I had first tried a less active PHP group, but let me try here.
I searched for this, but didn't find anything that appeared related.
Possibly I didn't know what to search for.
I am designing a web application using PHP, to which I am relatively
new. I have seen some sites use the model whereby a single index page
is created that handles authentication and receives option parameters
telling the index what to load in the body of the page. For example,
one could pass $page=AccountIn dex.php to tell the index to include the
account index page using:
require_once $page;
And the link to get there would look like:
<a href="<?=$_SERV ER['PHP_SELF']?>?page=Account Index.php">Acco unt
Index</a>
Alternatively, the link could actually refer to a different page
(e.g., <a href="./AccountIndex.ph p">Account Index</a>) and that could
be loaded using its own authentication and receive its own parameters.
I hope this is sufficiently clear.
The questions are:
Can anyone provide opinions on advantages/disadvantages to each of
these models?
Can anyone provide the correct terminology to discuss these ideas so
that I can look for more, relevant resources.
Thank you,
Mike 13 2025
Hi Mike I am designing a web application using PHP, to which I am relatively new. I have seen some sites use the model whereby a single index page is created that handles authentication and receives option parameters telling the index what to load in the body of the page. For example, one could pass $page=AccountIn dex.php to tell the index to include the account index page using: require_once $page;
And the link to get there would look like: <a href="<?=$_SERV ER['PHP_SELF']?>?page=Account Index.php">Acco unt Index</a>
What happens, if someone types into his browser: http://www.example.com/index.php?pag.../../etc/passwd ? He'll get all
users on your system, and if the passwords are not shadowed, he gets these
too. This will work with every file on your system, so desist using this
method without any further checkings.
I prefer the method of serializing my pages with a number, the nuber being
the primary key of my pages in a database. Of course this works also without
any database, just do the work with a 'case statement' or so...
Greetings, Greg
"Mike Sutton" <su*******@yaho o.com> wrote in message
news:7e******** *************** ***@posting.goo gle.com... The questions are: Can anyone provide opinions on advantages/disadvantages to each of these models? Can anyone provide the correct terminology to discuss these ideas so that I can look for more, relevant resources.
I was just talking about this in another thread. DON'T USE THE SINGLE ENTRY
POINT ARCHITECTURE! It offers no advantages at all, while its disadvantages
are numerous. First and foremost, this architecture is one of the leading
causes of security breach in PHP site. By setting $page to an Internet
address ( http://www.example.net/page=http://1...3.34/hack.txt), I can
run arbitrary code on your server. And I can bypass your authentication
scheme by simply typing in the address to the file that you're including
( http://www.example.net/AccountIndex.php).
People who use this kind of scheme, I dare say, don't have a strong
programming background. Those who have programmed in C/C++ or other
procedural languages know that you include a file to make additional
functionalities available, not to cause something to occur. Think about it,
when you use require() you're just stating the file is needed by the current
script.
The proper way to share code between script is to enclose it in functions,
keep these in an separate file, include it where it's needed, then call the
functions. Or for the sake of convinence, just include it in every script.
Here's an example setup: We have a file call global.php that's included into
every script. This file in turn, includes files with commonly used
functions.
global.php:
<?
require("../inc/auth.php");
require("../inc/interface.php") ;
require("../inc/db.php");
....
//error_reporting (E_ALL);
define(DEBUG, false);
?>
accountIndex.ph p:
<?
require("global .php");
RestrictAccess( );
PrintHeader("Ac counting");
PrintFooter();
?>
inc/auth.php
<?
function RestrictAccess( $level = 5) {
if(empty($_SESS ION["logged_$le vel"])) {
Redirect("login .php?level=$lev el");
}
}
?>
In this system, it's easy to have pages that require the user to log in and
others that do not. If you don't call RestrictAccess( ) then there's no
restriction. And it's easy to implement multi-level security. Just pass a
value to the function instead of employing the default if the page needs
extra security.
Gregor Favre wrote: Hi Mike
I am designing a web application using PHP, to which I am relatively new. I have seen some sites use the model whereby a single index page is created that handles authentication and receives option parameters telling the index what to load in the body of the page. For example, one could pass $page=AccountIn dex.php to tell the index to include the account index page using: require_onc e $page;
And the link to get there would look like: <a href="<?=$_SERV ER['PHP_SELF']?>?page=Account Index.php">Acco unt Index</a>
What happens, if someone types into his browser: http://www.example.com/index.php?pag.../../etc/passwd ? He'll get all users on your system, and if the passwords are not shadowed, he gets these too. This will work with every file on your system, so desist using this method without any further checkings.
