main.php?page= error

  1. Hi

    I've just started using php, and so have installed apache and php onto my computer.

    I've just written a script and 2 html pages, very simple, that quickly say:

    index.html

    <html>
    <a href=main.php?page=home.html>link to php</a>
    </html>

    home.html

    <html>
    home
    </html>

    main.php

    <?
    include ("$page");
    ?>

    -------------------------------------

    Now when I link to index.html all is fine and I can click on the link to main.php?page=home.html, but when it comes to load this page I get this message instead of the simple "home" I want so much to appear on my screen!

    Warning: main(): Failed opening '' for inclusion (include_path='.;c:\php4\pear') in c:\phptest\main.php on line 2

    Can anyone see what's going on here? Because I can't seem to get this to work!

    Thanks a lot

    Andy Burton

    (ozan, Pakistan)

  2. Well I think I'm ok, I've filtered the name of the page being included so there's not "main.php?page=http://evilwebsite.com/hack.php" and all my scripts will just spit out errors if you manually type in the url when you shouldn't have.

    (ebru, Greece)

  3. Quote:

    Originally Posted by shad0w
    Wouldn't everyone have access to all the pages by typing in the url manually anyway? So there's really no way to keep people from running/viewing a file.

    I think the best way to answer this is to suggest you do a search on some of the threads that have covered building secure sites, etc.

    You'd need to use a mix of hard-to-guess filenames, protected include directories, CHMOD and input validation just to name a few options; but you really only need to worry about this stuff at certain points where it matters, which you'd need to determine by analyzing your site design. If it won't break your program (site) and you don't care if they include files manually then don't worry about it. But if you have sensitive data, or visitors could include a file meant to be stand-alone or that includes sql stuffs then you may have a security concern there. See what I mean? You've just got to be smart about how you build things.

    ( hakan canım benim , Chad)

  4. Yeah, but all the files have some kind of functionality and most to all will be included into another page so they would have to be readable.

    (Halil, Kenya)

  5. lol. CHMOD?

    (murat, Niue)

  6. Wouldn't everyone have access to all the pages by typing in the url manually anyway? So there's really no way to keep people from running/viewing a file.

    (ufuk , Mauritania)

  7. [php]
    <?php
    $goodPages = array( 'home', 'error', 'contact');

    if( in_array( $_GET['page'], $goodPages)) {
    include( $_GET['page'].".html" );
    }
    else {
    echo 'Invalid request.';
    }
    ?>
    [/php]

    Right, I get that, but I don't understand what shadow means by:

    PHP Code:

    Does anyone know how to make it completely secure without using a switch conditional?

    thanks guys ;)

    Andy Burton

    (kızlar yeter artık, Sudan)

  8. It may be somewhat safer (and easier to maintain too) if you specify a list of filenames that you'd allow access to:
    PHP Code:

    <?php
    $goodPages = array( 'home', 'error', 'contact');

    if( in_array( $_GET['page'], $goodPages)) {
      include( $_GET['page'].".html");
    }
    else {
      echo 'Invalid request.';
    }
    ?>


    (BAHADIR, Holy See (Vatican City State))
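
Added example, not part of the original thread or any poster's code: the allow-list approach from the post above, taken further than the post shows with a key-to-file map, rejection of non-string input, and a `realpath` check that the file sits inside a dedicated pages directory. `resolve_page()`, `GOOD_PAGES` and the directory layout are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the thread. resolve_page() and the pages
// directory layout are hypothetical; the page keys come from the post above.

// Allow-list: request key => file name chosen by the developer, never the client.
const GOOD_PAGES = [
    'home'    => 'home.html',
    'error'   => 'error.html',
    'contact' => 'contact.html',
];

// Return the absolute path to include for a requested page, or null to refuse.
function resolve_page($requested, string $baseDir): ?string
{
    // ?page[]=x arrives as an array and a missing parameter as null: refuse both.
    if (!is_string($requested) || !array_key_exists($requested, GOOD_PAGES)) {
        return null;
    }
    // Defence in depth: the mapped file must exist and sit inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . GOOD_PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// In main.php the call would be:
//   $file = resolve_page($_GET['page'] ?? null, __DIR__ . '/pages');
//   if ($file !== null) { include $file; } else { echo 'Invalid request.'; }

// Demo with constructed inputs and a throwaway pages directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($dir);
foreach (GOOD_PAGES as $name) {
    file_put_contents($dir . DIRECTORY_SEPARATOR . $name, "<html>$name</html>");
}
$samples = ['home', 'contact', 'home.html', '../main',
            'http://evilwebsite.com/hack.php', ['home'], null];
foreach ($samples as $s) {
    $label  = is_string($s) ? $s : gettype($s);
    $result = resolve_page($s, $dir);
    printf("%-33s => %s\n", $label, $result === null ? 'Invalid request.' : basename($result));
}
array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*.html'));
rmdir($dir);
```

Only `home` and `contact` resolve to a file; every other sample, including the remote URL and the array form, gets "Invalid request." because the client value is used only as a lookup key and never as part of a path.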

  9. Well, obfuscating the code by using a variable other than "page" would be a start, but it's still not very secure. There are better methods, but I'm not near my references, so I'm not as helpful as I would like to be...

    (korhan, Norway)

    It's better, but I'd strip out any nasty characters as well. Does anyone know how to make it completely secure without using a switch conditional?

    (ömer, Tokelau)

    Right, so this would be better?

    PHP Code:

    <?php

    if ($_GET['page'] == "home") {
        include $_GET['page'].".html";
    } else {
        echo "no file found";
    }

    ?>

    and have a link to this with page=home in it instead?

    thanks :)

    (berna, Egypt)

  12. Quote:

    Originally Posted by sonic_2k_uk
    So how does the $_GET['page']; make it so that you cant open any files that could be potentially dangerous?

    It is not $_GET that's making the potential problem, but the fact that you're allowing anyone to include every single file on your server from the main.php file by passing its name as a param...

    stay good

    (Yusa, Lebanon)

    lol.. what took you about 10 seconds took me an hour :| I'm so glad I already know AS to make up for the fact I'm crap at php lol.. thanks a lot, and yeah, I had no idea about that.. lucky that I'm on a secure computer not hosting my own servers, hey?! :)

    So how does the $_GET['page']; make it so that you can't open any files that could be potentially dangerous?

    Thanks a lot for your help.

    Andy Burton

    (damla, Ukraine)

  14. PHP Code:

    <?php
    include $_GET['page'];
    ?>

    Just a warning though, what you're doing is extremely dangerous. I could include every file in your account, like some password files.

    (doğancan, Iceland)

  15. That's a pretty good example of input validation. I think that covers all the bases for this particular "security concern". So you just examine them as they come up, and once you're accustomed to the various places to worry about it you'll be designing and coding with it in mind from the first.

    (bekir, Pitcairn)


