything you didn't expect.
Right now there's a bunch of things that can happen that you didn't expect.
For example
index.php?id=../yourfile
will include a file that is located in the parent folder of the folder where index.php is located.
Where, if index.php is in public_html, then your file will be in /home/a135s9/8x2.
Only things in public_html can be accessed by connecting to the webserver.
But with your setup they can access any file that ends with .php anywhere.
So that's a potential security risk =D
I am not good at explaining things and I am not an expert, but still, try to fix that.
gl
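One way to do the validation the post is asking for, as an added example that is not part of the original post or the asker's code: instead of building the include path from $_GET['id'], look the id up in a fixed allowlist of pages and refuse anything else. The pages/ directory, the two page names and the 404 handling are assumptions for illustration.

```php
<?php
// Added example, not the original poster's code.
// Assumes the includable pages live in a "pages/" directory next to index.php.

declare(strict_types=1);

// Allowlist: the only "id" values that can ever be included, and the file each maps to.
// The user's input is used purely as an array key; it is never spliced into a path,
// so values like "../yourfile" or "../../etc/passwd" simply fail the lookup.
const PAGES = [
    'home'    => 'home.php',
    'members' => 'members.php',
];

/**
 * Resolve a user-supplied id to a file path inside pages/, or null if it is not allowed.
 */
function resolve_page(?string $id): ?string
{
    if ($id === null || $id === '') {
        $id = 'home';                 // default page when no id is given
    }
    if (!array_key_exists($id, PAGES)) {
        return null;                  // anything not on the list is rejected
    }
    return __DIR__ . '/pages/' . PAGES[$id];
}

// The pattern the post warns about, shown only for comparison (do not use):
//   include $_GET['id'] . '.php';
// With that line, id=../yourfile includes a file outside public_html.

$file = resolve_page($_GET['id'] ?? null);
if ($file === null) {
    http_response_code(404);          // unknown id: refuse instead of including
    echo 'Page not found';
    exit;
}
include $file;
```

The point is that validation here does not try to strip or detect "../"; it never lets the raw value reach include at all. Adding a new page means adding one line to PAGES, which also gives you a single place to review what the site can load.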