Website Flaw

Forum Moderators: coopster

Message Too Old, No Replies

Website Flaw

DJ_Prem

9:09 am on Sep 4, 2003 (gmt 0)

Hi!

I'm a newbie to PHP and to the forum, i'm using php on my website unfortunetely recently i found a flaw on my site i was looking for ways to patch it and then i was told to use

include("./includes/" . $section ".template.php");

but i'm not aware on how to use that could some one please tell me how i can use these.

ukgimp

9:11 am on Sep 4, 2003 (gmt 0)

Welcome to WebmasterWorld

>>found a flaw on my site i

What is the flaw. Are you unable to include a file or somethng else. Can you be more specific?

Cheers

DJ_Prem

9:26 am on Sep 4, 2003 (gmt 0)

The flaw is the way the site handles the current includes, it can virtually let a user read the whole server.

justageek

10:02 am on Sep 4, 2003 (gmt 0)

Your include is

include("./includes/" . $section ".template.php");

and should probably be

include("./includes/" . $section . "template.php");

DJ_Prem

10:49 am on Sep 4, 2003 (gmt 0)

i see but how would i link a page to load into index.php

DJ_Prem

12:08 pm on Sep 4, 2003 (gmt 0)

I dont understand what you are saying.

In the ROOT i created a folder called INCLUDES, which contains

page1.template.php
page2.template.php
page3.template.php

in the ROOT there is a file called INDEX.PHP which is by default the user see when the enter my website.

So exactly how to i pull page1.template.php into the INDEX.PHP?

justageek

12:12 pm on Sep 4, 2003 (gmt 0)

Ah. Then do this:

include("./includes/" . $section . ".template.php");

DJ_Prem

12:27 pm on Sep 4, 2003 (gmt 0)

Ok so in INDEX.PHP enter

<?PHP
include("./includes/" . $section ".template.php");
?>

so now i have a link in INDEX.PHP to load PAGE2.TEMPLATE.PHP what do i type in the <A HREF="">

justageek

1:35 pm on Sep 4, 2003 (gmt 0)

The href should just be to index.php, I think.

DJ_Prem

1:38 pm on Sep 4, 2003 (gmt 0)

it cant be the link has to point to page1.template.php in the includes folder

justageek

2:10 pm on Sep 4, 2003 (gmt 0)

Correct. Just pass the $section variable on. So something like:

then change your include to something like:

<?PHP
include("./includes/" . $http_get_vars['section']. ".template.php");
?>

DJ_Prem

4:25 pm on Sep 4, 2003 (gmt 0)

Thanks...finally could you please just put this into a bit of a reall like situtation so that i uunderstand it even better

i have created a similiar situtation and zipped it up place it for download @

<snip>
could you please place the code into the page then tell me so that i can give you my e-mail address and so this will really help me.

Thanks to all you have replied you haev been very gratful and polite.

[edited by: jatar_k at 5:15 pm (utc) on Sep. 5, 2003]
[edit reason] no personal urls thanks [/edit]

justageek

4:34 pm on Sep 4, 2003 (gmt 0)

I won't go get it but if you stickymail me the code I'll take a quick look.

DJ_Prem

5:46 pm on Sep 4, 2003 (gmt 0)

the problem is that it's just basic code nothing added and i was hoping that someone could stick the code into it so that i cam look @ this and understand it better.

I can provide you a e-mail to contact me on.

DJ_Prem

6:02 pm on Sep 4, 2003 (gmt 0)

i would be very gratful if you could do this. thank you

Website Flaw

DJ_Prem

ukgimp

DJ_Prem

justageek

DJ_Prem

DJ_Prem

justageek

DJ_Prem

justageek

DJ_Prem

justageek

DJ_Prem

justageek

DJ_Prem

DJ_Prem

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week