PHP Developers Network
http://forums.devnetwork.net/

Proper Includes via $_GET
http://forums.devnetwork.net/viewtopic.php?f=34&t=36850
Page 1 of 4

Author:  nthitz [ Fri Aug 12, 2005 5:25 pm ]
Post subject:  Proper Includes via $_GET

Alright, for templating systems that use an index to display multiple pages via $_GET['page'] or whatnot, we've all learned not to do just
include($_GET['page']);

Naturally we'd want some kind of validation to make sure that $_GET['page'] isn't anything deadly. However, I began wondering about cross-server includes a while back and the huge problem they could cause. Last night I tried it out; I'll give an example of what I did on my server (domain.com being a different site).
include('http://www.domain.com/phpbb/config.php');
echo $dbhost.$dbname.$dbuser.$dbpasswd;


I expected the database info for the site but no dice. Is it because I am including a file from a different server? Then why all the problems with the above template system?

Author:  Ambush Commander [ Fri Aug 12, 2005 6:23 pm ]
Post subject: 


Author:  nthitz [ Sat Aug 13, 2005 12:15 am ]
Post subject: 

Wow.
I'm dumb. Thanks for the tip. And no I'm not a n00b. just a stupid question :D

Author:  onion2k [ Sat Aug 13, 2005 3:40 am ]
Post subject: 

In general, unless I'm going to have millions of different include files, I use a switch case:

switch ($_GET['file']) {
    case "index": include("index.inc.php"); break;
    case "file1": include("file1.inc.php"); break;
    case "file2": include("file2.inc.php"); break;
    case "file3": include("file3.inc.php"); break;
    default: include("index.inc.php"); break;
}


That completely eliminates the possibility of anyone tricking my code into including something I don't want it to.

Author:  theda [ Sat Aug 13, 2005 8:11 am ]
Post subject: 

Onion, a much simpler way would be to use an array, wouldn't it?
// List of files that may be included; only an exact match is accepted
$arra = array('file1.php','file2.php','file3.php','file4.php');

if (in_array($_GET['id'], $arra)) {
   include $_GET['id'];
} else {
   exit;
}


Edit: Deprecate your life -_-; <- For Roja. :P

Author:  Todd_Z [ Sat Aug 13, 2005 9:34 am ]
Post subject: 

How I do it is I have a folder of safe include pages, with subfolders within that.

// The original used both "/absolutepath/Pages" and "/absopath/Pages"; one root is used here
$pagesDir = "/absopath/Pages";

if ( !isset( $_GET['p'] ) )
  $_GET['p'] = "Main";
else if ( is_file("$pagesDir/LoggedIn/{$_GET['p']}.php") ) {
  // Pages under LoggedIn/ require a session
  if ( isset($_SESSION['id']) )
    $_GET['p'] = "/LoggedIn/{$_GET['p']}";
  else {
    errorBox( "You must be logged in to view this page." );
    unset( $_GET['p'] );
  }
} else if ( is_file("$pagesDir/Landing/{$_GET['p']}.php") )
  $_GET['p'] = "/Landing/{$_GET['p']}";
else if ( !is_file("$pagesDir/{$_GET['p']}.php") )
  $_GET['p'] = "Error";

// Note: nothing here rejects ".." segments in $_GET['p'], so the is_file()
// checks alone do not confine the include to the folders above.
if ( isset($_GET['p']) ) include "$pagesDir/{$_GET['p']}.php";


Looks a little messy, but it works really well, never had any problems. If the $_GET['p'] page isn't in the folders you specify, it will never get included. Hackers got nothin on me.

Author:  nielsene [ Sat Aug 13, 2005 10:03 am ]
Post subject: 


Author:  Roja [ Sat Aug 13, 2005 10:37 am ]
Post subject: 


Author:  Todd_Z [ Sat Aug 13, 2005 11:17 am ]
Post subject: 


Author:  Roja [ Sat Aug 13, 2005 11:40 am ]
Post subject: 


Author:  Todd_Z [ Sat Aug 13, 2005 11:50 am ]
Post subject: 

Explain to me how, if I am including "/home/blah/public_html/{$_GET['p']}/", a hacker could view files above the public_html folder? If you tried to include "/home/blah/public_html/../../index.php", you would get an error for the file not being found.

Author:  Roja [ Sat Aug 13, 2005 11:53 am ]
Post subject: 


Author:  josh [ Sat Aug 13, 2005 12:21 pm ]
Post subject: 

Having an include folder and doing this:
include("/direct/path/includes/" . basename($_GET['p']));

would probably be the "easiest" way to do this. I personally never include anything from user input; I opt to store my content in the database.
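Pulling together the allowlist idea from onion2k and theda and the directory check from Todd_Z, here is an added example (not code from any poster in this thread) that maps the request value through a fixed table and then confirms the resolved path is still inside the page directory; PAGES_DIR and the page names are assumptions for the sake of the example.

```php
<?php
// Added example (not from any post in this thread): map the page name from
// $_GET onto an allowlist, then confirm the resolved path is still inside the
// include directory before including it. PAGES_DIR is an assumed location.
define('PAGES_DIR', '/var/www/example/pages');

// URL value => file name. Nothing outside this map is ever considered, so
// "../", "http://" or other odd input never reaches include.
$allowed_pages = array(
    'index'   => 'index.inc.php',
    'about'   => 'about.inc.php',
    'contact' => 'contact.inc.php',
);

/**
 * Return the absolute path of the file for $page, or null when $page is not
 * on the allowlist or the file does not resolve to a regular file under
 * PAGES_DIR.
 */
function resolve_page($page, array $allowed_pages)
{
    // is_string() rejects arrays passed as ?page[]=x; isset() rejects any
    // key that is not in the map.
    if (!is_string($page) || !isset($allowed_pages[$page])) {
        return null;
    }
    $real_dir  = realpath(PAGES_DIR);
    $real_file = realpath(PAGES_DIR . '/' . $allowed_pages[$page]);

    // Defence in depth: even a mapped name must resolve beneath PAGES_DIR
    // (a stray symlink or a bad map entry could otherwise point elsewhere).
    if ($real_dir === false || $real_file === false
        || strpos($real_file, $real_dir . DIRECTORY_SEPARATOR) !== 0
        || !is_file($real_file)) {
        return null;
    }
    return $real_file;
}

$page = isset($_GET['page']) ? $_GET['page'] : 'index';
$file = resolve_page($page, $allowed_pages);
if ($file === null) {
    // Unknown page: fall back to a known-safe default rather than echoing
    // the request value back in an error message.
    $file = resolve_page('index', $allowed_pages);
}
if ($file !== null) {
    include $file;
}
```

Because the include path is taken from the table rather than from the request, the realpath() check only matters if the directory itself is misconfigured, which is exactly the kind of mistake it is there to catch.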

Author:  nthitz [ Sat Aug 13, 2005 5:51 pm ]
Post subject: 

The way I usually do it is to check for a protocol name in $_GET['page'], so if it has http in it, no dice.

Author:  nielsene [ Sat Aug 13, 2005 8:36 pm ]
Post subject: 


Page 1 of 4 All times are UTC - 5 hours