  #1 danburke (Junior Member, joined Jul 2006)
    I'm using the code below to include a page defined in the URL. The website has been hacked and I think it is because my PHP allows the person to include any page they want. Can I limit includes to things only coming from my website?

    Code:
    <?php
    $page = $_GET['page'];      /* gets the variable $page */
    if ($page) {
        include($page);         /* if $page has a value, include it */
    } else {
        include('home.php');    /* otherwise, include the default page */
    }
    ?>
    Here's what a URL looks like: forcedlaughter.com/index.php?page=contact.php

  #2 (Senior Member, UK, joined May 2003)
    A few ways; one is using in_array():

    PHP Code:
    <?php
    $files = array("contact.php", "about.php", "meh.php", "pictures.php");
    $page  = $_GET['page'];
    if (in_array($page, $files)) {
        include($page);
    } else {
        include("home.php");
    }
    ?>

  #3 danburke (Junior Member, joined Jul 2006)
    Thanks for the help, but is there a way to say "only things from forcedlaughter.com"? There are currently 20 pages, and pages get added regularly when my client films new sketches. I feel like a 20+ item list is inefficient if there is another way.

  #4 (Senior Member, UK, joined May 2003)
    Sure.

    What this script does is assigns a variable to the name of the page being viewed.

    It then assigns another variable to the root domain, in my case while testing this was www.bfsog.co.uk, yours would be www.forcedlaughter.com

    Then I search for the domain variable in the variable that holds the filename.

    Example: search for hello.com in hello.com/file1.htm

    If it is found, display the file specified by the page parameter, if not display the home file.

    PHP Code:
    <?php
    $page = $_GET['page'];
    $mydomain = "YOUR DOMAIN HERE/"; // eg: www.hello.com/ - the / at the end is important
    $mydomain .= $page;

    $var = $_SERVER['HTTP_HOST']; // will return www.yourdomain.com

    $pos = strpos($mydomain, $var);

    if ($pos === false) {
        include("home.php");
    } else {
        include($page);
    }
    ?>
    Still a bit of a security risk, as they could try and include files on your webspace and generate 404s. Although that could be fixed with a file_exists.

    PHP Code:
    <?php
    $page = $_GET['page'];
    $mydomain = "www.bfsog.co.uk/"; // eg: www.hello.com/ - the / at the end is important
    $mydomain .= $page;

    $var = $_SERVER['HTTP_HOST']; // will return www.yourdomain.com

    $pos = strpos($mydomain, $var);

    if ($pos === false) {
        include("home.php");
    } else {
        if (file_exists($page)) {
            include($page);
        }
    }
    ?>
    Hope that helps
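The block below is an added example for this page; it is not code from the thread. It puts the Host-header check from post #4 beside an allowlist that is built from the files in a pages/ directory, which also answers the concern in post #3 about keeping a 20+ item array up to date. The directory layout (index.php next to pages/home.php, pages/contact.php, ...) and the function names are assumptions made for the example.

```php
<?php
// Added example (not from the thread). Compares the Host-header check from
// post #4 with an allowlist built from the files in a pages/ directory.
// Assumed layout (hypothetical): index.php next to pages/home.php,
// pages/contact.php, pages/about.php, ...

declare(strict_types=1);

/**
 * Reproduces the decision made by the strpos() check in post #4 and returns
 * true when that check would go on to include $page.
 */
function host_check_allows(string $page, string $httpHost): bool
{
    $mydomain = 'www.forcedlaughter.com/' . $page;
    // The Host header is searched for inside "domain/ + page". The string
    // starts with the domain, so the search succeeds whenever the Host header
    // names the site, whatever $page contains; $page itself is never inspected.
    return strpos($mydomain, $httpHost) !== false;
}

/**
 * Allowlist derived from the directory itself: every *.php file that exists
 * in $pagesDir, by basename. Adding a sketch page means dropping a file into
 * the directory; nothing else changes. Basenames cannot contain a path
 * separator, so "../" and stream wrappers such as php:// can never match.
 */
function allowed_pages(string $pagesDir): array
{
    $matches = glob($pagesDir . '/*.php');
    if ($matches === false) {
        $matches = [];
    }
    return array_map('basename', $matches);
}

/**
 * Choose the file to include. Returns a path inside $pagesDir for an
 * allowlisted name and pages/home.php otherwise. The returned path is
 * assembled from the allowlist entry, not from the raw request value.
 */
function resolve_page($requested, string $pagesDir): string
{
    // $_GET['page'] may be absent or an array (?page[]=x); accept strings only.
    // The third argument makes in_array() compare with ===.
    if (is_string($requested) && in_array($requested, allowed_pages($pagesDir), true)) {
        return $pagesDir . '/' . $requested;
    }
    return $pagesDir . '/home.php';
}

// --- demonstration on constructed inputs -----------------------------------
$host   = 'www.forcedlaughter.com';
$inputs = ['contact.php', '../../../../etc/passwd', 'index.php'];
foreach ($inputs as $p) {
    printf("%-26s host check: %s\n", $p, host_check_allows($p, $host) ? 'include' : 'home');
}

// Temporary pages/ directory so the allowlist version runs as-is.
$pagesDir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($pagesDir, 0700);
foreach (['home.php', 'contact.php', 'about.php'] as $f) {
    file_put_contents("$pagesDir/$f", "<p>$f</p>\n");
}
foreach (array_merge($inputs, [['x'], null]) as $p) {
    $label = is_string($p) ? $p : gettype($p);
    printf("%-26s allowlist:  %s\n", $label, basename(resolve_page($p, $pagesDir)));
}

// Cleanup of the temporary directory.
array_map('unlink', glob("$pagesDir/*.php"));
rmdir($pagesDir);

// In index.php the dispatch would read:
//   include resolve_page($_GET['page'] ?? null, __DIR__ . '/pages');
```

Run it with the php command-line binary. The host check reports "include" for all three inputs, the traversal path and the recursive include of index.php among them, because the search string is built from the domain and so always contains the Host header; the allowlist version maps contact.php to itself and sends every other input, including the array and the missing parameter, to home.php.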

  #5 danburke (Junior Member, joined Jul 2006)
    when I used the second code nothing would load but there also wasn't an error message. When I used the first code, this error came up:
    Warning: main() [function.include]: Failed opening '' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/forcedla/public_html/index.php on line 68
    Line 68 is:
    Code:
    include($page);

    Then, I used the second code without changing www.bfsog.co.uk to www.forcedlaughter.com, and it loads the homepage but nothing else.

  #6 (Senior Member, UK, joined May 2003)
    Can you post the code you have?

    Also check for

    1: the get parameter (examplefile.php?page=something) - the ?page part, is it called page?
    2: Try echo $page inside the else statement.

  #7 danburke (Junior Member, joined Jul 2006)
    I really appreciate your help. The only problem is the homepage doesn't load when you go to index.php, or if the page doesn't exist. Here's the code.
    Code:
    <?php
    $page = $_GET['page'];
    $mydomain = "www.forcedlaughter.com/"; // eg: www.hello.com/ - the / at the end is important
    $mydomain .= $page;

    $var = $_SERVER['HTTP_HOST']; // will return www.yourdomain.com

    $pos = strpos($mydomain, $var);

    if ($pos === false) {
        include("home.php");
    } else {
        if (file_exists($page)) {
            include($page);
        }
    }
    ?>

  #8 filburt1 (Senior Member, Maryland, US, joined Jul 2002)
    I would suggest reconsidering your entire approach. There is likely a cleaner way to accomplish what you want--selectively including content on a page, it would seem. Your solution is basic, but high-maintenance and as you can see, highly insecure--under some circumstances, I could view your page and get the passwords of all users on that computer, or include the page itself recursively and crash your server if I do it enough.

    Consider something as simple as static HTML includes, enforcing what directory they come from and the .html extension, to more robust solutions like templates powered by engines such as Smarty. The custom pages I make here are only a handful of lines of PHP and are generated instead from templates powered by vBulletin.
    filburt1, Web Design Forums.net founder
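The following is an added example for this page, not code from the thread, from vBulletin or from Smarty. It implements the first option in post #8, static HTML fragments with the directory and the .html extension enforced, using realpath() so that the decision is made on the canonical path rather than on the string the client sent. The content/ directory, the file names and the function names are assumptions; reading the fragment with file_get_contents() instead of include() is a choice made here, not something the post specifies.

```php
<?php
// Added example (not from the thread): static .html includes with the
// source directory and the extension enforced on the canonical path.
// Assumed layout (hypothetical): a content/ directory of *.html fragments
// next to index.php.

declare(strict_types=1);

/**
 * Return the canonical path of $requested inside $contentDir, or null when
 * the request must be refused. Checks, in order:
 *   1. the value is a non-empty string without a NUL byte;
 *   2. it ends in ".html";
 *   3. the resolved path exists, is a regular file and lies inside the
 *      canonical content directory.
 * realpath() collapses "..", "./" and symlinks, so "../x.html" fails the
 * prefix test even though it carries the right extension.
 */
function resolve_static_page($requested, string $contentDir): ?string
{
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    if (substr($requested, -5) !== '.html') {
        return null;
    }
    $base = realpath($contentDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare with the separator appended so that /srv/content-old is not
    // taken to be inside /srv/content.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Produce the page body. Fragments are read and returned, never include()d,
 * so PHP tags inside a content file are inert. The fallback is a fixed path
 * that the request cannot influence.
 */
function render_page($requested, string $contentDir): string
{
    $path = resolve_static_page($requested, $contentDir);
    if ($path === null) {
        $path = $contentDir . '/home.html';
    }
    return (string) file_get_contents($path);
}

// --- demonstration on a constructed content directory ----------------------
$root = sys_get_temp_dir() . '/static_demo_' . getmypid();
mkdir("$root/content", 0700, true);
file_put_contents("$root/content/home.html", "<h1>Home</h1>\n");
file_put_contents("$root/content/contact.html", "<h1>Contact</h1>\n");
file_put_contents("$root/secret.html", "<h1>outside content/</h1>\n");

$requests = [
    'contact.html',                        // inside content/, right extension
    '../secret.html',                      // right extension, resolves outside content/
    'contact.php',                         // wrong extension
    'php://filter/resource=contact.html',  // wrapper, not a file under content/
    'missing.html',                        // does not exist
];
foreach ($requests as $r) {
    $res = resolve_static_page($r, "$root/content");
    printf("%-38s %s\n", $r, $res === null ? 'refused, home.html served' : basename($res));
}
echo render_page('../secret.html', "$root/content");

// Cleanup of the temporary directory.
array_map('unlink', glob("$root/content/*.html"));
unlink("$root/secret.html");
rmdir("$root/content");
rmdir($root);
```

Only contact.html is accepted; the traversal request passes the extension test but fails the prefix test after canonicalisation, and the wrapper and the missing file never resolve to a real path, so render_page() falls back to home.html for them. The extension test is kept even though the allowlist of the directory would already exclude .php files, because it makes the intent explicit and costs nothing.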


Powered by vBulletin® Version 4.2.3
Copyright © 2019 vBulletin Solutions, Inc. All rights reserved.