Re: How do we stop error log "file does not exist"?

Posted: Thu Apr 18, 2013 3:48 am
by simonmlewis
We have a new error - goodness knows what this means. Maybe you can tell me?

[17-Apr-2013 23:51:21] PHP Warning: include(includes/iproduct\' or 1=convert(int,chr(114)||chr(51)||chr(100)||chr(109)||chr(48)||chr(118)||chr(51)||chr(95)||chr(104)||chr(118)||chr(106)||chr(95)||chr(105)||chr(110)||chr(106)||chr(101)||chr(99)||chr(116)||chr(105)||chr(111)||chr(110))--.inc) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /home/site/public_html/index_ip.php on line 73

That file DOES exist. But what's with all the 'convert' stuff? Is something trying to spike us? And if so, how do we stop this?

Re: How do we stop error log "file does not exist"?

Posted: Sat Apr 20, 2013 8:46 am
by McInfo
It looks like someone was attempting some SQL injection through the variable you use to build the include path. Fortunately, include() doesn't respond to SQL; but the error does reveal a vulnerability in your code. Before you include the file, test file_exists(). Also it would be wise to make sure the user string doesn't begin with "." or contain "/.". You wouldn't want anyone traversing directories or including .htaccess files.

Re: How do we stop error log "file does not exist"?

Posted: Sat Apr 20, 2013 8:49 am
by simonmlewis
User string?
Do you mean a file name with a . in it?

Re: How do we stop error log "file does not exist"?

Posted: Sat Apr 20, 2013 9:04 am
by McInfo
simonmlewis wrote: User string?
As in the string the user gave to your script. Never assume that users will give you only what you told them to.
simonmlewis wrote: Do you mean a file name with a . in it?
UNIX platforms have a convention whereby files that begin with a dot are considered private. Servers are generally configured to hide such files from clients (especially .ht* files), but your PHP script can still read and write to them, which is bad news if your script carelessly includes them. Additionally, . is a special directory that means the current directory and .. means the parent directory.

Re: How do we stop error log "file does not exist"?

Posted: Mon Apr 22, 2013 3:01 am
by simonmlewis
I'm already doing this:

function getPage()
{
    // Build the include path directly from the page parameter in the query string.
    $thispage = "includes/" . $_GET['page'] . ".inc";

    if (file_exists($thispage)) {
        include $thispage;
    } else {
        // Unknown page: send the browser to the error page.
        echo "<meta http-equiv='Refresh' content='0 ;URL=/error'>";
    }
}
Is it not enough?

Re: How do we stop error log "file does not exist"?

Posted: Mon Apr 22, 2013 3:05 am
by simonmlewis
Would this be better?

function getPage()
{
    // Escaped copy of the parameter; note that $page is not used below,
    // the path is still built from the raw $_GET['page'].
    $page = mysql_real_escape_string($_GET["page"]);
    $thispage = "includes/" . $_GET['page'] . ".inc";

    if (file_exists($thispage)) {
        include $thispage;
    } else {
        echo "<meta http-equiv='Refresh' content='0 ;URL=/error'>";
    }
}
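For comparison, here is a hardened getPage() written along the lines of McInfo's advice above (reject dots and slashes, then check that the resolved path is still inside the includes directory). This is an added example, not code from the thread; it assumes the same layout as the posts, with page files at includes/<name>.inc and the name arriving in $_GET['page'], and the helper name resolvePage() is my own.

```php
<?php
// Added example, not from the thread. Assumes pages live in includes/<name>.inc
// next to this script and the requested name arrives in $_GET['page'].

function resolvePage(string $requested, string $includesDir): ?string
{
    // 1. Allow only a conservative character set: no dots, slashes or quotes,
    //    so neither "../" traversal nor ".htaccess" can be named at all.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    $candidate = $includesDir . '/' . $requested . '.inc';

    // 2. Resolve symlinks and relative components, then confirm the result
    //    still lives inside the includes directory (realpath() returns false
    //    when the file does not exist, which covers the file_exists() check).
    $real = realpath($candidate);
    $base = realpath($includesDir);
    if ($real === false || $base === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function getPage(): void
{
    $requested = isset($_GET['page']) ? (string) $_GET['page'] : '';
    $path = resolvePage($requested, __DIR__ . '/includes');

    if ($path === null) {
        // Keep a record of what was rejected, but never echo it back to the client.
        error_log('getPage: rejected page parameter ' . json_encode($requested));
        echo "<meta http-equiv='Refresh' content='0 ;URL=/error'>";
        return;
    }
    include $path;
}
```

If the set of pages is small and fixed, an explicit array of allowed names checked with in_array() is stricter still and needs no path logic at all.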