I prefer the method of serializing my pages with a number, the nuber being the primary key of my pages in a database. Of course this works also without any database, just do the work with a 'case statement' or so...
Greetings, Greg
I agree with you Greg.. unless of course you are using OpenVMS
(DEC/Alpha RISC CPU), then you can try, but you won't get very far... :)
Michael Austin.
> What happens, if someone types into his browser: http://www.example.com/index.php?pag.../../etc/passwd ?
I hadn't addressed input validation as part of my question, but if a
user entered the string you proposed it would fail validation and they
would get a denied message.
Any other thoughts?
"Chung Leong" <ch***********@ hotmail.com> wrote in message
news:S7******** ************@co mcast.com... "Mike Sutton" <su*******@yaho o.com> wrote in message news:7e******** *************** ***@posting.goo gle.com... The questions are: Can anyone provide opinions on advantages/disadvantages to each of these models? Can anyone provide the correct terminology to discuss these ideas so that I can look for more, relevant resources. I was just talking about this in another thread. DON'T USE THE SINGLE
ENTRY POINT ARCHITECTURE! It offers no advantages at all, while its
disadvantages are numerous. First and foremost, this architecture is one of the leading causes of security breach in PHP site. By setting $page to an Internet address (http://www.example.net/page=http://1...3.34/hack.txt), I can run arbitrary code on your server. And I can bypass your authentication scheme by simply typing in the address to the file that you're including (http://www.example.net/AccountIndex.php).
People who use this kind of scheme, I dare say, don't have a strong programming background. Those who have programmed in C/C++ or other procedural languages know that you include a file to make additional functionalities available, not to cause something to occur. Think about
it, when you use require() you're just stating the file is needed by the
current script.
The proper way to share code between script is to enclose it in functions, keep these in an separate file, include it where it's needed, then call
the functions. Or for the sake of convinence, just include it in every
script.
A single entry point architecture is sometimes known as a Front Controller
as every request goes through a single page. I much prefer having a separate
URL for each page as it gives me all the control I need without any of the
security problems. Take a look at http://www.tonymarston.net/php-mysql...plication.html for a
description of a sample application which you can run online. There is also
a link to download all the code.
HTH.
--
Tony Marston http://www.tonymarston.net
"Mike Sutton" <su*******@yaho o.com> wrote in message
news:7e******** *************** ***@posting.goo gle.com... What happens, if someone types into his browser: http://www.example.com/index.php?pag.../../etc/passwd ?
I hadn't addressed input validation as part of my question, but if a user entered the string you proposed it would fail validation and they would get a denied message.
Only if you are smart enough to validate the entry. I've seen plenty of
sites that haven't been protected ;)
Most php programs follow the same pattern
authentication
validation of input
processing of data
display of output
The single point of entry system allows you to contain the first and last
elements in a single script, and only include the elements for data process
where needed. This should in theory provide a lower overhead in memory and
CPU cycles as you are only loading the programming libraries your script is
using.
In message <cb**********@s lavica.ukpost.c om>, CJ Llewellyn
<sa****@tmslife line.com> writes "Mike Sutton" <su*******@yaho o.com> wrote in message news:7e******* *************** ****@posting.go ogle.com... > What happens, if someone types into his browser: > http://www.example.com/index.php?pag.../../etc/passwd ? I hadn't addressed input validation as part of my question, but if a user entered the string you proposed it would fail validation and they would get a denied message.
Only if you are smart enough to validate the entry. I've seen plenty of sites that haven't been protected ;)
Yes.... Most php programs follow the same pattern
authenticati on validation of input processing of data display of output
So do lots of non-PHP programs in various ways. The single point of entry system allows you to contain the first and last elements in a single script, and only include the elements for data process where needed. This should in theory provide a lower overhead in memory and CPU cycles as you are only loading the programming libraries your script is using.
--
Five Cats
Email to: cats_spam at uk2 dot net
Regarding this well-known quote, often attributed to Five Cats's famous
"Sat, 26 Jun 2004 21:11:47 +0100" speech: In message <cb**********@s lavica.ukpost.c om>, CJ Llewellyn <sa****@tmslife line.com> writes"Mike Sutton" <su*******@yaho o.com> wrote in message news:7e****** *************** *****@posting.g oogle.com... > What happens, if someone types into his browser: > http://www.example.com/index.php?pag.../../etc/passwd ?
