checking if file exists on my server

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

I am using an iframe to display the content in a website. I get the page that should be loaded into the iframe through GET. But I know this can be easily messed with by doing index.php?u=http://www.badpage.com. I was wondering if there was a way to check if that file existed on my server or not. Or maybe there is a safer kind of way to go about doing that that I don't really know of?
Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

I really don't see what you are getting at... if you want to point to a file to your site... just use "http://mysite.com/script.php"?
Or the alternative "http://mysite.com/index.php?page=script.php"; however, the last one is not suggested unless you do some testing, such as that there is no ".." in the name, etc. But generally, just prepend a "./" to the incoming file, and now it must exist on your server (a good way is otherwise to use realpath (or something like that), which gives you the exact place of the file within your system, giving you the ability to select whether it is allowed or not (depending on where it should be)).
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Thanks, I did this

Code:

<?php
// Load the page named by ?op=... from the current directory, falling back
// to welcome.php when no page is given or the file is not found.
// The check and the require now both refer to the same "<op>.php" path.
if (!empty($_GET['op']))
{
    if (file_exists('./'.$_GET['op'].'.php'))
    {
        require('./'.$_GET['op'].'.php');
    }
    else
    {
        require('welcome.php');
    }
}
else
{
    require('welcome.php');
}
?>
Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

However, do note that they could "easily" view e.g. your password files using that, by specifying "../../../etc/passwords" and such.
I still recommend checking for ".." or, best of all, realpath.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

No no no

no

no

no!!

That is very very bad :P

A better way is to have http://www.yoursite.com?page=something (don't even use a filename).

then:

Code:

<?php

switch($_GET['page']) {

    case 'whatever': include('somefile.php');
    break;
    case 'something_else': include('anotherfile.php');
    break;
    default: include('a_default_page.php'); //Key point is this bit
    break;

}

?>
Now if the page they type in the URL isn't in that switch they just get some default page. They can't get any other files this way :D
Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

In response to d11wgs' message:

I assumed that wouldn't be an option as then he wouldn't really need to pass it as a variable? That could be by having a dynamic folder which is not accessible from the outside.

But of course, if you have static pages then do not ever let the user specify files.
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Gah, but the switch case method would take me forever to code and I'm hungry. I have like 50 different files that could be included and then I would have to go through everything and redo all the links. Is there a better way?

I only have a few folders it could be in:

none
edit
admin
admin/edit

Maybe a regular expression to strip out everything beforehand or something?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Yeah then in which case there's another way.

Put the allowed directories into an array and then check if the requested file is in one of those directories (i.e. in the array).

Code:

$allowed = array(
    'none',
    'edit',
    'admin',
    'admin/edit'
);

$page = isset($_GET['page']) ? $_GET['page'] : '';

// Strip the trailing "/filename" to get the directory part (element 0 of the
// split); a page with no slash at all belongs to the 'none' (top-level) folder.
$path = preg_split('#/[^/]*$#', $page);
$dir  = (strpos($page, '/') === false) ? 'none' : $path[0];

if (in_array($dir, $allowed)) {
    include($page);
} else {
   //Bad request
}
Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

I believe it is possible to specify "\" in names, even on Linux (in PHP),
meaning that you still can do whatever you want, so I would say a good thing would be to use ctype_alpha or so too to make sure they aren't trying anything, and I doubt you will use anything other either. (e.g. could specify "../index.php" too otherwise)
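Pulling the thread's suggestions together (Syranide's realpath idea, Chris Corbyn's allowed-directory array, and the character check just proposed), here is an added example that is not any poster's code. It assumes the includable pages live in a "pages" folder beside the script on a POSIX filesystem, that "?page=admin/edit/users" maps to pages/admin/edit/users.php (the ".php" suffix as in shiznatix's snippet), and that the empty string stands for the thread's "none" folder.

```php
<?php
// Added example, not code posted in this thread. Assumes pages live under
// PAGES_DIR (a "pages" folder beside this script, POSIX paths) and that
// "?page=admin/edit/users" maps to pages/admin/edit/users.php.
// A page name must pass three independent checks before it is included:
//   1. only letters, digits, '_' and '-' in each segment, single '/' between
//      segments, so "..", "\" and null bytes are rejected before the
//      filesystem is touched (the ctype-style check suggested above);
//   2. the directory part must be one of the thread's allowed folders
//      ('' plays the role of "none", i.e. no folder);
//   3. realpath() of the resolved file must still sit inside PAGES_DIR.
const PAGES_DIR    = __DIR__ . '/pages';
const ALLOWED_DIRS = ['', 'edit', 'admin', 'admin/edit'];

// Returns the absolute path to include, or null for anything not allowed.
function resolve_page(string $page): ?string
{
    // Check 1: \z rather than $ so a trailing newline cannot slip through.
    if (!preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\z#', $page)) {
        return null;
    }
    // Split into directory part and file name; no slash means no folder.
    $slash = strrpos($page, '/');
    $dir   = ($slash === false) ? '' : substr($page, 0, $slash);
    $name  = ($slash === false) ? $page : substr($page, $slash + 1);

    // Check 2: exact match against the allowlist (strict, no type juggling).
    if (!in_array($dir, ALLOWED_DIRS, true)) {
        return null;
    }
    $candidate = PAGES_DIR . '/' . ($dir === '' ? '' : $dir . '/') . $name . '.php';

    // Check 3: canonicalise and confirm containment. realpath() returns false
    // for a missing file, which also covers the "page does not exist" case.
    $base = realpath(PAGES_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$target = resolve_page($_GET['page'] ?? '');
if ($target === null) {
    $target = PAGES_DIR . '/welcome.php';   // bad or unknown request: default page
}
require $target;
```

Because the regex rejects "/", "\" and "." anywhere in a segment, "../index.php" and the backslash variants discussed in the thread never reach the directory allowlist, and the realpath check still guards against a symlink placed inside one of the allowed folders.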
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Syranide wrote: I believe it is possible to specify "\" in names, even on Linux (in PHP),
meaning that you still can do whatever you want, so I would say a good thing would be to use ctype_alpha or so too to make sure they aren't trying anything, and I doubt you will use anything other either. (e.g. could specify "../index.php" too otherwise)
How could you still do what you want using a backslash? It doesn't fit the array and would therefore be rejected? :?
Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

you specified only "NOT /" (not a backslash) ... backslash would fit in that.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Syranide wrote: you specified only "NOT /" (not a backslash) ... backslash would fit in that.
Yes but it still doesn't match the array. By the way this will NOT work...

http://mydomain.com/folder1/folder2\..\ ... older1.php

if that's what you're getting at?