How do we stop error log "file does not exist"?


simonmlewis
DevNet Master
Posts: 4435
Joined: Wed Oct 08, 2008 3:39 pm
Location: United Kingdom

Post by simonmlewis »

We have a new error - goodness knows what this means. Maybe you can tell me?

[17-Apr-2013 23:51:21] PHP Warning: include(includes/iproduct\' or 1=convert(int,chr(114)||chr(51)||chr(100)||chr(109)||chr(48)||chr(118)||chr(51)||chr(95)||chr(104)||chr(118)||chr(106)||chr(95)||chr(105)||chr(110)||chr(106)||chr(101)||chr(99)||chr(116)||chr(105)||chr(111)||chr(110))--.inc) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /home/site/public_html/index_ip.php on line 73

That file DOES exist. But what's with all the 'convert' stuff? Is something trying to spike us? And if so, how do we stop this?
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
McInfo
DevNet Resident
Posts: 1532
Joined: Wed Apr 01, 2009 1:31 pm

Post by McInfo »

It looks like someone was attempting some SQL injection through the variable you use to build the include path. Fortunately, include() doesn't respond to SQL; but the error does reveal a vulnerability in your code. Before you include the file, test file_exists(). Also it would be wise to make sure the user string doesn't begin with "." or contain "/.". You wouldn't want anyone traversing directories or including .htaccess files.
Last edited by McInfo on Sat Apr 20, 2013 8:52 am, edited 1 time in total.

Post by simonmlewis »

User string?
Do you mean a file name with a . in it?

Post by McInfo »

simonmlewis wrote: User string?
As in the string the user gave to your script. Never assume that users will give you only what you told them to.
simonmlewis wrote: Do you mean a file name with a . in it?
UNIX platforms have a convention whereby files that begin with a dot are considered private. Servers are generally configured to hide such files from clients (especially .ht* files), but your PHP script can still read and write to them, which is bad news if your script carelessly includes them. Additionally, . is a special directory that means the current directory and .. means the parent directory.

Post by simonmlewis »

I'm already doing this:

Code:

function getPage()
{
    $thispage = "includes/" . $_GET['page'] . ".inc";

    if (file_exists($thispage)) {
        include $thispage;
    } else {
        echo "<meta http-equiv='Refresh' content='0 ;URL=/error'>";
    }
}
Is it not enough?

Post by simonmlewis »

Would this be better?

Code:

function getPage()
{
    $page = mysql_real_escape_string($_GET["page"]);
    $thispage = "includes/" . $_GET['page'] . ".inc";

    if (file_exists($thispage)) {
        include $thispage;
    } else {
        echo "<meta http-equiv='Refresh' content='0 ;URL=/error'>";
    }
}
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
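
An added example, not code from any poster in this thread: one way to apply McInfo's advice is to allowlist the shape of the page parameter and confirm with realpath() that the resolved file stays inside the includes directory. The function name resolvePage, the temporary sandbox paths and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example; resolvePage() and the sandbox layout are hypothetical names.

/** Resolve a user-supplied page name to a file inside $baseDir, or return null. */
function resolvePage(string $baseDir, $page): ?string
{
    // 1. Allowlist the shape of the name: letters, digits, underscore, hyphen.
    //    Rejects ".", "..", "/", "\", quotes, NUL bytes and non-string input.
    if (!is_string($page) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }

    // 2. Canonicalise, then confirm the result is still under the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.inc');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed sandbox: one legitimate page, one dotfile outside includes/.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$root/includes", 0700, true);
file_put_contents("$root/includes/iproduct.inc", "<?php echo 'product page'; ");
file_put_contents("$root/.secret.inc", "<?php echo 'private'; ");

// Constructed sample values for ?page=
$samples = [
    'iproduct',                                // legitimate page
    "iproduct' or 1=convert(int,chr(114))--",  // shortened form of the logged probe
    '../.secret',                              // traversal to a dotfile that exists
    '.htaccess',                               // leading dot
    ['x'],                                     // ?page[]=x arrives as an array
];
foreach ($samples as $s) {
    $hit = resolvePage("$root/includes", $s);
    printf("%-45s => %s\n", json_encode($s),
        $hit === null ? 'rejected' : 'include ' . basename($hit));
}
```

In this sandbox `includes/../.secret.inc` exists, so a bare file_exists() test would pass it to include. mysql_real_escape_string() only escapes characters for SQL string literals, so it does not constrain a file path either.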