I hadn't addressed input validation as part of my question, but if a user entered the string you proposed it would fail validation and they would get a denied message.
Only if you are smart enough to validate the entry. I've seen plenty of sites that haven't been protected ;)
Yes....
Most php programs follow the same pattern
authenticatio n validation of input processing of data display of output
So do lots of non-PHP programs in various ways.
The single point of entry system allows you to contain the first and last elements in a single script, and only include the elements for data process where needed. This should in theory provide a lower overhead in memory and CPU cycles as you are only loading the programming libraries your script is using.
You'd get the same benefits, with more security, using common
header/footer/wrapper includes, though, wouldn't you?
--
-- Rudy Fleminger
-- sp@mmers.and.ev il.ones.will.bo w-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com
"Chung Leong" <ch***********@ hotmail.com> wrote in message news:<S7******* *************@c omcast.com>... [Y]ou include a file to make additional functionalities available, not to cause something to occur.
An excellent point, and one I hadn't considered despite the fact that
I would not do the same thing in other development environments.
Thank you. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: gigal |
last post by:
Currently, the class is defined as,
Class CarClass
{
EngineClass e;
SeatClass s;
CDPlayerClass cd;
....
};
|
by: Don Vaillancourt |
last post by:
Hello all,
Over the years as I design more database schemas the more I come up with
patterns in database design. The more patterns I recognize the more I
want to try to design some kind of generic design patterns that can be
used and shared amongst many sub-schemas.
For example, the grouping of entities. I may have the following tables:
employee, product and client. These tables have no direct relationship
with each other. But...
|
by: Terry Hancock |
last post by:
Newcomers to Blender (3D modelling/animation program)
often find its fairly unique UI a bit off-putting,
but on closer inspection, I find it's a very compelling
design for "power users" (i.e. professionals who need to
use a given program on a daily basis, and who are therefore
willing to make the effort to learn the specific interface).
It is much better than either a command line interface
or a more conventional GUI, for that purpose,...
|
by: __PPS__ |
last post by:
Hello everybody, that's already not a quiz question from school :)
I wanted to design simple stuff that would allow me to program cgi
programs with cpp. My goal is to make reading input from user much like
traditional cpp programming with iostreams:
cout << "Enter date of birth and name: ";
cin >> dob >> name;
....
|
by: Saso Zagoranski |
last post by:
hi,
this is not actually a C# problem but since this is the only newsgroup I
follow I decided
to post my question here (please tell me where to post this next time if you
think this post shouldn't be here).
I have two design questions:
1. what is the correct (or best) way to include database queries into the
code if you plan on
| |
by: Peter M. |
last post by:
Hi all,
I'm currently designing an n-tier application and have some doubts about my
design.
I have created a Data Access layer which connects to the database (SQL
Server) and performs Select, update, delete and inserts. I use dataset
objects to pass data to and from the DAL.
In my GUI (windows forms), I use databinding to bind controls to a datatable
|
by: Griff |
last post by:
Hi
I'm not sure of the best way to go about achieving my goal and would
appreciate any advice.
What I would like to do is to generate a control that can be dropped onto a
web page. For example, a control that provided catalogue information. As I
envisage this, the control would be given a single argument (the end user
identifier) and it would return the required catalogue information as an
HTML page "fragment".
|
by: yanjie.ma |
last post by:
Hi,
I've got a two part question on table and form design (sorry for the
length but it takes a bit to explain). Our sales department uses a
look-up table to help the them select the best equipment to use for a
customer's needs. It basically consists of a table with the following
setup:
Equipment: Option1: Option2: Option3: Option 4: ...
-------- ------- ------- -------- --------
|
by: YellowFin Announcements |
last post by:
Introduction
Usability and relevance have been identified as the major factors
preventing mass adoption of
Business Intelligence applications. What we have today are traditional
BI tools that don't work
nearly as well as they should, even for analysts and power users. The
reason they haven't
reached the masses is because most of the tools are so difficult to use
and reveal so little
|
by: Brad Pears |
last post by:
Here is a simple OO design question...
I have a Contract class. The user can either save an existing contract or
they start off fresh with a blank contract, fill in the data and then save a
"new" contract.
I have a method in my contract class called "Save" which is called like
this...
dim oContract as new Contract
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
| |
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
| |
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |