  1. #1
    Senior Member blindchild02's Avatar
    Join Date
    Jul 2003
    Posts
    214
    Member #
    2030
    Well, for my site right now I'm using this:

    Code:
    <?php
    $view = $_GET['view'];
    if (!$view) { $view = "home"; }
    include "$view.php";
    ?>
    and for my links, I use ?view=pagename, and it loads the page in the place I put the PHP..

    but I was informed that hackers can easily hack my server by inputting their own file, instead of my pagename...

    are there any alternatives to this?
    (I'm not a PHP coder)
    Carchops.com
    --------------------------------------------
    www.blind-fate.com

  3. #2
    Senior Member jbagley's Avatar
    Join Date
    Sep 2004
    Location
    Cape Town
    Posts
    845
    Member #
    7422
    I don't think a hacker could get in and hack your server that way... All a person could do is change the view=pagename into something, and if you didn't have a page named that, it would return a 404 (document not found).

    So it's safe to use.

  4. #3
    Senior Member blindchild02's Avatar
    Join Date
    Jul 2003
    Posts
    214
    Member #
    2030
    well, I was told they could do.. ?view=http://page.com

    or whatever, and it would mess me up and whatnot

  5. #4
    Senior Member filburt1's Avatar
    Join Date
    Jul 2002
    Location
    Maryland, US
    Posts
    11,774
    Member #
    3
    Liked
    21 times
    Uh, they can request a file that does exist with sensitive information like a configuration file containing usernames and passwords.
    filburt1, Web Design Forums.net founder

  6. #5
    Senior Member blindchild02's Avatar
    Join Date
    Jul 2003
    Posts
    214
    Member #
    2030
    Quote Originally Posted by filburt1
    Uh, they can request a file that does exist with sensitive information like a configuration file containing usernames and passwords.
    is that sarcasm or something? lol

  7. #6
    Senior Member Fallout's Avatar
    Join Date
    Aug 2003
    Location
    Richmond, Virginia
    Posts
    543
    Member #
    2748
    It's not sarcasm at all... it's a real issue. For example:

    ?view=.htpassword or ?view=.htaccess could be used to grab the passwords for any protected directories or ?view=../dbinfo.txt, etc. could let someone read your DB connection info.

  8. #7
    Senior Member
    Join Date
    May 2003
    Location
    UK
    Posts
    2,354
    Member #
    1326
    One way is to define an array of allowed parameters, and if $_GET['view'] matches, then proceed.

    PHP Code:
    <?php

    /* This script:
           gets the ?view param
           checks it against an array of allowed values
           if there is a match, runs the include line
           else, displays a file of your choice/does what you wish
    */

    // remove extra spaces and so on; a missing or non-string ?view becomes ''
    $view = (isset($_GET['view']) && is_string($_GET['view'])) ? trim($_GET['view']) : '';

    // here is the array of allowed pages
    $allow = array("home.php", "faq.php", "images.php", "blah.php");

    // check for an exact match (the third argument makes the comparison strict)
    if (in_array($view, $allow, true))
    {
        include($view);
    }
    else
    {
        include("defaultpage.php"); // you could use $allow[0] for home.php
        // or you could echo "Bad user!" etc.
    }
    ?>
    Hope that helps.
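
A variation on the allow-list in the post above, as an added example that is not part of any post in this thread: the `view` parameter is looked up as a key in a fixed map, so the values mentioned earlier (`.htaccess`, `../dbinfo.txt`, `http://page.com`) never reach `include`. The page keys and the `resolve_view` name are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread.
// Request input only selects a key; the file names are fixed here.

// Hypothetical page keys, based on the file names in the allow-list above.
const PAGES = [
    'home'   => 'home.php',
    'faq'    => 'faq.php',
    'images' => 'images.php',
];

/**
 * Return the absolute path of the file to include for a requested view.
 * Anything that is not an exact key of PAGES falls back to the home page.
 */
function resolve_view($requested): string
{
    $file = PAGES['home'];
    // A missing parameter (null) or an array (?view[]=x) is not a valid key.
    if (is_string($requested)) {
        $key = trim($requested);
        if (array_key_exists($key, PAGES)) {
            $file = PAGES[$key];
        }
    }
    // The path is built from a constant, never from the request.
    return __DIR__ . '/' . $file;
}

// Constructed sample inputs: the values raised in the thread plus valid ones.
$samples = ['faq', ' images ', '.htaccess', '../dbinfo.txt', 'http://page.com', null, ['x']];
foreach ($samples as $s) {
    printf("%-20s => %s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        basename(resolve_view($s)));
}

// In the page itself (assumes PHP 7 or later for the ?? operator):
// include resolve_view($_GET['view'] ?? null);
```

With this mapping the links carry the short key, for example `page.php?view=faq`.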

  9. #8
    Senior Member blindchild02's Avatar
    Join Date
    Jul 2003
    Posts
    214
    Member #
    2030
    and I add that where I want the page to load??

    and do I keep the ?view=page for the links?

  10. #9
    Senior Member
    Join Date
    May 2003
    Location
    UK
    Posts
    2,354
    Member #
    1326
    You add that to whatever page you want to include the page.

    For example, you have a file named page.php which includes the value of ?page

    Your link would be like
    HTML Code:
    <a href="page.php?view=faq.php">View faq</a>

  11. #10
    Senior Member blindchild02's Avatar
    Join Date
    Jul 2003
    Posts
    214
    Member #
    2030
    I get this error:

    Parse error: parse error, unexpected '}' in index2.php on line 146

