Need your HELP on unchecked variable

Posted: Sun Jun 25, 2006 6:31 pm
by ee01es
feyd | Please use the code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hello,

Please help me!

<?php
if (count($HTTP_GET_VARS) == 0) {
        $content = 'welcome.php';
        $pageTitle = 'Welcome';
} else {
        // THIS IS LINE 8: 'content' is taken straight from the query string
        // and becomes the include path without any validation.
        $content = $HTTP_GET_VARS['content'] . ".php";
        $pageTitle = $HTTP_GET_VARS['pagetitle'];
}
include "library/structure.php";
?>
The problem is that, current line 8 is to be replaced by some code that only allows $content to be set to one of a known list of pages. I have tried with elseif but no luck.

<?php
// elseif attempt: each branch tests how many GET parameters were sent,
// not the value of 'content', so the page is still not chosen by name.
if (count($HTTP_GET_VARS) == 0) {
        //print "<meta http-equiv='refresh' content='0; URL=index.php?content=welcome&pagetitle=Welcome'>";
        $content = 'welcome.php';
        $pageTitle = 'Welcome';
} elseif (count($HTTP_GET_VARS) == 1) {
        $content = 'committee.php';
        $pageTitle = 'Committee Members';
} elseif (count($HTTP_GET_VARS) == 2) {
        $content = 'events.php';
        $pageTitle = 'Meetings and Events';
} elseif (count($HTTP_GET_VARS) == 3) {
        $content = 'farewell.php';
        $pageTitle = '2004 Farewell Message';
} elseif (count($HTTP_GET_VARS) == 4) {
        $content = 'pastevents.php';
        $pageTitle = 'Past Events';
} else {
        $content = 'links.php';
        $pageTitle = 'Links';
}

include "library/structure.php";
?>
Many thanks.


Posted: Sun Jun 25, 2006 7:08 pm
by tecktalkcm0391
1.) Use the PHP button or tags for php ( [PHP*] without the *)
2.) Tell us what you need help with in depth

Posted: Sun Jun 25, 2006 7:58 pm
by feyd
You may want to look using a switch().

Posted: Mon Jun 26, 2006 6:22 pm
by ee01es
Hi Feyd,

Thank you for your advice and the hint on using "switch", but it does not seem to be working correctly for me.

BR, Eha

Posted: Mon Jun 26, 2006 6:29 pm
by Luke
post your code of it "not working correct" so we can see what's wrong

Posted: Mon Jun 26, 2006 6:44 pm
by ee01es
Thank you very much for your quick reply.

<?php
$fp = fopen ("menu.csv","r");
while ($data = fgetcsv ($fp, 1000, ",")) {
        if ($HTTP_GET_VARS['content'] == $data[1]) {
                print "<span class=menucurrent>" . $data[0] . "</span><br>\n";
        } else {
                print "<a class=menu href=\"index.php?content=" . $data[1] . "&pagetitle=" . $data[0] . "\">" . $data[0] . "</a><br>\n";
        }
}
fclose ($fp);
?>


<a class=menu href="http://www.iee.org.uk" target="_blank">IEE </a><br>

</font>
</td>

<td class=bodytext valign=top>
<!--Contents of the page inserted below here from file given in the php variable $content-->



<center>
<h1><?php print $siteTitle ?></h1>
<h2><?php print $pageTitle ?></h2>
</center>



<?php include $content; /* THIS IS NOT CHECKED*** */ ?>
<p class=note>


<?php $update_date = date ("jS F Y", filemtime($content)); ?>
Last Updated: <?php print $update_date; ?>  Webdevelopment: <a href="mailto:<?php print $webdev_email; ?>"><?php print $webdev_name; ?></a>


***The script above accepts a variable 'content' which is not checked before being passed into a PHP 'include' command. As a result, an attacker can pass content=http://www.badsite.com/evilcode.htm to your site and the server will include this code in your site.

So, I need to introduce checking into my script to ensure that it is not possible to pass unchecked variables into the script, and to ensure that these are not then used within an 'include' or 'require' statement.

The problem is that, current line 8 in the previous source is to be replaced by some code that only allows $content to be set to one of a known list of pages. I have tried with elseif but no luck. I have got the list of pages in menu.csv and therefore I could do something like loop through menu.csv until the page name equals $HTTP_GET_VARS['content'] and then set $content to be that, else set $content to the default welcome page. What do you think? Any ideas on how to do it?

Many thanks for your support.
Cheers, Eha
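One way to do what the post above describes (and what feyd's switch() hint amounts to): build an allowlist of page names from menu.csv and only set $content from a name that is on it. This is an added example, not Eha's code or anything from the forum. It assumes menu.csv rows are "Title,pagename" exactly as the menu loop in structure.php reads them ($data[0] is the title, $data[1] the page name), that the page files sit next to index.php, that welcome.php is the fallback, and it uses $_GET in place of the old $HTTP_GET_VARS (same data). The menu.csv contents are constructed inline so the script runs on its own.

```php
<?php
// Added example, not the original poster's code: validate the 'content'
// request parameter against an allowlist built from menu.csv before it
// ever reaches include. Assumptions: menu.csv rows are "Title,pagename"
// ($data[0] = title, $data[1] = page name), page files live next to
// index.php, and the fallback page is welcome.php. $_GET replaces the
// old $HTTP_GET_VARS (same data, PHP >= 4.1).

// Sample menu.csv contents, constructed here so the example runs stand-alone.
$menuCsv = "Welcome,welcome\n"
         . "Committee Members,committee\n"
         . "Meetings and Events,events\n"
         . "Past Events,pastevents\n"
         . "Links,links\n";

// Build the allowlist: page name => title. Only these keys can be included.
function loadMenu($fp)
{
    $menu = array();
    while (($data = fgetcsv($fp, 1000, ",")) !== false) {
        if (count($data) < 2) {
            continue;                       // blank or malformed line
        }
        $menu[trim($data[1])] = trim($data[0]);
    }
    return $menu;
}

// Choose the page to include. The requested value must be an exact key of
// $menu; anything else (missing, a remote URL, ../ traversal, an array,
// a value with a NUL byte) falls back to the default. The title also comes
// from the allowlist, so the 'pagetitle' parameter is never trusted either.
function selectPage($menu, $requested, $default = 'welcome')
{
    if (is_string($requested) && isset($menu[$requested])) {
        $name = $requested;
    } else {
        $name = $default;
    }
    return array(
        'content'   => $name . '.php',
        'pageTitle' => isset($menu[$name]) ? $menu[$name] : 'Welcome',
    );
}

// Load the allowlist from the constructed CSV (php://temp stands in for
// fopen("menu.csv", "r") in the real script).
$fp = fopen('php://temp', 'r+');
fwrite($fp, $menuCsv);
rewind($fp);
$menu = loadMenu($fp);
fclose($fp);

// This block replaces the unchecked "line 8" in index.php.
$requested = isset($_GET['content']) ? $_GET['content'] : '';
$page      = selectPage($menu, $requested);
$content   = $page['content'];     // always one of the allowlisted files now
$pageTitle = $page['pageTitle'];

// Show what the check does with a few hostile values (run from the CLI).
$probes = array('events', 'http://www.badsite.com/evilcode',
                '../../../etc/passwd', "events\0", '');
foreach ($probes as $p) {
    $r = selectPage($menu, $p);
    printf("%-40s -> %s\n", var_export($p, true), $r['content']);
}

// In library/structure.php the include can stay exactly as it is, because
// $content can no longer be anything but a file named in menu.csv:
//   include $content;
```

Because $content is rebuilt from the allowlisted name rather than from the request, the `filemtime($content)` line in structure.php is covered by the same check. Note that turning off remote file access in php.ini would only stop the http:// case from the scanner message; it does nothing against `../` traversal into other local files, which is why the allowlist belongs in the script regardless of server settings.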

Posted: Mon Jun 26, 2006 7:09 pm
by ee01es
Hi Chris, Thanks for the reply.

Please find the requested info!

Cheers, Eha