PHP error or just my error

PHP error or just my error

Posted by: matta
Posted on: 2009-05-31 13:38:00

<?php
if (isset($_GET['page']) && file_exists("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php")) {
include("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php");
} else {
include("{$_SERVER['DOCUMENT_ROOT']}/includes/sorry.php");
}
?>

Either I'm forgetting a line or just completely forgetting something. index.php is my main page and I was wanting some welcoming text. Well, of course when they click a link it will point to the file and pull it up, but say the file doesn't exist, then it will pop up the sorry.php page. Hope I made it clear enough.

Matta

EDIT: Easier way... I had it as home.php, but I didn't want someone clicking a link when it was bad and taking them back home. I'd rather have a page explaining either the page didn't exist or something else was wrong.

Edited by matta on 05/31/09 01:44 PM (server time).

Re: PHP error or just my error

Posted by: sXi
Posted on: 2009-05-31 17:04:00

Remove the {braces} from the path arguments.




How To Install PHP.INI / ionCube on DreamHost

Re: PHP error or just my error

Posted by: matta
Posted on: 2009-05-31 17:31:00

what will that do?

Matta

Re: PHP error or just my error

Posted by: Atropos7
Posted on: 2009-05-31 18:57:00

In reply to:

<?php
if (isset($_GET['page']) && file_exists("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php")) {
include("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php");
} else {
include("{$_SERVER['DOCUMENT_ROOT']}/includes/sorry.php");
}
?>


I don't think using code like that is a good idea. Tell me what you think will happen if one visits the URL index.php?page=../index ? Or index.php?page=../secrets/passwords.txt ?

When using input that is linked to using a system resource, it is best to compare the input to a known list of acceptable values; otherwise, if you aren't careful, you will introduce a vulnerability that can be exploited.

You probably need me to point this out. One thing you can do is retrieve a list of all the PHP scripts in the includes directory first, and check to see if the input is in the list. Or you can just hardcode a list into the script (which would be better). Or you can learn more about file pathname operations and figure out how to make sure the file you are opening is in a particular directory.


cool openvein.org -//-
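The third option Atropos7 lists, making sure the file being opened really sits inside the includes directory, looks like this in PHP. This is an added example and not code from the thread; the include directory path and the page name format are assumptions for the example. The original snippet only asks file_exists(), so page=../index passes the check and includes /includes/../index.php, which is index.php itself. Canonicalising the candidate with realpath() and then requiring the result to start with the includes directory closes that hole, and because realpath() also resolves symlinks, a link inside includes/ that points outside is rejected too.

```php
<?php
// Added example (not from the thread): confine an include to one directory.
// Assumed for this example: pages live directly under <DOCUMENT_ROOT>/includes
// and are named <page>.php; sorry.php is the fallback, as in the original post.

function resolve_page(string $includeDir, string $page): ?string
{
    // Canonical form of the directory we are willing to include from.
    $base = realpath($includeDir);
    if ($base === false) {
        return null; // includes directory does not exist
    }

    // A NUL byte would make realpath() warn (PHP 7) or throw (PHP 8); reject it early.
    if ($page === '' || strpos($page, "\0") !== false) {
        return null;
    }

    // Canonicalise the requested file. "../" segments and symlinks are resolved
    // here, so whatever comes back is the real on-disk path that include would use.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $page . '.php');
    if ($candidate === false) {
        return null; // file does not exist
    }

    // The resolved path must start with "<base>/" (separator included, so that a
    // sibling directory such as "includes-private" is not accepted by a bare
    // prefix match). Anything else escaped the directory and is refused.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $candidate;
}

$includeDir = $_SERVER['DOCUMENT_ROOT'] . '/includes';

// $_GET['page'] can also arrive as an array (?page[]=x); only accept a string.
$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : '';
$file = resolve_page($includeDir, $requested);

if ($file === null) {
    // Tell clients and crawlers that this is really a missing page.
    http_response_code(404);
    $file = $includeDir . '/sorry.php';
}

include $file;
```

With this in place, ?page=welcome resolves to /includes/welcome.php as before, while ?page=../index, ?page=../secrets/passwords.txt and ?page=../../etc/passwd all come back from resolve_page() as null and land on sorry.php. The check still relies on the attacker not being able to write a .php file into includes/ itself; if that directory is writable by the web server, the allowlist approach is the safer choice.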

Re: PHP error or just my error

Posted by: matta
Posted on: 2009-05-31 19:02:00

I'm not quite following you. Someone posted that a while back to use to keep people from trying to get somewhere else when they aren't supposed to.

So what do you suggest then?

Matta

Re: PHP error or just my error

Posted by: Atropos7
Posted on: 2009-05-31 20:04:00

In reply to:

I'm not quite following you. Someone posted that a while back to use to keep people from trying to get somewhere else when they aren't suppose to.



And it is flawed.

For example visit this URL:

http://www.mattaproductions.com/includes/../images/banner.jpg

Now you didn't put banner.jpg in the includes directory did you? Click on that link then see what the browser does to the URL.

But this "trick" isn't really a trick, every developer should know not only why it works but also how it affects the security of their applications and computer systems. This doesn't just happen with URLs, it happens with paths in using files and directories.


cool openvein.org -//-

Re: PHP error or just my error

Posted by: matta
Posted on: 2009-05-31 20:16:00

Nice. So what are you suggesting then? Do I need to change the PHP script? If I do, then to what, since I thought someone was helping me out? It should be posted somewhere around here on the forums.

What can I do to prevent that and improve security?

Thanks very much though

Matta

Re: PHP error or just my error

Posted by: pangea33
Posted on: 2009-06-02 20:44:00

I will withhold most of my commentary on the risks of executing any file that is passed as a URL argument, but I'll say a couple things. I agree that it is indeed risky, and I would suggest implementing a switch statement so that only certain files can be executed based on predetermined values that you decide are permissible.

If you have so many files that this is not feasible, perhaps you should step back and reconsider what you're trying to accomplish. It would seem to me that you'd be duplicating a lot of repetitive code like header and footer files.

With that out of the way I'll go on to say that what you're describing seems to me like a simple 404 page. You want to show a certain page when the requested document is unavailable. This is easily accomplished by putting a couple things in a .htaccess file. You could try something like this:

******
<Files .htaccess>
order allow,deny
deny from all
</Files>

ErrorDocument 400 /error.php
ErrorDocument 401 /error.php
ErrorDocument 403 /error.php
ErrorDocument 404 /sorry.php
ErrorDocument 500 /error.php
******
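The switch-based allowlist pangea33 describes, written out as a replacement for the original include block. This is an added example, not code posted in the thread; the page names in the case labels and the error.php fallback from the .htaccess above are assumptions for the example. The request value is never used to build a path unless it exactly matches one of the listed names, so there is no path to traverse.

```php
<?php
// Added example (not from the thread): only pages named in the switch can be
// included. Assumed layout: <DOCUMENT_ROOT>/includes/<page>.php, with sorry.php
// for unknown pages and error.php for server-side problems.

$includeDir = $_SERVER['DOCUMENT_ROOT'] . '/includes';

// Default to the welcome text when no page is requested; treat anything that is
// not a plain string (for example ?page[]=x) as an unknown page.
$page = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'welcome';

switch ($page) {
    // Hypothetical page names: one case per file you are willing to serve.
    case 'welcome':
    case 'about':
    case 'gallery':
    case 'contact':
        $file = $includeDir . '/' . $page . '.php';
        break;

    default:
        // Unknown or tampered name: explain that the page does not exist and
        // send a real 404 status so links and crawlers learn it is gone.
        http_response_code(404);
        $file = $includeDir . '/sorry.php';
        break;
}

if (!is_file($file)) {
    // A listed page that is missing on disk is a deployment mistake, not a bad
    // link from the visitor, so report it as a server error rather than a 404.
    http_response_code(500);
    $file = $includeDir . '/error.php';
}

include $file;
```

Adding a page means adding a case label and the file; nothing a visitor types can reach any other file. If the list grows long enough that the switch becomes unwieldy, an array of allowed names with in_array($page, $allowed, true) does the same job, and pangea33's point stands: at that size it is worth asking whether the per-page files are repeating header and footer code that belongs in one shared template.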