Re: How do we stop error log "file does not exist"?
Posted: Thu Apr 18, 2013 3:48 am
by simonmlewis
We have a new error - goodness knows what this means. Maybe you can tell me?
[17-Apr-2013 23:51:21] PHP Warning: include(includes/iproduct\' or 1=convert(int,chr(114)||chr(51)||chr(100)||chr(109)||chr(48)||chr(118)||chr(51)||chr(95)||chr(104)||chr(118)||chr(106)||chr(95)||chr(105)||chr(110)||chr(106)||chr(101)||chr(99)||chr(116)||chr(105)||chr(111)||chr(110))--.inc) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /home/site/public_html/index_ip.php on line 73
That file DOES exist. But what's with all the 'convert' stuff? Is something trying to spike us? And if so, how do we stop this?
Re: How do we stop error log "file does not exist"?
Posted: Sat Apr 20, 2013 8:46 am
by McInfo
It looks like someone was attempting some SQL injection through the variable you use to build the include path. Fortunately, include() doesn't respond to SQL; but the error does reveal a vulnerability in your code. Before you include the file, test file_exists(). Also it would be wise to make sure the user string doesn't begin with "." or contain "/.". You wouldn't want anyone traversing directories or including .htaccess files.
Re: How do we stop error log "file does not exist"?
Posted: Sat Apr 20, 2013 8:49 am
by simonmlewis
User string?
Do you mean a file name with a . in it?
Re: How do we stop error log "file does not exist"?
Posted: Sat Apr 20, 2013 9:04 am
by McInfo
simonmlewis wrote: User string?
As in the string the user gave to your script. Never assume that users will give you only what you told them to.
simonmlewis wrote: Do you mean a file name with a . in it?
UNIX platforms have a convention whereby files that begin with a dot are considered private. Servers are generally configured to hide such files from clients (especially .ht* files), but your PHP script can still read and write to them, which is bad news if your script carelessly includes them. Additionally, . is a special directory that means the current directory and .. means the parent directory.
Re: How do we stop error log "file does not exist"?
Posted: Mon Apr 22, 2013 3:01 am
by simonmlewis
I'm already doing this:
Code:
    function getPage()
    {
        $thispage = "includes/".$_GET['page'].".inc";
        if (file_exists($thispage))
        {
            include $thispage;
        }
        else
        {
            echo "<meta http-equiv='Refresh' content='0 ;URL=/error'>";
        }
    }
Is it not enough?
Re: How do we stop error log "file does not exist"?
Posted: Mon Apr 22, 2013 3:05 am
by simonmlewis
Would this be better?
Code:
    function getPage()
    {
        $page = mysql_real_escape_string($_GET["page"]);
        $thispage = "includes/".$_GET['page'].".inc";
        if (file_exists($thispage))
        {
            include $thispage;
        }
        else
        {
            echo "<meta http-equiv='Refresh' content='0 ;URL=/error'>";
        }
    }
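One way to apply McInfo's advice (reject names starting with "." or containing "/", don't rely on file_exists() alone) to the getPage() posted above, written here as an added example rather than code from any poster: the page name is checked against an allow-list of characters before any filesystem call, and realpath() confirms the file really resolves inside includes/. The includes/ directory and the /error redirect are taken from the posted code; the character pattern, length limit and logging are assumptions.

```php
<?php
// Added example, not from the thread: a hardened getPage().
// Works on PHP 5.3+, so no PHP 7 syntax is used.
function getPage()
{
    // Absolute, symlink-resolved path of the includes directory (assumed to
    // sit next to this script). realpath() returns false if it is missing.
    $base = realpath(__DIR__ . '/includes');
    $page = isset($_GET['page']) ? $_GET['page'] : '';

    // Allow-list: letters, digits, underscore, hyphen, 1-64 characters.
    // No dots, slashes or quotes can pass, so "../" traversal, ".htaccess"
    // and SQL-looking junk like the logged request are rejected up front.
    if ($base === false || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        error_log('getPage: rejected page name ' . var_export($page, true));
        echo "<meta http-equiv='Refresh' content='0 ;URL=/error'>";
        return;
    }

    // Resolve the candidate file and require that it is a regular file
    // located directly under includes/. realpath() is false for a missing
    // file, so this also replaces the plain file_exists() check.
    $thispage = realpath($base . '/' . $page . '.inc');
    if ($thispage === false
        || strpos($thispage, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($thispage)) {
        error_log('getPage: rejected path ' . var_export($page, true));
        echo "<meta http-equiv='Refresh' content='0 ;URL=/error'>";
        return;
    }

    include $thispage;
}
```

Note that mysql_real_escape_string() only changes how a string is quoted for MySQL; it does nothing for a filesystem path, so the allow-list and realpath() checks are what actually keep the include inside includes/.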