Let's say we have a PHP script named get-image.php:
<?php
$file = $_GET['image-filename'];
// here would be some code to make sure $file is really an image, ...
// here we would output the image to the browser
header("Content-Type: image/jpeg"); // the header name must be Content-Type, not "Content"
include($file); // the problem: include() parses $file as PHP before sending it
die();
The include statement will try to parse $file as PHP code. Even if $file is a legitimate image, it may contain comments or metadata (EXIF fields, for example) with arbitrary bytes, and any <?php ... ?> block found there is executed with the web server's privileges.
What if such a comment contains <?php unlink(__FILE__); ?>? It would delete get-image.php from your server.
Conclusion:
- use the include and require statements for including PHP scripts only
- use readfile, file_get_contents, etc. for serving images, text, and other non-PHP content
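A hardened version of get-image.php following the conclusion above, as an added example that is not part of the original post; the IMAGE_DIR constant and the resolve_image() and image_mime() helpers are names chosen here, and it assumes the fileinfo extension is available:

```php
<?php
// Hardened get-image.php (added example). Images are assumed to live in one fixed
// directory below this script; IMAGE_DIR is an assumption of this example.
const IMAGE_DIR = __DIR__ . '/images';

function resolve_image(string $requested): ?string
{
    // basename() strips any directory part; requiring it to equal the input
    // rejects "../", absolute paths and anything else containing a separator.
    $name = basename($requested);
    if ($name === '' || $name !== $requested) {
        return null;
    }
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $name);
    // realpath() follows symlinks, so confirm the final target is still inside IMAGE_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function image_mime(string $path): ?string
{
    // Sniff the real content instead of trusting the filename extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    $allowed = ['image/jpeg', 'image/png', 'image/gif'];
    return in_array($mime, $allowed, true) ? $mime : null;
}

$path = resolve_image($_GET['image-filename'] ?? '');
$mime = $path !== null ? image_mime($path) : null;
if ($mime === null) {
    http_response_code(404);
    exit('Not found');
}

// readfile() only copies bytes to the output: nothing is parsed as PHP, so an
// embedded <?php ... ?> comment reaches the browser as plain image data.
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

The directory check and the MIME sniff are independent layers: the first keeps the request from reaching files outside the image directory, the second keeps non-image files in that directory from being served as images.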