Load page into itself...??
Hello All!,
Forgive my lack of terminology here; I tried a search for something related to my problem - but I'm not even sure what to search for. Let me describe:
I have a contact form located here: <http://www.in2gration.com/index.php>
It uses cjdesign's web2mail script and works quite well - it does exactly what it should. What I would like to be able to do is have the thankyou.php and/or the error notification load into the same container when the 'send mail' button is selected - currently both load into a new browser window. I've tried several things but am either not using the correct code or not putting the code in the correct place.
If any further info is required, please let me know - I'm happy to post whatever is needed to help resolve this.
Any/All guidance would be very much appreciated!!
Thanks and Happy Holidays!
That was fast!! ...and it works too. I almost had it then, but I was using the full file name rather than c=12.
For the second part of your reply: I know what directory traversal is, but what exactly are the implications of the way I've applied that code? Is there a more secure way that would provide the same functionality that I have now?
Thanks very much for your time thus far, greatly appreciated.
somewhere in your index.php you have something like this:
Code:
//........skipped......
include('content' . $_GET['c'] . '.php');
//........skipped......
There you used the value ($_GET['c']) supplied by a user and did not validate it properly. You're assuming that $_GET['c'] is an integer, but you did not validate this fact. Currently it does not pose any serious risk (aside from the path disclosure because of display_errors turned on) because there's no 'content' directory in /home/sites/site112/web/. But if it was there one would be able to visit /index.php?c=../../../../../path/to/any/file%00 and read arbitrary files. Such attacks are usually called 'directory traversals'.
To fix it you would code something like this:
Code:
//........skipped......
$filename = 'content' . intval($_GET['c']) . '.php';
if( !file_exists($filename) ) { // use default filename if file is absent
    $filename = 'content1.php';
}
include($filename);
//........skipped......
intval() is used to make sure we have an integer and if( !file_exists($filename) ) is used to prevent path disclosure regardless of the display_errors being on or off.
Would I be divulging anything by posting the actual code from index.php?
You've almost hit it right on the head though. How did you determine the path /home/sites/site112/web/?
I have an 'else' in there that loads 'content' if no other value is selected... i.e c1, c2, etc. How does the code you provided (7 lines) incorporate that?
Please forgive the naive questions...I'm beginning to think that I need to learn a lot more about php.
Again, thanks.
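As an added example (not code from this thread or from cjdesign's web2mail script), here is one way to fold the intval() + file_exists() fix from the reply above together with the 'else' default the OP describes, so a single helper decides which page gets included. The directory layout (contentN.php next to index.php), the minimum id of 1 and content1.php as the default are assumptions.

```php
<?php
// Added example, not the thread's own code: a page-selection helper for the
// include('content' . $_GET['c'] . '.php') pattern discussed above.
// Assumed layout: content1.php, content2.php, ... live next to index.php.

define('CONTENT_DIR', __DIR__);            // where contentN.php files live (assumption)
define('DEFAULT_CONTENT', 'content1.php'); // what the OP's 'else' branch loads (assumption)

// Return the file to include for a raw ?c= value. Missing, non-numeric or
// unknown ids all fall back to the default, so nothing outside CONTENT_DIR
// can ever be built from user input.
function resolve_content(?string $raw): string
{
    // intval() turns '12' into 12 and '../../../etc/passwd%00' into 0: only
    // digits can end up in the concatenation below.
    $id = intval($raw);
    $candidate = CONTENT_DIR . '/content' . $id . '.php';

    // file_exists() keeps an unknown id from producing an include() warning,
    // which would reveal the server path when display_errors is on.
    if ($id < 1 || !file_exists($candidate)) {
        return CONTENT_DIR . '/' . DEFAULT_CONTENT;
    }
    return $candidate;
}

// In index.php this single line replaces both the include and the 'else':
//   include(resolve_content($_GET['c'] ?? null));

// Demonstration with constructed inputs. The traversal-style values never
// reach the filesystem as a path because intval() reduces them to 0.
$samples = [
    '12',                          // normal request (content12.php if present)
    null,                          // no c= parameter at all -> default page
    'thankyou.php',                // a full file name, as the OP first tried
    '../../../../etc/passwd%00',   // the traversal shape from the reply above
];
foreach ($samples as $raw) {
    printf("%-30s => %s\n", var_export($raw, true), basename(resolve_content($raw)));
}
```

Run this from a directory that contains at least content1.php; every sample except an existing numeric id resolves to the default page.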