  1. #1
    Senior Member leprechaun13's Avatar
    Join Date
    May 2005
    Location
    Northampton
    Posts
    487
    Member #
    10058
    I'm trying to secure a site's includes so people can't call up any PHP file they like. I have tried the following but can't see where I'm going wrong; can somebody please correct me?

    PHP Code:
    <?php
    $page = array_key_exists('pid', $_GET);

    switch ( $pid )
        {
            case "001" :
                include 'includes/home.php';
                break;

            case "002" :
                include 'includes/faq.php';
                break;

            case "003" :
                include 'includes/homevisits.php';
                break;

            case "004" :
                include 'includes/help.php';
                break;

            case "005" :
                include 'includes/links.php';
                break;

            default :
                include 'includes/home.php';
                break;
        }
    ?>
    Regards Phil,


  3. #2
    WDF Staff mlseim's Avatar
    Join Date
    Apr 2004
    Location
    Cottage Grove, Minnesota
    Posts
    7,733
    Member #
    5580
    Liked
    718 times
    $page = array_key_exists('pid', $_GET);

    switch ( $page )


  4. #3
    Senior Member
    Join Date
    Jun 2005
    Location
    Atlanta, GA
    Posts
    4,146
    Member #
    10263
    Liked
    1 times
    :-P

    Also, your problem would more easily (and far more elegantly) be solved by putting all the file names in an array and using the $page argument to index into it.

  5. #4
    Senior Member leprechaun13's Avatar
    Join Date
    May 2005
    Location
    Northampton
    Posts
    487
    Member #
    10058
    How would I go about this? My PHP skills aren't the best and I've never used arrays.
    Regards Phil,


  6. #5
    Senior Member
    Join Date
    Jun 2005
    Location
    Atlanta, GA
    Posts
    4,146
    Member #
    10263
    Liked
    1 times
    Well, you've got numbers -- 1, 2, 3, 4, 5, what have you. Make them start at 0 and then have an array:
    PHP Code:
    $uris = Array( 'includes/home.php', 'includes/whatever', ... );

    if ( $page < count( $uris ) )
        include( $uris[$page] );
    else
        include( 'includes/home.php' );
    Basically, arrays are indexed with [], they start numbering at 0, and we say that if the page is less than the count (i.e., the number of elements in the array), then we include that page; otherwise, we include the default one.

    Worth mentioning is that you may have to convert the string to an integer before doing this, as otherwise it'll try to index the array by a string, which won't work. Make sure if you convert the string to an integer that you're converting, e.g., `1' and not `001', as the latter will most likely be interpreted as an octal number.

  7. #6
    Senior Member Steax's Avatar
    Join Date
    Dec 2006
    Location
    Bandung, Indonesia
    Posts
    1,207
    Member #
    14572
    For some reason my mind screams security warning at that technique... though I'm not sure why. Maybe I just never trust inputs (especially GETs) to specify an include...

    So for all needs and purposes, please validate that GET value before you use it.
    Note on code: If I give code, please note that it is simply sample code to demonstrate an effect. It is not meant to be used as-is; that is the programmer's job. I am not responsible to give you support or be held liable for anything that happens when using my code.

  8. #7
    Senior Member
    Join Date
    Jun 2005
    Location
    Atlanta, GA
    Posts
    4,146
    Member #
    10263
    Liked
    1 times
    One must always validate inputs, but this is a much safer way to include files by GET request than, say, passing the filename as a GET parameter. This way, the potential attacker is restricted to the files that you are expecting would get included -- the worst they could do, assuming all include files are meant for public consumption (which it looks like they are), is to break the script by including an unexpected file and causing an error for whatever reason.

    Granted, this exposes part of how your application works, but that's only if you actually display errors, which typically production servers don't.
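    The whitelist from posts #3 and #5 combined with the GET validation posts #6 and #7 ask for, as an added example that is not code from any poster in this thread; select_page is an assumed helper name, and the file names and the 001 to 005 ids are the original post's:

```php
<?php
// Added example, not code from any poster in this thread. It combines the
// integer-indexed whitelist from post #5 with the input validation posts #6
// and #7 ask for. select_page() is an assumed helper name; the include file
// names and the 1..5 ids are those used in the original post.

$uris = array(
    1 => 'includes/home.php',
    2 => 'includes/faq.php',
    3 => 'includes/homevisits.php',
    4 => 'includes/help.php',
    5 => 'includes/links.php',
);

// Returns the whitelisted path to include for this request. Anything that is
// not a plain decimal index of an existing entry falls back to $default.
function select_page(array $uris, array $get, $default = 1)
{
    if (!array_key_exists('pid', $get)) {
        return $uris[$default];            // no ?pid= at all
    }
    $raw = $get['pid'];

    // ?pid[]=1 arrives as an array, so check the type before touching it.
    // The regex accepts digits only: "1e3", "0x1A", " 1", "../x" are rejected.
    // /D stops "$" from matching before a trailing newline.
    if (!is_string($raw) || !preg_match('/^[0-9]+$/D', $raw)) {
        return $uris[$default];
    }

    // PHP parses numeric strings as decimal, so (int)"003" is 3; the octal
    // concern in post #5 applies to integer literals in source, not strings.
    $pid = (int) $raw;

    // Bound check against the whitelist itself rather than count($uris), so
    // it also works when the keys do not start at 0 or have gaps.
    return array_key_exists($pid, $uris) ? $uris[$pid] : $uris[$default];
}

include select_page($uris, $_GET);
```

    Because the request value is only ever used as an array key, the include path itself never comes from the client, which is the property post #7 describes.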

