
A simple include script problem!

Posted: Sun Oct 07, 2007 3:33 pm
by glav
feyd | Please use [code] ... [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


OK - I have a small problem but it's bugging me out.

The little script I'm using is

Code:

<?php
// $a is expected to arrive from the query string via register_globals (index.php?a=page)
if (@$a) {                      // @ suppresses the notice when $a was never set
    include "" . $a . ".inc";
} else {
    include "main.inc";         // the bare constant main was a typo; PHP only treated it as 'main' with a notice
}
?>
First of all, I think I should ask these questions one at a time and get the answer for the first one before asking the second.
That's for my own benefit, so I don't get confused.

Question 1: In this script, if the value for $a does not exist, does the script then load main.php, or does it only load main.php when the variable is not passed?

What I mean is this: http://www.sitename.com/index.php?a=nosuchfile

Does main.php load?

OR

http://www.sitename.com/index.php

Only loads when the variable is not passed.

Or does it load for both cases?

Thanks



Posted: Sun Oct 07, 2007 3:36 pm
by feyd
There's a thread linked from Useful Posts you need to read regarding this type of code.

Posted: Sun Oct 07, 2007 3:39 pm
by Zoxive
What's with the error suppression?

Code:

if (!empty($_GET['a'])) {
    // $_GET['a'] Also Should be Filtered/Escaped/Checked
    include($_GET['a'] . '.inc'); // Edit: Forgot `.`
} else {
    include('main.inc');
}

Posted: Sun Oct 07, 2007 3:47 pm
by glav
Zoxive, I tried that and got the error.

Warning: main(jetlagphp) [function.main]: failed to open stream:

the '.' is missing

so I put it in and tried to call a page that does not exist and I got this error

Warning: main(jetlag2.php) [function.main]: failed to open stream:

and yes the extension I use is .php not .inc

Thanks

Posted: Sun Oct 07, 2007 3:55 pm
by Zoxive
glav wrote: Zoxive, I tried that and got the error.

Warning: main(jetlagphp) [function.main]: failed to open stream:

the '.' is missing

so I put it in and tried to call a page that does not exist and I got this error

Warning: main(jetlag2.php) [function.main]: failed to open stream:

and yes the extension I use is .php not .inc

Thanks

Well, you need to do more Checking.

Right now it is only seeing if the Variable $_GET['a'] exists, and then it tries and includes.

Code:

$Ext = '.php';
// I would like to note again..
// $_GET['a'] Also Should be Filtered/Escaped/Checked
if (!empty($_GET['a']) && file_exists($_GET['a'] . $Ext)) { // closing ')' of file_exists() was missing
    include($_GET['a'] . $Ext);
} else {
    include('main.inc');
}

If I go to your site, I could easily put sitename.com/index.php?a=../../anyfileiwant

Posted: Sun Oct 07, 2007 4:19 pm
by glav
Zoxive, first of all the '.' was not missing, it was my mistake.

When I try the new piece of code you wrote, it only loads the main.php page even if the value for a exists.

Thanks for the help.

Posted: Sun Oct 07, 2007 4:23 pm
by feyd
Have you read the thread I referred to in the first response?

Posted: Sun Oct 07, 2007 4:26 pm
by glav
feyd, I'm reading it at the moment.

OK, I've finished reading that. Some snarky posts there, lots of fun.

Did it help? Yes, a little, but I'll have to read a little more before I understand everything that was mentioned.


Thanks

Posted: Sun Oct 07, 2007 6:45 pm
by glav
OK Zoxive & feyd, I figured out why this was not working for me. I am using this on a new site that is based around a premade app that I wanted to use. When I tried your script Zoxive it did the same thing my own version did, and when I tried it on a site without the premade app it worked fine. The reason was because I had to put the location in the file_exists function like this:

Code:

$Ext = '.php';
// I would like to note again..
// $_GET['a'] Also Should be Filtered/Escaped/Checked
if (!empty($_GET['a']) && file_exists("template/hhi/" . $_GET['a'] . $Ext)) { // the '.' before $_GET['a'] was missing
    include($_GET['a'] . $Ext); // note: the include does not use the template/hhi/ prefix checked above
} else {
    include('main.inc');
}

This was because the index.php file was in wwwroot/or/ and the values for $a were in wwwroot/or/template/hhi/

What I need to figure out is how to load the premade app into the wwwroot/ dir and load the $a values from there also.

Thanks for the help.
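One way to make Zoxive's file_exists() check and glav's template/hhi/ directory prefix into a single, consistent rule: resolve the requested name inside one fixed directory and include exactly the path that was checked. This is an added example, not code from anyone in this thread; the wwwroot/or/template/hhi/ layout and the .php extension are taken from glav's posts, and the function name resolve_page is an assumption.

```php
<?php
// Added example, not code from this thread. It confines a user-chosen page name to one
// directory, combining Zoxive's file_exists() idea with a name check and a realpath() test.
// Assumptions: index.php lives in wwwroot/or/ and the pages in wwwroot/or/template/hhi/
// (glav's layout); the directory name and the .php extension are taken from the thread.
declare(strict_types=1);

function resolve_page(string $requested, string $baseDir, string $ext = '.php'): ?string
{
    // Accept only a plain name. This rejects "../", "/", "http://..." and empty values outright.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;            // the page directory itself is missing or unreadable
    }
    // realpath() returns false for a file that does not exist, so this also covers file_exists().
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested . $ext);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Defence in depth: after resolving symlinks the file must still be inside $base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

$baseDir = __DIR__ . '/template/hhi';                                // assumption: see above
$a = isset($_GET['a']) && is_string($_GET['a']) ? $_GET['a'] : '';   // ?a[]=x must not reach the string check

$page = resolve_page($a, $baseDir);
if ($page !== null) {
    include $page;                    // the same resolved path is both checked and included
} else {
    include $baseDir . '/main.php';   // missing, invalid or unknown value: show the default page
}
```

The point of returning the resolved path and including that, rather than rebuilding the path a second time, is that the check and the include can never drift apart the way they do in the snippet above, where file_exists() looks in template/hhi/ but include() does not.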

Posted: Sun Oct 07, 2007 6:48 pm
by Zoxive
I have yet to acquire the ability to read minds and know exactly how your website is structured, so as to give you exact code.

On a serious note, we are here to help you learn, give advice and point you in the right direction. So when you get code examples here (IF you do, I was feeling generous today) most of the time you still need to tweak them to your apps.

Posted: Mon Oct 08, 2007 5:39 am
by glav
Even though I have read the thread feyd forwarded me to, I'm still a little confused about what steps I should use to secure the include method.

I need to make sure that the files are in certain folders only and that a hacker cannot enter index.php?a=../../../somefile

Would this be enough, or am I still prone to an easy attack?

Thanks

Posted: Mon Oct 08, 2007 11:50 am
by RobertGonzalez
Read that thread carefully. There are a lot of security topics covered in there, all of which you should use when allowing dynamic includes from user input.

Posted: Mon Oct 08, 2007 2:46 pm
by mrkite
Even worse, make sure a hacker can't say index.php?a=http://myevilsite.com/blah.txt

because php will download blah.txt and execute the php code in it as if it were running locally.

I find it easiest to just do:

Code:

$_GET['a'] = preg_replace('|/|', '', $_GET['a']);
Which should prevent people from passing paths or urls to your include statement.

Posted: Mon Oct 08, 2007 3:08 pm
by RobertGonzalez
The safest way would be to not allow users to tell your application which page to include directly.

Posted: Mon Oct 08, 2007 3:09 pm
by s.dot
A much more elegant solution would use file_exists() on the include file. An even more elegant solution wouldn't pass the filename via $_GET, but instead perhaps a number which indicates a specific file.
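The approach RobertGonzalez and s.dot describe, where the request carries only a key or a number and the script's own table decides which file that means, as an added example that is not part of the original thread. The page keys, the file names, the template/hhi directory and the function name page_file_for are all assumptions for illustration.

```php
<?php
// Added example, not code from this thread. It follows RobertGonzalez's and s.dot's advice: the
// request carries only a key (a word or a number), and the table below decides which file that
// key means. Page keys, file names and the template/hhi directory are assumptions for illustration.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/template/hhi';

// The only files this script will ever include. Anything not listed here is refused.
const PAGES = [
    'main'    => 'main.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function page_file_for($selection): string
{
    // A numeric selection (?a=1) is an index into the table, so no file name is ever typed by the user.
    if (is_string($selection) && ctype_digit($selection)) {
        $keys = array_keys(PAGES);
        $selection = $keys[(int) $selection] ?? 'main';
    }
    // Arrays (?a[]=x), unknown keys and empty values all fall back to the default page.
    if (!is_string($selection) || !array_key_exists($selection, PAGES)) {
        $selection = 'main';
    }
    return PAGE_DIR . '/' . PAGES[$selection];
}

include page_file_for($_GET['a'] ?? 'main');
```

Because the value from $_GET is only ever used as a lookup key, no part of it reaches include(), so "../", "/" and "http://" values cannot change which file is loaded; they simply miss the table and land on the default page. A file_exists() check is still useful as a sanity test for a misconfigured table, but it is no longer what keeps the include inside the intended directory.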