Thread: Php includes

  1. #1
    Junior Member
    Join Date
    Jul 2005
    Posts
    2
    Member #
    10676
    I want to know what to put in my href= for a PHP include so I can link directly to it. I'm not using PHP includes the traditional way, i.e. menu, header, footer. Instead I just include my main content in the right side of the page. If anyone can help me that would be great.

  3. #2
    Senior Member Eddy Bones's Avatar
    Join Date
    Jan 2004
    Location
    Washington, USA
    Posts
    1,054
    Member #
    4651
    You can't link to an include that way; it's not like a frame.

  4. #3
    Junior Member
    Join Date
    Jul 2005
    Posts
    2
    Member #
    10676
    I have done it before. I just forgot how to do it and can't get to the source code.

  5. #4
    Senior Member Eddy Bones's Avatar
    Join Date
    Jan 2004
    Location
    Washington, USA
    Posts
    1,054
    Member #
    4651
    It isn't as simple as just a text link is what I'm saying.

    Here's one way of doing it. It may not be the way you remember, but there are multiple ways of doing it I assume.

    On the top of the page you would need something like this:
    Code:
    // Default to the main page when no id is given in the URL
    if (empty($_GET['id'])) {
      $page = "main";
    } else {
      $page = $_GET['id'];
    }
    For the navigation you would then have something like this:
    Code:
    <a href="index.php?id=variable">Link</a>
    "Variable" will be the relative URL of the page you want to put in the include.

    The include would be like this:
    Code:
    include($page.".inc");
    Hope that helps a bit. If you need me to clarify anything let me know.

  6. #5
    Junior Member phleet's Avatar
    Join Date
    Jul 2005
    Location
    Ottawa, Ontario, Canada
    Posts
    23
    Member #
    10674
    I'm not ENTIRELY sure, but I think there are ways to inject that.

    There's a thing called a poison null byte injection. If you can inject, you might be able to read files you aren't supposed to by going something like...

    index.php?id=../../../../../../etc/passwd%0

    The %0 ensures that everything past it does absolutely nothing, as the %0 won't be read properly when executing certain commands.

    I'm not entirely sure, but it would probably be safer to use a switch, so it would only include certain pages.

  7. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    444
    Member #
    2801
    This is very insecure! You have to clean up the variable before you use it.

    The simplest way is to remove all funny characters (so if your page ID is only numbers and letters, then that's the only thing that should be left) and then do a switch or a series of if/elseif/else.

    Make sure you have a default case too.
    eKstreme

  8. #7
    Senior Member
    Join Date
    Jun 2005
    Location
    Atlanta, GA
    Posts
    4,146
    Member #
    10263
    Liked
    1 times
    Quote Originally Posted by phleet
    index.php?id=../../../../../../etc/passwd%0

    The %0 ensures that everything past it does absolutely nothing, as the %0 won't be read properly when executing certain commands.
    Looks to me like that's the kind of exploit that would only work on a misconfigured server... There's no reason for PHP to be including anything outside of the server root, and I'm pretty sure there's a way of restricting that.

  9. #8
    Junior Member phleet's Avatar
    Join Date
    Jul 2005
    Location
    Ottawa, Ontario, Canada
    Posts
    23
    Member #
    10674
    Quote Originally Posted by Shadowfiend
    Looks to me like that's the kind of exploit that would only work on a misconfigured server... There's no reason for PHP to be including anything outside of the server root, and I'm pretty sure there's a way of restricting that.
    Regardless of whether that's true or not, it's still much safer to have it working off cases than to include a page based solely on the content of a world writable variable.

  10. #9
    Senior Member
    Join Date
    Jun 2005
    Location
    Atlanta, GA
    Posts
    4,146
    Member #
    10263
    Liked
    1 times
    That much is true, thus my not contesting the comments to that effect :-).
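
The advice in posts #5 and #6 (only include known pages, allow letters and digits only, always have a default case) can be written as a lookup table, shown here as an added example that is not code from any poster in the thread. The page names, the `.inc` files, the `pages` directory and the function name `resolve_page` are assumptions made for illustration; ids with other characters are rejected rather than stripped.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist (page id => file); these names are assumptions.
const PAGES = [
    'main'    => 'main.inc',
    'about'   => 'about.inc',
    'contact' => 'contact.inc',
];
const DEFAULT_PAGE = 'main';

/**
 * Turn the untrusted ?id= value into a path that is safe to include.
 * The path is built only from PAGES, never from the request itself.
 */
function resolve_page($id, string $baseDir): string
{
    // ?id[]=x arrives as an array and a missing id as null: use the default.
    if (!is_string($id) || $id === '') {
        $id = DEFAULT_PAGE;
    }
    // Ids containing anything but letters and digits are rejected outright
    // rather than stripped (\z, not $, so a trailing newline fails too).
    if (preg_match('/\A[A-Za-z0-9]+\z/', $id) !== 1) {
        $id = DEFAULT_PAGE;
    }
    // Equivalent of the switch with a default case: unknown ids get main.
    $file = PAGES[$id] ?? PAGES[DEFAULT_PAGE];
    return rtrim($baseDir, '/') . '/' . $file;
}

// In index.php (assumed layout: includes live in ./pages):
//   include resolve_page($_GET['id'] ?? null, __DIR__ . '/pages');

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, including a traversal string like post #5's.
    $samples = ['about', null, 'nosuchpage', ['x'],
                "../../../../../../etc/passwd\0", "about\n"];
    foreach ($samples as $s) {
        printf("%-45s => %s\n", json_encode($s), resolve_page($s, '/var/www/pages'));
    }
}
```

Run from the command line, only the first sample resolves to `about.inc`; every other input, including the traversal string, falls back to `main.inc`.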

