with that you can also use readdir and put all the files in the array so that you can easily add files you would like users to have access to into the directory read. (strip `.` and `..` out too as they allow the user to go one directory up)
matthijs wrote:
About the includes. What about using a whitelist approach:
This is from http://www.digital-web.com/articles/easypeasy_php_2/
Code: Select all
// Define our array of allowed $_GET values
$pass = array('intro', 'bluetruck', 'redhouse', 'brownbear');

// If there is no $_GET['id'] defined, then serve the homepage
// (checked first, so in_array() is never called on an undefined index):
if (!isset($_GET['id'])) {
    include($_SERVER['DOCUMENT_ROOT'] . '/inc/intro.php');
}
// If the page is allowed, include it (strict comparison, so only an exact string match passes):
elseif (in_array($_GET['id'], $pass, true)) {
    include($_SERVER['DOCUMENT_ROOT'] . '/inc/' . $_GET['id'] . '.php');
}
// If the page is not allowed, send them to an error page:
else {
    // This sends the 404 header
    header("HTTP/1.0 404 Not Found");
    // This includes the error page
    include($_SERVER['DOCUMENT_ROOT'] . '/inc/error.php');
}
Help me I'm sinking!
Moderator: General Moderators
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
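Putting the readdir suggestion and the whitelist snippet above together, as an added example that is not code from the thread or from digital-web.com: the allow-list is read off the include directory itself, `.` and `..` are dropped, and the request value is only ever compared against that list, never used to build a path. The directory layout (/inc/intro.php, /inc/error.php, and so on) is assumed for the example.

```php
<?php
// Added example, not from the original thread. Assumes the page files live in
// /inc under DOCUMENT_ROOT and that intro.php and error.php exist there.
$incDir = $_SERVER['DOCUMENT_ROOT'] . '/inc';

// Build the allow-list from what is actually on disk: every plain *.php file in
// the directory becomes a page name. Adding a page means dropping in a file.
function allowedPages(string $dir): array
{
    $pages = [];
    $dh = opendir($dir);
    if ($dh === false) {
        return $pages;
    }
    while (($entry = readdir($dh)) !== false) {
        // readdir() also returns '.' and '..'; drop them so no entry on the
        // list can refer to the parent directory.
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (substr($entry, -4) !== '.php' || !is_file("$dir/$entry")) {
            continue;
        }
        $pages[] = substr($entry, 0, -4);   // 'bluetruck.php' -> 'bluetruck'
    }
    closedir($dh);
    return $pages;
}

// Map the request value onto a page name, or null when it is not allowed.
// Strict comparison means a URL, a path, or a type-juggled value like "0"
// can never match: the only way in is an exact name that we read from disk.
function resolvePage(?string $id, array $allowed): ?string
{
    if ($id === null) {
        return 'intro';                    // no id at all: serve the homepage
    }
    return in_array($id, $allowed, true) ? $id : null;
}

$page = resolvePage($_GET['id'] ?? null, allowedPages($incDir));
if ($page === null) {
    header('HTTP/1.0 404 Not Found');
    $page = 'error';
}
// The path is built from a name we obtained ourselves, never from the request.
include "$incDir/$page.php";
```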
matthijs' code looks a lot like a Front Controller. Using a Front Controller is a very common solution with a bunch of benefits -- especially eliminating duplicate code. I saw a poll a while back of a group of more advanced PHP programmers and around 2/3 of them were using a Front Controller.
I posted a simple example here that shows the basics:
viewtopic.php?t=43935&postdays=0&postorder=asc&start=14
You would need to go OOP in your include files to make them into action classes. For example bluetruck.php would contain:
Code: Select all
class bluetruck {
    function execute() {
        // code goes here
    }
}
Another question is if it is a Linux/Unix server or running on Windows. The Windows server 'loopholes' are frequently explored by hackers. So if it is on a Windows machine the chance of a server problem is higher. If it is a Linux/Unix machine a script code problem is much more likely.
Of course that is only a statement done by the percentages of hacks on those machines.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
JoeLucky39
- Forum Newbie
- Posts: 8
- Joined: Fri Feb 17, 2006 8:28 am
- Location: Florida
Exactly how
Checking through the logs I was able to find that someone accessed my site with the cont variable set to Http://1nf3ct0r.nm.ru/hac/cmd.php
So thanks everyone. That is exactly what happened. I have to guard my url variables.
Thanks to everyone with your help on this. I really appreciate it.
Joe
Perhaps you should tell your host if you have not already. Loading includes via http is perhaps something they should disable on a shared host. I can't think of many legitimate uses for it.
http://uk.php.net/manual/en/ref.filesys ... -url-fopen
Unfortunately it looks like turning it off affects all the fopen functions that can read from http. Not the best design IMO.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland