checking if file exists on my server
- shiznatix
- DevNet Master
- Posts: 2745
- Joined: Tue Dec 28, 2004 5:57 pm
- Location: Tallinn, Estonia
I am using an iframe to display the content in a website. I get the page that should be loaded into the iframe through GET, but I know this can be easily messed with by doing index.php?u=http://www.badpage.com. I was wondering if there was a way to check if that file existed on my server or not. Or maybe there is a safer kind of way to go about doing that that I don't really know of?
I really don't see what you are getting at... if you want to point to a file on your site, just use "http://mysite.com/script.php"?
Or the alternative "http://mysite.com/index.php?page=script.php"; however, the last one is not suggested unless you do some testing, such as checking that there is no ".." in the name, etc. But generally, it is just to prepend a "./" to the incoming file, and now it must exist on your server (a good way otherwise is to use realpath (or something like that), which gives you the exact place of the file within your system, giving you the ability to select whether it is allowed or not (depending on where it should be)).
- shiznatix
- DevNet Master
- Posts: 2745
- Joined: Tue Dec 28, 2004 5:57 pm
- Location: Tallinn, Estonia
Thanks, I did this:
<?
if ($_GET['op'])
{
// The existence check and the require() must look at the same file,
// so the '.php' suffix is appended in both places.
// Nothing here restricts what 'op' may contain: any file that exists
// relative to this script, including one reached with '..', gets included.
if (file_exists('./'.$_GET['op'].'.php'))
{
require('./'.$_GET['op'].'.php');
}
else
{
require('welcome.php');
}
}
else
{
require('welcome.php');
}
?>
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
No no no
no
no
no!!
That is very very bad
A better way is to have http://www.yoursite.com?page=something (don't even use a filename).
then:
<?php
switch($_GET['page']) {
case 'whatever': include('somefile.php');
break;
case 'something_else': include('anotherfile.php');
break;
default: include('a_default_page.php'); //Key point is this bit
break;
}
?>
Now if the page they type in the URL isn't in that switch they just get some default page. They can't get any other files this way
- shiznatix
- DevNet Master
- Posts: 2745
- Joined: Tue Dec 28, 2004 5:57 pm
- Location: Tallinn, Estonia
Gah, but the switch case method would take me forever to code and I'm hungry. I have like 50 different files that could be included and then I would have to go through everything and redo all the links. Is there a better way?
I only have a few folders it could be in:
none
edit
admin
admin/edit
Maybe a regular expression to strip out everything beforehand or something?
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Yeah, in which case there's another way.
Put the allowed directories into an array and then check if the requested file is in one of those directories (i.e. in the array).
$allowed = array(
'none',
'edit',
'admin',
'admin/edit'
);
$page = $_GET['page'];
// Split the directory part from the filename: for 'admin/edit/foo.php' this
// gives array('admin/edit', ''), so the directory is in $path[0], not $path[1].
// A page with no slash at all has no directory, which the list calls 'none'.
$path = preg_split('#/[^/]*$#', $page);
$dir = (strpos($page, '/') === false) ? 'none' : $path[0];
if (in_array($dir, $allowed)) {
include($page);
} else {
//Bad request
}
I believe it is possible to specify "\" in names, even on linux (in PHP).
Meaning that you still can do whatever you want, so I would say a good thing would be to use ctype_alpha or so too, to make sure they aren't trying anything, and I doubt you will use anything else either. (e.g. could specify "../index.php" too otherwise)
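An added example, not code from any of the posts: it combines the allow-listed directory array from the post above with the realpath() and strict-character checks suggested in the thread. The directory names are the ones shiznatix listed; the base directory, the function name resolve_page and the temporary page tree are assumptions for the demonstration.

```php
<?php
// Added example, not code from the thread: it combines the allow-listed
// directories from the post above with the realpath() and character-set checks
// suggested in the replies. Assumed layout: pages live under $base as
// <dir>/<name>.php, using the directory names shiznatix listed.
function resolve_page($page, $base, array $allowed) {
    // Only letters, digits, underscore and forward slash are accepted, so a
    // backslash, "..", "://" or a null byte never reaches include().
    if (!is_string($page) || !preg_match('#^[A-Za-z0-9_]+(/[A-Za-z0-9_]+)*$#', $page)) {
        return null;
    }
    // Directory part of the request; no slash at all means 'none'.
    $slash = strrpos($page, '/');
    $dir = ($slash === false) ? 'none' : substr($page, 0, $slash);
    if (!in_array($dir, $allowed, true)) {
        return null;
    }
    // Resolve both paths and confirm the target really sits under $base.
    $root = realpath($base);
    $file = realpath($base . '/' . $page . '.php');
    if ($root === false || $file === false) {
        return null; // base missing, or the page file does not exist
    }
    if (strpos($file, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null; // e.g. a symlink that points outside the page tree
    }
    return $file; // safe to pass to include()
}

// Constructed demonstration: build a temporary page tree and try some inputs.
$base = sys_get_temp_dir() . '/pages_' . uniqid();
mkdir($base . '/admin/edit', 0700, true);
mkdir($base . '/edit', 0700, true);
foreach (array('welcome', 'edit/post', 'admin/edit/post') as $p) {
    file_put_contents("$base/$p.php", "<?php echo '$p';");
}
$allowed = array('none', 'edit', 'admin', 'admin/edit');
$requests = array(
    'welcome'               => 'file in the root directory',
    'admin/edit/post'       => 'file in an allowed subdirectory',
    'admin/../welcome'      => 'traversal, rejected by the pattern',
    'admin\\..\\welcome'    => 'backslash variant, rejected by the pattern',
    'http://evil.example/x' => 'remote URL, rejected by the pattern',
    'edit/missing'          => 'allowed directory, but no such file',
);
foreach ($requests as $req => $why) {
    $target = resolve_page($req, $base, $allowed);
    $shown = ($target === null) ? 'welcome.php (default)' : substr($target, strlen(realpath($base)) + 1);
    printf("%-24s -> %s (%s)\n", $req, $shown, $why);
}
```

A null return is the signal to fall back to the default page, exactly as the switch example's default branch does.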
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Syranide wrote:
I believe it is possible to specify "\" in names, even on linux (in PHP).
Meaning that you still can do whatever you want, so I would say a good thing would be to use ctype_alpha or so too, to make sure they aren't trying anything, and I doubt you will use anything else either. (e.g. could specify "../index.php" too otherwise)
How could you still do what you want using a backslash? It doesn't fit the array and would therefore be rejected?
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Syranide wrote:
you specified only "NOT /" (not a backslash) ... backslash would fit in that.
http://mydomain.com/folder1/folder2\..\ ... older1.php
if that's what you're getting at?
Yes but it still doesn't match the array. By the way this will NOT work...