Left Quote    Nearly all men can stand adversity, but if you want to test a man's character, give him power.
- Abraham Lincoln    
Right Quote
[login] | [Register]
Forum Index » PHP and mySQL » Viewing Topic and Replies
Post Reply

        Viewing Topic: Secure Include HELP Quick
  This user is offline  sjotto
  Subject: "Secure Include HELP Quick" Posted: @ 11:47 am on Jun 15 2008   
Member #: 649
Rank: user - (5)
Since: 03/30/08
Posts: 5

Hello php friends :)

I'am creating a website for myself just to learn a bit more desiging html and php, java.

And I have a include code to get the pages.
Like links will be this. page.php?get=ho me

if(isset($_GET ["p"] )) {
if(stristr($_GE T["p" ], "/") || stristr($_GET[& quot;p"], ".")) {
print ""; } else {
if(is_file($_GE T["p" ].".php&qu ot;)) {
include($_GET[& quot;p"].& quot;.php" );
} else {
print "Page not found!"; }
} else {
include("p age.php");

And I know this is a veru unsecure code, do you have something very secure like this.

Sry my english, I am norwegian

    Viewed: 7,717 Times | Reply to This | To top
  This user is offline  bs0d
  Subject: "re: Secure Include HELP Quick" Posted: @ 6:15 pm on Jun 15 2008    

Member #: 1
Rank: Admin. - (1,510)
Since: 02/06/05
Posts: 604
From: USA


Right now I'm not sure what the best answer is for your question. The reason your code would be insecure is because the processes depend on information that is passed along in the URL via the $_GET method, which can be modified by anyone making the request.

Your best way for protection is to validate the variables. Check if they are the format you expect, maybe even length. Think of every reason to fail the variable, and code it that way. The only way it will pass through is if it meet's all of your criteria.

Beyond that, depending on who will be accessing the pages, having a members system can help. You can make the pages "member' s only" which adds a level of security. However, session's can be stolen and hijacked.

If an Apache server, you could protect the directory with .htaccess, requiring a username and password before the page loads.

You could require a CAPTCHA before displaying or processing content to assist in filtering out the spam bots.

I believe 100% security is unattainable. Especially in the computer world, there's always someone that will get 'in' the places that were thought to be the most secured. Expect the worse and hope for the best. Be sure to backup your data in case if anything were to ever happen.

Those are my thoughts. If anyone else has any knowledge to add, feel free to comment. Thanks and good luck sjotto.

-bs0d |

    Viewed: 7,703 Times | Reply to This | To top
  This user is offline  misterhaan
  Subject: "re: Secure Include HELP Quick" Posted: @ 1:32 pm on Jun 16 2008    

Member #: 5
Rank: Contributor - (214)
Since: 02/11/05
Posts: 149
From: chair

if you want to use one php script to include all of your other pages (i

please note that the above post is likely made up in its entirety.

    Viewed: 7,695 Times | Reply to This | To top
  This user is offline  David1159
  Subject: "re: Secure Include HELP Quick" Posted: @ 4:51 am on Jun 17 2008    

Member #: 526
Rank: user - (81)
Since: 12/27/07
Posts: 81
From: usa

I would not do it that way sjotto. Lets say you have a page where only you can access, such as admin.php. What stops a user from typing in the address bar .com/index.php? get=admin

Putting $_GET inside includes you can have problems if you don't do it right. You can hack that by setting your include to a outside site. Quick example of what I mean. .com/index.php? get=http://www. ge

I'd also recommend you filter the $_GET variables.

On my site I only allow my $_GET to be numbers, if someone plays around with the url I die(); them and their IP is recorded on my list, 5 errors a day the system blocks the IP for 24 hours.

Coding is simply CST... Combining $hit Together. We make different $hit to run in unison correctly.

    Viewed: 7,684 Times | Reply to This | To top
Viewing Page: 1 of 1

1 |

You must be logged in to post on the forums. Login or Register

"" Copyright © 2002-2021; All rights lefted, all lefts righted.
Privacy Policy