Variables == Difficult


danharibo
Forum Commoner
Posts: 76
Joined: Thu Aug 17, 2006 8:56 am

Variables == Difficult

Post by danharibo »

I'm trying to make a dynamic page using txt files and fopen. But it's not going too good:

Code: Select all

if($page == '')
{
$page = "./index.txt";
}
$fp = fopen($page, 'r'); // Open Page .txt for reading from beginning
$read = fread($fp, '4000'); // Read from the file pointer
print($read);
Causes this:

Notice: Undefined variable: page in c:\program files\easyphp1-8\www\sufsite\index.php on line 15
I'm not sure how to fix it :(
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Where is $page coming from??? In case you're reading an outdated manual, here's a hint: http://us2.php.net/reserved.variables...

And you probably might want to check http://www.php.net/isset, http://www.php.net/empty, etc too...
danharibo
Forum Commoner
Posts: 76
Joined: Thu Aug 17, 2006 8:56 am

Post by danharibo »

?page=news.txt ?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

You need to set $page equal to something before you check if its value equals something OR you need to check if it isset() or if it is empty() (as timvw helpfully pointed out).
AlecH
Forum Commoner
Posts: 27
Joined: Fri Feb 24, 2006 4:22 pm
Location: New Hampshire

Post by AlecH »

This looks like what you are looking for.

Code: Select all

$page = trim($_GET['page']);
if($page != '')
{
$fp = fopen($page, 'r'); // Open Page .txt for reading from beginning
$read = fread($fp, '4000'); // Read from the file pointer
print($read);
}
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

AlecH wrote:This looks like what you are looking for.

Code: Select all

$page = trim($_GET['page']);
if($page != '')
{
$fp = fopen($page, 'r'); // Open Page .txt for reading from beginning
$read = fread($fp, '4000'); // Read from the file pointer
print($read);
}
But that results in a warning about an undefined variable when there is no page variable in the url... The following code on the other hand doesn't have that problem...

Code: Select all

if (isset($_GET['page'])) {
  //
}
Another problem is that the use of this variable, without performing any checks on it, allows a malicious user to request any page he wants.. And as long as the webserver has read access to that file, he'll get to see the contents...

If you really want to do that, at least use http://www.php.net/real_path to verify if the page comes from a place where it's allowed to request pages from ;)


Anyway, I'm pretty sure the OP did not bother to carefully read the links I posted... So I'll stop bothering about his problems too..
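The realpath() check suggested in the post above, as an added example that is not part of the original thread: the requested name is resolved to a canonical path and served only if that path still lies inside the pages directory. The function name resolve_page, the pages/ layout and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (hypothetical names throughout, not code from the thread).
// Returns the canonical path of an allowed page, or null if the request
// must be rejected.
function resolve_page(string $baseDir, ?string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // pages directory is missing
    }
    // Fall back to the default page when the parameter is absent or empty.
    $name = ($requested === null || trim($requested) === '') ? 'index' : trim($requested);

    // The script, not the user, supplies the extension.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name . '.txt');

    // realpath() returns false for a path that does not exist; otherwise it
    // returns the canonical path with "." / ".." segments and symlinks resolved.
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against "<base>/" so a sibling such as "pages_old" cannot match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sample layout in a temporary directory, so this runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/index.txt', "home page\n");
file_put_contents($root . '/pages/news.txt', "news page\n");
file_put_contents($root . '/outside.txt', "not a page\n");

// Stand-ins for what $_GET['page'] might hold (null = parameter absent).
foreach ([null, 'news', 'missing', '../outside', $root . '/outside'] as $input) {
    $path = resolve_page($root . '/pages', $input);
    printf("%-14s => %s\n", var_export($input, true),
        $path === null ? 'rejected' : 'serve ' . basename($path));
}

// Remove the constructed sample files again.
array_map('unlink', [$root . '/pages/index.txt', $root . '/pages/news.txt', $root . '/outside.txt']);
rmdir($root . '/pages');
rmdir($root);
```

In a script like the one in this thread, the call would be resolve_page(__DIR__ . '/pages', isset($_GET['page']) ? $_GET['page'] : null), reading the file only when the result is not null.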
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The code posted is a security hole waiting to be exploited. I would suggest implementing the "$_GET and includes" thread linked from Useful Posts if that route is desired.
danharibo
Forum Commoner
Posts: 76
Joined: Thu Aug 17, 2006 8:56 am

Post by danharibo »

Once I finish the script it will add '.txt' to the end, so how is it a security hole? Anyway, I'll just use empty/isset
danharibo
Forum Commoner
Posts: 76
Joined: Thu Aug 17, 2006 8:56 am

Post by danharibo »

:(
Neither:

Code: Select all

if(!isset($page))
{
$page = "./index.txt";
}
Or:

Code: Select all

if(empty($page))
{
$page = "./index.txt";
}
won't work. Take a peek:
*Removed*
danharibo
Forum Commoner
Posts: 76
Joined: Thu Aug 17, 2006 8:56 am

Post by danharibo »

Anybody? Those 2 just load index.txt regardless
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

danharibo wrote: Once I finish the script it will add '.txt' to the end, so how is it a security hole? Anyway, I'll just use empty/isset
I wonder why I still bother...

viewtopic.php?t=36850&postdays=0&postor ... ed2a0deafb why simply prepending something isn't safe...
danharibo
Forum Commoner
Posts: 76
Joined: Thu Aug 17, 2006 8:56 am

Post by danharibo »

ok, so:

Code: Select all

$RealPage = str_replace('../', '',$page);
Would be safer?
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Post by n00b Saibot »

Why not use a key for each page you want to show? That way you can be safe from any kind of path manipulation hacks..

Code: Select all

<?php
$page = $_GET['page'];
$pageList = array('home'=>'index.txt', 'news'=>'news.txt', /*...add here to your heart's content*/ );
$page = if(in_array($page, array_keys($pageList))) ? $pageList[$page] : $pageList['home'];

/* continue with your jig */
?>
danharibo
Forum Commoner
Posts: 76
Joined: Thu Aug 17, 2006 8:56 am

Post by danharibo »

Parse error: parse error in c:\program files\easyphp1-8\www\sufsite\index.php on line 18

$page = if(in_array($page, array_keys($pageList))) ? $pageList[$page] : $pageList['home'];

:(
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Post by n00b Saibot »

eeeks my bad!!!

Code: Select all

$page = if(in_array($page, array_keys($pageList))) ? $pageList[$page] : $pageList['home'];
should be

Code: Select all

$page = in_array($page, array_keys($pageList)) ? $pageList[$page] : $pageList['home'];