Load page into itself...??

Maxaipa
Forum Newbie
Posts: 17
Joined: Sat May 10, 2003 6:08 pm

Load page into itself...??

Post by Maxaipa »

Hello All!,

Forgive my lack of terminology here; I tried a search for something related to my problem - but I'm not even sure what to search for. Let me describe:

I have a contact form located here: <http://www.in2gration.com/index.php>

It uses cjdesign's web2mail script and works quite well - it does exactly what it should. What I would like to be able to do is have the thankyou.php and/or the error notification load into the same container when the 'send mail' button is selected - currently both load into a new browser window. I've tried several things but am either not using the correct code or not putting the code in the correct place.

If any further info is required, please let me know - I'm happy to post whatever is needed to help resolve this.

Any/All guidance would be very much appreciated!!
Thanks and Happy Holidays!
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Use /index.php?c=12 as the 'action' attribute for the form. And watch out for directory traversal attacks; include($_REQUEST['userinput']); never was a good idea.
Maxaipa
Forum Newbie
Posts: 17
Joined: Sat May 10, 2003 6:08 pm

Post by Maxaipa »

That was fast!! ...and it works too. I almost had it then, but I was using the full file name rather than c=12.

For the second part of your reply: I know what directory traversal is, but what exactly are the implications of the way I've applied that code? Is there a more secure way that would provide the same functionality that I have now?

Thanks very much for your time thus far, greatly appreciated.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

somewhere in your index.php you have something like this:

Code:

//........skipped......
// Unvalidated: whatever arrives in $_GET['c'] is concatenated straight into the include path
include('content' . $_GET['c'] . '.php');
//........skipped......

There you used the value ($_GET['c']) supplied by a user and did not validate it properly. You're assuming that $_GET['c'] is an integer, but you did not validate this fact. Currently it does not pose any serious risk (aside from the path disclosure because of display_errors being turned on) because there's no 'content' directory in /home/sites/site112/web/. But if it were there, one would be able to visit /index.php?c=../../../../../path/to/any/file%00 and read arbitrary files. Such attacks are usually called 'directory traversals'.

To fix it you would code something like this:

Code:

//........skipped......
$filename = 'content' . intval($_GET['c']) . '.php'; // intval() forces an integer, so no path characters survive
if( !file_exists($filename) ) { // use default filename if file is absent
    $filename = 'content1.php';
}
include($filename);
//........skipped......

intval() is used to make sure we have an integer, and if( !file_exists($filename) ) is used to prevent path disclosure regardless of display_errors being on or off.
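As an added example (this is not Weirdan's code, nor part of cjdesign's web2mail), here is a PHP 8 version of the same fix that goes a step further than intval() plus file_exists(): it validates the selector as a string of digits before any conversion, builds the path itself, and then uses realpath() to confirm the resolved file really sits inside the content directory. The ./content/ layout and the content1.php, content2.php naming are assumed from the thread; the index_example.php file name and the helper function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8+ and pages
// stored as ./content/content1.php, ./content/content2.php, ...
declare(strict_types=1);

const CONTENT_DIR  = __DIR__ . '/content';   // assumed layout
const DEFAULT_PAGE = 1;

/**
 * Validate the raw ?c= value. Returns the page number, or null if the
 * value is not a plain positive integer. This is deliberately stricter
 * than intval(): intval('12abc') is 12 and intval('../..') is 0, and both
 * would be silently accepted instead of rejected and logged.
 */
function validateSelector(mixed $c): ?int
{
    if (!is_string($c) || !ctype_digit($c)) {
        return null;                         // rejects '', '../x', "12\0", '12abc'
    }
    $n = (int) $c;
    return $n >= 1 ? $n : null;              // content0.php is not a page
}

/**
 * Map a validated page number to an absolute file path inside CONTENT_DIR,
 * or null if the file is missing or resolves outside the directory
 * (for example through a symlink someone dropped into content/).
 */
function resolveContentFile(int $n): ?string
{
    $candidate = CONTENT_DIR . '/content' . $n . '.php';
    $real = realpath($candidate);            // collapses '..' and symlinks
    $base = realpath(CONTENT_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;                         // containment check failed
    }
    return $real;
}

/**
 * Choose the file to include for a request. Falls back to the default page
 * when the selector is absent, malformed, or names a page that is not there,
 * and records rejected values in the server log instead of letting PHP emit
 * a warning that reveals the document root.
 */
function selectContentFile(array $query): string
{
    $raw = $query['c'] ?? null;
    $n = validateSelector($raw);
    $file = $n === null ? null : resolveContentFile($n);
    if ($file === null) {
        error_log('content selector rejected: ' . var_export($raw, true));
        $file = resolveContentFile(DEFAULT_PAGE);
    }
    if ($file === null) {
        throw new RuntimeException('default content page is missing');
    }
    return $file;
}

// Typical use in index.php:
// include selectContentFile($_GET);

// Self-check of the validator with constructed inputs (php index_example.php).
// The inputs mirror what the thread describes; note that PHP would already
// have decoded %00 into a real NUL byte in $_GET, so both forms are tried.
if (PHP_SAPI === 'cli') {
    $cases = [
        '12'                           => 12,
        '1'                            => 1,
        '0'                            => null,
        ''                             => null,
        '12abc'                        => null,
        '../../../../../etc/passwd%00' => null,
        "../../../../../etc/passwd\0"  => null,
    ];
    $failures = 0;
    foreach ($cases as $input => $expected) {
        $got = validateSelector($input);
        $ok = $got === $expected;
        $failures += $ok ? 0 : 1;
        printf("%-38s -> %-8s %s\n", var_export($input, true),
               $got === null ? 'rejected' : (string) $got, $ok ? 'ok' : 'MISMATCH');
    }
    exit($failures === 0 ? 0 : 1);
}
```

The split into validateSelector() and resolveContentFile() is the point of the example: the first function is pure and can be unit-tested without a filesystem, while the second is the only place that touches disk, so the containment check cannot be bypassed by a later change to how the page name is built. Keeping the rejected value in error_log() rather than in a PHP warning is what preserves the "no path disclosure" property the thread asks for even when display_errors is on.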
Maxaipa
Forum Newbie
Posts: 17
Joined: Sat May 10, 2003 6:08 pm

Post by Maxaipa »

Would I be divulging anything by posting the actual code from index.php?
You've almost hit it right on the head though. How did you determine the path
/home/sites/site112/web/?

I have an 'else' in there that loads 'content' if no other value is selected... i.e c1, c2, etc. How does the code you provided (7 lines) incorporate that?

Please forgive the naive questions...I'm beginning to think that I need to learn a lot more about PHP.

Again, thanks.
Maxaipa
Forum Newbie
Posts: 17
Joined: Sat May 10, 2003 6:08 pm

Post by Maxaipa »

Weirdan,

I think I answered my own questions. Your suggestion appears to have worked, now I see what you're talking about.

Excellent advice, by the way.

I guess that's why I stuck to networking and systems rather than web development.

Much appreciated.

Cheers!!
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

you're welcome :D.
Maxaipa
Forum Newbie
Posts: 17
Joined: Sat May 10, 2003 6:08 pm

Post by Maxaipa »

give a man a fish and he can eat for a day... but teach him to fish...

...we all know the rest.

worldcommunitygrid looks good... I was really never into looking for aliens anyway.