Then you can have SQL injection attacks, too! :)

I don't know enough about PHP, but I would double check that doing something like \/ (escaped forward-slash) doesn't get around that code. It doesn't look like it would though.

> -----Original Message-----
> From: tclug-list-bounces at mn-linux.org
> [mailto:tclug-list-bounces at mn-linux.org] On Behalf Of Matt Murphy
> Sent: Friday, March 05, 2004 10:22 AM
> To: 'TCLUG Mailing List'
> Subject: RE: [TCLUG] Attack
>
>
> > Can you build a dictionary list corresponding to the
> > filenames so that the visible URL that people see is
> > something like
> > "http://domain.tld/location/FISH4310PREL2Q0OU", or submit the
> > form variable as the hash. Then find the
> > file based on the hash...?
>
> Ack, now I see what you were doing... Store your files
> in a database!!!
>
> Matt

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
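The token-to-file lookup suggested in the quoted message, together with the SQL injection concern raised in the reply, as an added example that is not part of the original thread. It assumes Python and SQLite in place of the poster's PHP setup; the table, function names and sample paths are hypothetical.

```python
import re
import secrets
import sqlite3

# Opaque URL tokens: only this alphabet and length range is ever accepted,
# so slashes, backslashes, quotes and dots never reach the lookup.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,64}")


def open_store():
    """Create the in-memory token -> path table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (token TEXT PRIMARY KEY, path TEXT NOT NULL)")
    return db


def publish(db, path):
    """Register a file and return the random token that appears in the URL."""
    token = secrets.token_urlsafe(16)  # 128 random bits, 22 URL-safe characters
    db.execute("INSERT INTO files (token, path) VALUES (?, ?)", (token, path))
    return token


def lookup(db, token):
    """Bound-parameter query: the token is passed as data, never as SQL text."""
    row = db.execute("SELECT path FROM files WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


def resolve(db, token):
    """Validate the token's shape first, then look it up. None means 404."""
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        return None
    return lookup(db, token)


if __name__ == "__main__":
    db = open_store()
    token = publish(db, "/srv/files/report.pdf")  # constructed sample path
    print(token, "->", resolve(db, token))
    # Constructed malformed inputs: both are rejected before any query runs.
    print(resolve(db, "..\\/..\\/etc\\/passwd"), resolve(db, "x' OR '1'='1"))
```

The request never carries a filename, so path tricks such as the escaped slash have nothing to act on, and the bound parameter keeps a quote-bearing value from changing the query even if the shape check were skipped.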