We have a new error - goodness knows what this means. Maybe you can tell me?
[text][17-Apr-2013 23:51:21] PHP Warning: include(includes/iproduct\' or 1=convert(int,chr(114)||chr(51)||chr(100)||chr(109)||chr(48)||chr(118)||chr(51)||chr(95)||chr(104)||chr(118)||chr(106)||chr(95)||chr(105)||chr(110)||chr(106)||chr(101)||chr(99)||chr(116)||chr(105)||chr(111)||chr(110))--.inc) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /home/site/public_html/index_ip.php on line 73[/text]
That file DOES exist. But what's with all the 'convert' stuff? Is something trying to spike us? And if so, how do we stop this.
How do we stop error log "file does not exist"?
-
simonmlewis
- DevNet Master
- Posts: 4435
- Joined: Wed Oct 08, 2008 3:39 pm
- Location: United Kingdom
- Contact:
Re: How do we stop error log "file does not exist"?
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
Re: How do we stop error log "file does not exist"?
It looks like someone was attempting some SQL injection through the variable you use to build the include path. Fortunately, include() doesn't respond to SQL; but the error does reveal a vulnerability in your code. Before you include the file, test file_exists(). Also it would be wise to make sure the user string doesn't begin with "." or contain "/.". You wouldn't want anyone traversing directories or including .htaccess files.
Last edited by McInfo on Sat Apr 20, 2013 8:52 am, edited 1 time in total.
-
simonmlewis
Re: How do we stop error log "file does not exist"?
User string?
Do you a file name with a . In it?
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
Re: How do we stop error log "file does not exist"?
simonmlewis wrote: User string?
As in the string the user gave to your script. Never assume that users will give you only what you told them to.
simonmlewis wrote: Do you a file name with a . In it?
UNIX platforms have a convention whereby files that begin with a dot are considered private. Servers are generally configured to hide such files from clients (especially .ht* files), but your PHP script can still read and write to them, which is bad news if your script carelessly includes them. Additionally, . is a special directory that means the current directory and .. means the parent directory.
-
simonmlewis
Re: How do we stop error log "file does not exist"?
I'm already doing this:
Code: Select all
function getPage()
{
    $thispage="includes/".$_GET['page'].".inc";
    if (file_exists($thispage))
    {
        include $thispage;
    }
    else
    {
        echo "<meta http-equiv='Refresh' content='0 ;URL=/error'>";
    }
}
Is it not enough?
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
-
simonmlewis
Re: How do we stop error log "file does not exist"?
Would this be better?
Code: Select all
function getPage()
{
    $page=mysql_real_escape_string($_GET["page"]);
    $thispage="includes/".$_GET['page'].".inc";
    if (file_exists($thispage))
    {
        include $thispage;
    }
    else
    {
        echo "<meta http-equiv='Refresh' content='0 ;URL=/error'>";
    }
}
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
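An added example, not code from any poster in this thread: one way to apply the checks McInfo describes to getPage(), validating the `page` value against an allowlist before it ever reaches file_exists() or include. SQL escaping does not constrain a file path, so the check is done on the characters of the name itself. The helper name resolvePage(), the 64-character limit and the assumption that the includes directory sits next to the script are illustrative choices.

```php
<?php
// Added example. resolvePage() is a hypothetical helper, not part of the thread.

/**
 * Map a user-supplied page name to a file inside $baseDir, or return null.
 */
function resolvePage($name, $baseDir)
{
    // Accept only a plain string; ?page[]=x arrives as an array.
    if (!is_string($name)) {
        return null;
    }
    // Allowlist: letters, digits, underscore, hyphen. No dots, slashes,
    // quotes or NUL bytes, so "../", ".htaccess" and the
    // "' or 1=convert(...)" probe from the error log are rejected here.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.inc');
    // realpath() returns false for a missing file. Also confirm the
    // resolved path is still under the includes directory (symlinks).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

function getPage()
{
    $raw = isset($_GET['page']) ? $_GET['page'] : '';
    // Assumption: includes/ lives beside this script.
    $file = resolvePage($raw, __DIR__ . '/includes');
    if ($file !== null) {
        include $file;
    } else {
        // Same fallback as the original function.
        echo "<meta http-equiv='Refresh' content='0 ;URL=/error'>";
    }
}
```

Because rejected names never reach include, probes like the one in the log no longer produce a "failed to open stream" warning.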