Posted: Fri Feb 17, 2006 4:30 pm
by mickd
matthijs wrote: About the includes. What about using a whitelist approach:
Code:
// Define our array of allowed $_GET values
$pass = array('intro', 'bluetruck', 'redhouse', 'brownbear');
// If there is no $_GET['id'] defined, then serve the homepage
// (checked first so the lookup below never touches an undefined index):
if (!isset($_GET['id'])) {
    include ($_SERVER['DOCUMENT_ROOT'] . '/inc/intro.php');
}
// If the page is allowed, include it (strict comparison, so only an exact string match passes):
elseif (in_array($_GET['id'], $pass, true)) {
    include ($_SERVER['DOCUMENT_ROOT'] . '/inc/' . $_GET['id'] . '.php');
}
// If the page is not allowed, send them to an error page:
else {
    // This sends the 404 header
    header("HTTP/1.0 404 Not Found");
    // This includes the error page
    include ($_SERVER['DOCUMENT_ROOT'] . '/inc/error.php');
}
This is from
http://www.digital-web.com/articles/easypeasy_php_2/
With that you can also use readdir and put all the files in the array, so that you can easily add files you would like users to have access to into the directory being read. (Strip `.` and `..` out too, as they allow the user to go one directory up.)
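The readdir variant described above, written out as an added example (not code from the thread or the linked article): the allow-list is harvested from the include directory itself, `.` and `..` are dropped, and the request value is only ever used in a path after an exact match. It assumes page includes live in `/inc/` under `DOCUMENT_ROOT` and are named `<id>.php`; `resolve_page` and `allowed_pages` are names chosen here.

```php
<?php
// Added example, not from the thread. Assumed layout: DOCUMENT_ROOT/inc/<id>.php,
// with intro.php as the homepage and error.php as the 404 page.

function allowed_pages(string $dir): array
{
    $pages = [];
    $dh = opendir($dir);
    if ($dh === false) {
        return $pages;
    }
    while (($entry = readdir($dh)) !== false) {
        // Drop '.' and '..' (they would let a request climb out of /inc/),
        // plus anything that is not a regular .php file
        if ($entry === '.' || $entry === '..') continue;
        if (!is_file($dir . '/' . $entry)) continue;
        if (substr($entry, -4) !== '.php') continue;
        $pages[] = substr($entry, 0, -4);
    }
    closedir($dh);
    // error.php is served by the dispatcher, never addressable by id
    return array_values(array_diff($pages, ['error']));
}

function resolve_page(?string $id, array $allowed): array
{
    // Returns [HTTP status, filename]. Missing id -> homepage; unknown id -> 404.
    if ($id === null || $id === '') {
        return [200, 'intro.php'];
    }
    // Strict comparison: no type juggling, and $id only reaches the path
    // if it equals an entry taken from the directory listing. A value such as
    // "../../etc/passwd" or "http://example.invalid/cmd.php" can never match.
    if (in_array($id, $allowed, true)) {
        return [200, $id . '.php'];
    }
    return [404, 'error.php'];
}

$incDir  = $_SERVER['DOCUMENT_ROOT'] . '/inc';
$allowed = allowed_pages($incDir);

// id[]=x arrives as an array; treat anything that is not a string as absent
$requested = isset($_GET['id']) && is_string($_GET['id']) ? $_GET['id'] : null;
[$status, $file] = resolve_page($requested, $allowed);

if ($status === 404) {
    header('HTTP/1.0 404 Not Found');
}
include $incDir . '/' . $file;
```

One caveat with the readdir approach: any .php file that lands in /inc/ becomes reachable by id, so the directory must not be writable by the web server or by an upload feature.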
Posted: Fri Feb 17, 2006 5:06 pm
by Christopher
matthijs' code looks a lot like a Front Controller. Using a Front Controller is a very common solution with a bunch of benefits -- especially eliminating duplicate code. I saw a poll a while back of a group of more advanced PHP programmers and around 2/3 of them were using a Front Controller.
I posted a simple example here that shows the basics:
viewtopic.php?t=43935&postdays=0&postorder=asc&start=14
You would need to go OOP in your include files to make them into action classes. For example bluetruck.php would contain:
Code:
class bluetruck {
    function execute() {
        // code goes here
    }
}
Posted: Sat Feb 18, 2006 5:26 am
by AGISB
Another question is if it is a Linux/Unix server or running on Windows. The Windows server 'loopholes' are frequently explored by hackers. So if it is on a Windows machine the chance of a server problem is higher. If it is a Linux/Unix machine a script code problem is much more likely.
Of course that is only a statement based on the percentages of hacks on those machines.
Posted: Mon Feb 20, 2006 8:31 am
by Maugrim_The_Reaper
There are servers running Windows? When did that catastrophe take place?

Exactly how
Posted: Thu Feb 23, 2006 1:35 pm
by JoeLucky39
Checking through the logs I was able to find that someone accessed my site with the cont variable set to
Http://1nf3ct0r.nm.ru/hac/cmd.php
So thanks everyone. That is exactly what happened. I have to guard my url variables.
Thanks to everyone with your help on this. I really appreciate it.
Joe
Posted: Sun Feb 26, 2006 8:37 pm
by d_d
Perhaps you should tell your host if you have not already. Loading includes via HTTP is perhaps something they should disable on a shared host. I can't think of many legitimate uses for it.
http://uk.php.net/manual/en/ref.filesys ... -url-fopen
Unfortunately it looks like turning it off affects all the fopen functions that can read from HTTP. Not the best design IMO.
Posted: Mon Feb 27, 2006 2:56 am
by Maugrim_The_Reaper
It's a variable - just a simple check would have spotted it. I assume that's what JoeLucky will be looking into after the discussion in this topic.