nicx Posted January 12, 2009

Mr. I created an HTML source viewer with the file_get_contents() function. But it has a bug, so someone can know my cPanel username and password. Where can he know that? What method does he use? My code:

```php
<form action="" method="post"><input type="text" name="url" /><input type="submit" value="submit" /></form>
<?php
// Fetch whatever was typed into the form and print it escaped
$file = @file_get_contents($_POST["url"]);
echo nl2br(htmlspecialchars($file));
?>
```

DeanWhitehouse Posted January 12, 2009

Wow that made no sense at all

premiso Posted January 12, 2009

You're not filtering the POST input. If a person knows your host structure they can basically read any file on your server with that script. I would suggest validating the URL input to avoid this issue.

nicx (Author) Posted January 13, 2009

What method to use my structure data? Or how to show my data? Give me an example: what did he input into that form?

premiso Posted January 13, 2009

If he did, say, index.php, it would print out that full file, all the code. As long as you have an index.php. Give it a try.

cwarn23 Posted January 13, 2009

I found that the easiest way to prevent the user from viewing your source code and just seeing HTML is by making them put in the full URL (including http:// or https://). So the following should work and has a validator.

```php
<form action="" method="post">You must place the full url starting with http:// or https://<br />
<input type="text" name="url" value="http://<?php echo htmlspecialchars($_SERVER['SERVER_NAME']); ?>"/>
<input type="submit" value="submit" /></form>
<?php
// Only fetch input that starts with http:// or https://
if (isset($_POST["url"]) && preg_match('#^https?://#i', $_POST["url"])) {
    $file = @file_get_contents($_POST["url"]);
    echo nl2br(htmlspecialchars($file));
} else if (isset($_POST["url"])) {
    echo "You must have the full url starting with http:// or https://";
}
?>
```

nicx (Author) Posted January 14, 2009

Thanks bro, I understand now

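Added example, not part of the original thread: one way to do the URL validation the replies recommend for this source viewer. It goes beyond the http/https prefix check by also refusing hosts that resolve to loopback, private or reserved addresses and by not following redirects. The function names `viewer_validate_url` and `viewer_fetch` and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Return the URL only if it is an absolute http(s) URL whose host resolves
// exclusively to public addresses; otherwise return null.
function viewer_validate_url(string $input): ?string
{
    $url = trim($input);
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // e.g. "index.php": no scheme, would be read as a local path
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // only web URLs; every other stream wrapper is refused
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return null; // host does not resolve
    }
    foreach ($ips as $ip) {
        // Loopback, private and reserved ranges would let the viewer reach the
        // server itself or its internal network.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    return $url;
}

// Fetch a validated URL without following redirects and with a size limit.
function viewer_fetch(string $url, int $maxBytes = 200000): ?string
{
    $ctx = stream_context_create(['http' => [
        'follow_location' => 0, // a redirect target has not been validated
        'timeout' => 5,
    ]]);
    $body = @file_get_contents($url, false, $ctx, 0, $maxBytes);
    return $body === false ? null : $body;
}

// Constructed sample inputs; only validation runs here, no request is sent.
$samples = ['index.php', 'file:///var/www/index.php', 'http://127.0.0.1/',
            'http://192.168.0.10/', 'https://8.8.8.8/page.html'];
foreach ($samples as $s) {
    echo str_pad($s, 28), viewer_validate_url($s) === null ? 'rejected' : 'accepted', "\n";
}
```

In the form handler, the result of `viewer_validate_url($_POST["url"])` would be passed to `viewer_fetch()` and the body printed with `nl2br(htmlspecialchars(...))` as in the thread. The host name is resolved again when the request is made, so a stricter deployment would also pin the connection to the address that was checked.
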