Page 1 of 1

problems with path

Posted: Tue Jul 26, 2005 2:46 am
by dizeta
hi,

i have this problem:
i'm using a template system
index.php:

Code: Select all

include("header.php");

include("menu.php");
$p="main";
if(isset($_GET['page'])){
    $p=$_GET['page'];
    if($p!=basename($p) || !preg_match("/^[A-Za-z0-9\-_]+$/",$p) || $p=="index" || !file_exists($p.".php"))
        $p="error";
    }

include($p.".php");
include("footer.php");
the problem is that script is loading pages that are stored into the same index directory.
for example querystring like:

Code: Select all

index.php?page=login
it works 'cause login.php is into the same index directory, but if login.php is stored into auth/login.php the querystring doesn't work


i'd like to modify that script to allow me insert different paths.

thank's to all

Posted: Tue Jul 26, 2005 5:06 am
by anjanesh
Have you tried

index.php?page=auth%2Flogin

?

Posted: Tue Jul 26, 2005 7:39 am
by dizeta
yes and doesn't work...
:?:

Posted: Tue Jul 26, 2005 7:41 am
by timvw
That is because if you have $_GET['page'] = 'auth/foo.php'

basename($p) is not equal to $p...

Posted: Tue Jul 26, 2005 8:28 am
by dizeta
mmh...

i'm not sure to understand :?

auth/login is just a example, because i can have different scripts running and so need different paths...

i.e:
login = auth/login
news = news/news
admin = admin/index

Posted: Tue Jul 26, 2005 9:54 am
by timvw
Well, your code has if($p!=basename($p)..

So, if you understand what that your code does, you'll understand why it doesn't allow ?page=auth/foo...

Simply remove the test.. and things work.. But you want to avoid people requesting pages that are not in the document_base... So you might be interested in realpath to test if it's really in the document_base...

Posted: Fri Jul 29, 2005 8:28 am
by dizeta
hi,

after almost a week i've found the solution.. :lol:

Code: Select all

$sectionFolder = 'sections/';
if( $handle = &opendir( $sectionFolder ) ) {
    $sections = Array();
    while( false !== ( $file = &readdir( $handle  ) ) ) {
        if( array_pop( explode( '.', $file ) ) == 'php' ) {
            array_push( $sections, substr( $file, 0, -4 ) );
        }
    }
    if( isset( $_GETї'page'] ) == false || $_GETї'page'] == 'main' ) {
        $_GETї'page'] = 'main';
    }
    elseif( realpath(in_Array( $_GETї'page'], $sections )) == false ) {
        $_GETї'page'] = 'error';
    }
    include($sectionFolder.$_GETї'page'].'.php');
}
what do you think? i mean about security issue

thanks

Posted: Fri Jul 29, 2005 8:59 am
by timvw
Security wise it seems ok.. But i think it's a bit useless to read the complete directory contents every time..

Here is how i would do it (untested)

Code: Select all

$sectionFolder = 'sections/';
$page = 'main';

if (isset($_GET['page']))
{
  $sectpath = realpath($sectionFolder);
  $filepath = realpath($_GET['page'] . '.php');

  if (is_readable($filepath) && $filepath == $sectpath . '/' . $_GET['page'] . '.php')
  {
    $page = $_GET['page'];
  }
}
include($filepath);

Posted: Sun Jul 31, 2005 5:09 pm
by thomas777neo
Can't you just set your include_path aswell?

Posted: Sun Jul 31, 2005 5:25 pm
by bokehman
I can't understand why you would be using a query string for this. You should just use a straight URL