I got an email from my hosting company saying that they had found someone using my site, and my handwritten code, to try and hack into their servers. I have only a basic understanding of what is being exploited and want some advice on how to prevent it.
Below is some of the server log that was emailed to me. Basically I need to secure my includes. Apparently this is not too difficult.
Put all the include files in one folder, then use a script to load all the file names into an array, or if you don't have many files, just put the names in the array yourself. Then get the file name from the URL and check the array to see if it exists; if so, include it, else include an error page.
OR
Get the file name from the URL, use the file_exists function to see if the file exists; if it does, include it, else include an error page.
It does use the URL, but doesn't require it. But it doesn't directly use the URL in the filename to use. This separation, and the use of a default value, are the major security things this snippet does.
My main index page looks for an inclusion, and if it doesn't find one it includes a default making my true index page. If it does find one then it loads that one making a page for contacting me via email. So there are only two includes. The only other page on my site - photo.php - uses the url to pass along variables for extracting the next image from the db etc...
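The allow-list approach from the first suggestion above, combined with a default page for a two-include site like the one just described, as an added example that is not code from any poster in this thread. The page keys, file names, the `includes` folder and the `page` URL parameter are all assumptions.

```php
<?php
// Added example: allow-list include resolver. Page keys, file names and
// the 'page' parameter are hypothetical placeholders, not from the thread.

const INCLUDE_DIR = __DIR__ . '/includes';

// Map of accepted URL values to files. Only these files can ever be included.
const PAGES = [
    'home'    => 'home.inc.php',
    'contact' => 'contact.inc.php',
];

const DEFAULT_PAGE = 'home';
const ERROR_PAGE   = 'error.inc.php';

/**
 * Return the path to include for a request value.
 * The request value is only ever used as an array key, never as part
 * of a file path, so it cannot steer the include to another location.
 */
function resolve_include($requested): string
{
    if ($requested === null || $requested === '') {
        // No parameter given: fall back to the default page.
        $file = PAGES[DEFAULT_PAGE];
    } elseif (is_string($requested) && array_key_exists($requested, PAGES)) {
        $file = PAGES[$requested];
    } else {
        // Unknown key, or a non-string such as ?page[]=x: show the error page.
        $file = ERROR_PAGE;
    }
    return INCLUDE_DIR . '/' . $file;
}

// Constructed sample inputs: a valid key, no parameter, a path with
// directory components, a URL, and an array-valued parameter.
$samples = ['contact', null, '../../etc/passwd', 'http://example.com/x.txt', ['contact']];
foreach ($samples as $value) {
    printf("%-30s => %s\n", json_encode($value), basename(resolve_include($value)));
}

// In index.php the call would be:
// require resolve_include($_GET['page'] ?? null);
```

Every sample that is not an exact key in the map resolves to the error page. A file_exists check on its own does not give this property, because a path containing `../` can also point at a file that exists outside the include folder.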