problems with path
Posted: Tue Jul 26, 2005 2:46 am
by dizeta
Hi,
I have this problem:
I'm using a template system.
index.php:
include("header.php");
include("menu.php");
$p = "main";
if (isset($_GET['page'])) {
    $p = $_GET['page'];
    // reject anything with a directory part, unusual characters, "index", or a file that does not exist
    if ($p != basename($p) || !preg_match("/^[A-Za-z0-9\-_]+$/", $p) || $p == "index" || !file_exists($p . ".php"))
        $p = "error";
}
include($p . ".php");
include("footer.php");
The problem is that the script only loads pages that are stored in the same directory as index.php.
For example, a query string like:
works because login.php is in the same directory as index.php, but if login.php is stored in
auth/login.php the query string doesn't work.
I'd like to modify that script to allow me to use different paths.
Thanks to all
Posted: Tue Jul 26, 2005 5:06 am
by anjanesh
Have you tried
index.php?page=auth%2Flogin
?
Posted: Tue Jul 26, 2005 7:39 am
by dizeta
Yes, and it doesn't work...

Posted: Tue Jul 26, 2005 7:41 am
by timvw
That is because if you have $_GET['page'] = 'auth/foo.php',
basename($p) is not equal to $p...
Posted: Tue Jul 26, 2005 8:28 am
by dizeta
Hmm...
I'm not sure I understand.
auth/login is just an example, because I can have different scripts running and so need different paths...
i.e.:
login = auth/login
news = news/news
admin = admin/index
Posted: Tue Jul 26, 2005 9:54 am
by timvw
Well, your code has
if($p!=basename($p)..
So, if you understand what your code does, you'll understand why it doesn't allow ?page=auth/foo...
Simply remove the test and things work. But you want to avoid people requesting pages that are not in the document_base... So you might be interested in
realpath to test if it's really in the document_base...
Posted: Fri Jul 29, 2005 8:28 am
by dizeta
Hi,
after almost a week I've found the solution..
$sectionFolder = 'sections/';
if ($handle = opendir($sectionFolder)) {
    $sections = array();
    while (false !== ($file = readdir($handle))) {
        // collect the base names of the *.php files found in the sections folder
        if (pathinfo($file, PATHINFO_EXTENSION) == 'php') {
            $sections[] = substr($file, 0, -4);
        }
    }
    closedir($handle);
    if (!isset($_GET['page']) || $_GET['page'] == 'main') {
        $_GET['page'] = 'main';
    } elseif (!in_array($_GET['page'], $sections, true)) {
        // anything not in the directory listing maps to the error page
        $_GET['page'] = 'error';
    }
    include($sectionFolder . $_GET['page'] . '.php');
}
What do you think? I mean about security issues.
Thanks
Posted: Fri Jul 29, 2005 8:59 am
by timvw
Security-wise it seems OK.. But I think it's a bit useless to read the complete directory contents every time..
Here is how I would do it (untested)
$sectionFolder = 'sections/';
$page = 'main';
if (isset($_GET['page']))
{
    $sectpath = realpath($sectionFolder);
    // resolve the requested file relative to the sections folder, not the current directory
    $filepath = realpath($sectionFolder . $_GET['page'] . '.php');
    // realpath() collapses ".." and follows symlinks, so the resolved path must be
    // exactly the expected file inside the sections folder
    if ($filepath !== false && is_readable($filepath) && $filepath == $sectpath . '/' . $_GET['page'] . '.php')
    {
        $page = $_GET['page'];
    }
}
// include via the validated $page, never via the unvalidated $filepath
include($sectionFolder . $page . '.php');
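Putting the two suggestions in this thread together, an allow-list of what may be included and a realpath() check that the resolved file really lives under the sections folder, as an added example that is not code from any of the posters: it accepts sub-paths such as auth/login (the original question) while rejecting traversal, null bytes, stream wrappers and symlinks that point out of the tree. The sections/ layout, the function name resolve_section() and the temporary demo tree are assumptions made for this illustration.

```php
<?php
// Added example (not from the thread): resolve ?page=auth/login to a file
// inside a fixed sections directory, rejecting traversal, stream wrappers
// and symlinks that point outside it. The directory layout and the names
// resolve_section() / sections_demo are assumptions for this illustration.
declare(strict_types=1);

/**
 * Map a page name such as "main" or "auth/login" to the absolute path of
 * sections/<page>.php, or return null if the request must be rejected.
 */
function resolve_section(string $sectionDir, string $page): ?string
{
    // 1. Syntactic allow-list: segments of [A-Za-z0-9_-] joined by a single
    //    "/". This already rules out ".", "..", "\0", ":" (php://, data://),
    //    backslashes, empty segments and a leading slash. \z rather than $,
    //    because $ would still match "main\n".
    if (!preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\z#', $page)) {
        return null;
    }

    // 2. Semantic check: realpath() follows symlinks and collapses "..",
    //    so compare the resolved file against the resolved base directory.
    $base = realpath($sectionDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . '/' . $page . '.php');
    if ($candidate === false) {
        return null;                 // no such file
    }
    // Compare with the trailing separator included, otherwise a sibling
    // directory such as "sections_private/" would pass the prefix test.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                 // resolves outside the base (symlink)
    }
    return $candidate;
}

// In index.php the router would then be:
//   $file = resolve_section(__DIR__ . '/sections', $_GET['page'] ?? 'main')
//        ?? __DIR__ . '/sections/error.php';
//   include $file;

// --- self-contained demonstration on a constructed directory tree ---------
$root = realpath(sys_get_temp_dir()) . '/sections_demo_' . getmypid();
mkdir("$root/sections/auth", 0700, true);
file_put_contents("$root/sections/main.php", "<?php echo 'main';");
file_put_contents("$root/sections/auth/login.php", "<?php echo 'login';");
file_put_contents("$root/secret.php", "<?php echo 'not for you';");
// A symlink inside sections/ that points outside of it: passes the regex,
// must be caught by the realpath() comparison.
@symlink("$root/secret.php", "$root/sections/escape.php");

$requests = [
    'main',                           // allowed
    'auth/login',                     // allowed: sub-path, the OP's case
    'auth/../main',                   // traversal, rejected by the regex
    '../secret',                      // traversal, rejected by the regex
    'escape',                         // symlink out of the tree, rejected by realpath
    "main\0",                         // null byte, rejected by the regex
    'php://filter/resource=main',     // stream wrapper, rejected by the regex
    'auth//login',                    // empty segment, rejected by the regex
    'missing',                        // well-formed but no such file
];
foreach ($requests as $r) {
    $resolved = resolve_section("$root/sections", $r);
    printf("%-30s => %s\n", addcslashes($r, "\0"),
           $resolved === null ? 'REJECTED' : substr($resolved, strlen($root)));
}

// clean up the demo tree
foreach (["$root/sections/escape.php", "$root/sections/auth/login.php",
          "$root/sections/main.php", "$root/secret.php"] as $f) {
    @unlink($f);
}
rmdir("$root/sections/auth"); rmdir("$root/sections"); rmdir($root);
```

The regex alone is not enough, which is why the realpath() comparison stays in: the escape entry is a perfectly well-formed name whose target is outside the tree, and only the resolved-path check catches it. Conversely, realpath() alone would still accept php:// wrappers on some configurations and would not reject a null byte before include() does, so both layers are kept.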
Posted: Sun Jul 31, 2005 5:09 pm
by thomas777neo
Can't you just set your include_path as well?
Posted: Sun Jul 31, 2005 5:25 pm
by bokehman
I can't understand why you would be using a query string for this. You should just use a straight URL.