Secure Enough?

riley
Forum Commoner
Posts: 45
Joined: Thu May 02, 2002 6:31 pm

Post by riley »

If I have a template that uses a URL like

http://../template.php?page=newpage.php

is checking to ensure the file exists secure enough to stop harmful hacking to the server?

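Code:

if ( !isset( $_GET['page'] ) ) {
    $page = 'home.php';
} else {
    $page = $_GET['page']; // value taken from the URL unchanged
}

// The only check made: does the requested file exist?
if ( file_exists( $page ) ) {
    // webstuff here
} else {
    echo "NOT Allowed";
}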
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

What about
http://../template.php?page=.htpasswd
or
http://../template.php?page=.%2Fsecret%2Fcert.key
?
riley
Forum Commoner
Posts: 45
Joined: Thu May 02, 2002 6:31 pm

Post by riley »

Well I don't know!

I did try the two examples and nothing was returned to the browser. What should I have expected?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Those were only examples.
Without further checks the user might get any file the script has access to.
The second evaluates to ./secret/cert.key; I doubt you would be too happy if the user sees that file, if it exists ;)
[]InTeR[]
Forum Regular
Posts: 416
Joined: Thu Apr 24, 2003 6:51 am
Location: The Netherlands

Post by []InTeR[] »

To keep this from happening I:
- always add an extension.
- and don't allow slashes, backslashes and dots.
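
The two rules from the last reply, combined with a check that the resolved path stays inside one directory, as an added example that is not part of any post in this thread. The function name resolve_page and the "pages" directory are assumptions made for the illustration.

```php
<?php
// Added example (hypothetical helper, not code from the thread).
// Assumes the page templates live in a "pages" directory next to this script.
const PAGE_DIR = __DIR__ . '/pages';

/**
 * Map the ?page= value to a file inside PAGE_DIR.
 * Returns the absolute path, or null when the request must be refused.
 */
function resolve_page($requested): ?string
{
    if ($requested === null) {
        $requested = 'home';            // same default as the original script
    }

    // "Don't allow slashes, backslashes and dots": accept only a short
    // allowlist of characters. PHP has already URL-decoded $_GET, so
    // .%2Fsecret%2Fcert.key arrives here as ./secret/cert.key and fails.
    // is_string() also refuses array input such as ?page[]=x.
    if (!is_string($requested)
        || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    // "Always add an extension": the script chooses it, never the user.
    $candidate = PAGE_DIR . '/' . $requested . '.php';

    // Defence in depth: resolve symlinks, then confirm the result is
    // still located under PAGE_DIR. realpath() is false if the file is missing.
    $real = realpath($candidate);
    $base = realpath(PAGE_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Usage in template.php: ?page=newpage loads pages/newpage.php, while
// ?page=.htpasswd, ?page=./secret/cert.key and ?page=newpage.php are refused.
$file = resolve_page($_GET['page'] ?? null);
if ($file === null) {
    http_response_code(404);
    echo "NOT Allowed";
} else {
    include $file;
}
```

With this scheme links pass the page name without its extension (template.php?page=newpage), and file_exists() alone is no longer what decides access.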