Search
Left Quote    Wise men speak because they have something to say; Fools because they have to say something.
- Plato (427-347 B.C.)    
Right Quote
 
[login] | [Register]
Forum Index » PHP and mySQL » Viewing Topic and Replies
Post Reply


        Viewing Topic: Secure Include HELP Quick
  This user is offline  sjotto
  Subject: "Secure Include HELP Quick" Posted: @ 11:47 am on Jun 15 2008   
Member #: 649
Rank: User - (5)
Since: 03/30/08
Posts: 5

Hello php friends :)

I'am creating a website for myself just to learn a bit more desiging html and php, java.

And I have a include code to get the pages.
Like links will be this. page.php?get=ho me


Code:
if(isset($_GET ["p"] )) {
if(stristr($_GE T["p" ], "/") || stristr($_GET[& quot;p"], ".")) {
print ""; } else {
if(is_file($_GE T["p" ].".php&qu ot;)) {
include($_GET[& quot;p"].& quot;.php" );
} else {
print "Page not found!"; }
}
} else {
include("p age.php");
}



And I know this is a veru unsecure code, do you have something very secure like this.

Sry my english, I am norwegian


    Viewed: 4,982 Times | Reply to This | To top
  This user is offline  bs0d
  Subject: "re: Secure Include HELP Quick" Posted: @ 6:15 pm on Jun 15 2008    

Member #: 1
Rank: Admin. - (1,505)
Since: 02/06/05
Posts: 600
From: USA

sjotto,

Right now I'm not sure what the best answer is for your question. The reason your code would be insecure is because the processes depend on information that is passed along in the URL via the $_GET method, which can be modified by anyone making the request.

Your best way for protection is to validate the variables. Check if they are the format you expect, maybe even length. Think of every reason to fail the variable, and code it that way. The only way it will pass through is if it meet's all of your criteria.

Beyond that, depending on who will be accessing the pages, having a members system can help. You can make the pages "member' s only" which adds a level of security. However, session's can be stolen and hijacked.

If an Apache server, you could protect the directory with .htaccess, requiring a username and password before the page loads.

You could require a CAPTCHA before displaying or processing content to assist in filtering out the spam bots.

I believe 100% security is unattainable. Especially in the computer world, there's always someone that will get 'in' the places that were thought to be the most secured. Expect the worse and hope for the best. Be sure to backup your data in case if anything were to ever happen.

Those are my thoughts. If anyone else has any knowledge to add, feel free to comment. Thanks and good luck sjotto.




-bs0d | AllSyntax.com

    Viewed: 4,968 Times | Reply to This | To top
  This user is offline  misterhaan
  Subject: "re: Secure Include HELP Quick" Posted: @ 1:32 pm on Jun 16 2008    

Member #: 5
Rank: User - (213)
Since: 02/11/05
Posts: 148
From: chair

if you want to use one php script to include all of your other pages (i




please note that the above post is likely made up in its entirety.

    Viewed: 4,960 Times | Reply to This | To top
  This user is offline  David1159
  Subject: "re: Secure Include HELP Quick" Posted: @ 4:51 am on Jun 17 2008    

Member #: 526
Rank: User - (81)
Since: 12/27/07
Posts: 81
From: usa

I would not do it that way sjotto. Lets say you have a page where only you can access, such as admin.php. What stops a user from typing in the address bar http://www.site .com/index.php? get=admin

Putting $_GET inside includes you can have problems if you don't do it right. You can hack that by setting your include to a outside site. Quick example of what I mean. http://www.site .com/index.php? get=http://www. hacksite.com/pa ge

I'd also recommend you filter the $_GET variables.

On my site I only allow my $_GET to be numbers, if someone plays around with the url I die(); them and their IP is recorded on my list, 5 errors a day the system blocks the IP for 24 hours.




Coding is simply CST... Combining $hit Together. We make different $hit to run in unison correctly.

    Viewed: 4,949 Times | Reply to This | To top
Viewing Page: 1 of 1


1 |

You must be logged in to post on the forums. Login or Register








"AllSyntax.com" Copyright © 2002-2018; All rights lefted, all lefts righted.
Privacy Policy  |  Internet Rank