| moisie | May 26 2004, 08:51 AM | Post #41 | Unregistered |

switch is really no more secure than if/else, since you are only allowing specific values to be included. The danger comes when you allow people to just include any value via the query string. Having said that, I do tend to use switch as it's neater imo.
| Sasha | Jun 3 2004, 02:26 PM | Post #42 | Codegrrl Alumni, Group: Loyal Members, Posts: 1,671, Joined: 12-May 03, Member No.: 2 |

QUOTE (sioleabha @ May 26 2004, 01:50 AM):
    Do you guys know how to use the switch() function to do site pages? I could write a tutorial on it, as I am pretty sure it's a secure method.

I think a tutorial would be a great idea, as I'm pretty sure most people won't know how to use it.
| Ferret | Jun 3 2004, 03:57 PM | Post #43 | Rank #1: Newbie, Group: Members, Posts: 6, Joined: 2-June 04, From: Notts. Uk, Member No.: 1,156 |

Hmmmm....

My scripts currently work by http://www.domain.com/myscript?page=thing, then add .php on the end and include it. Now then, how about if I just checked for full stops in the page variable and, if there are any, didn't include the file? I can't think of any way this would not make my site secure against this particular type of attack....
| marciesleo2 | Jun 23 2004, 05:12 AM | Post #44 | Unregistered |

I am new to PHP and I used PHP Fanbase for my fanlistings. If hackers can get into certain files, can't they get into the PHP Fanbase config file, download it from your website and access your server through there?
| Cassiopaya | Jun 26 2004, 10:33 AM | Post #45 | Unregistered |

Uhm, well, now I'm scared... I'm using the following code on my page... is this secure??

CODE
    <?php
    // $id comes from the query string (?id=...); reading it explicitly
    // removes the dependence on register_globals.
    $id = isset($_GET['id']) ? $_GET['id'] : '';

    switch ($id) {
        case "1":
            include('crucio.php');
            break;
        case "2":
            include('imperio.php');
            break;
        case "3":
            include('avakedevra.php');
            break;
        default:
            include('stupidgit.php');
    }
    ?>
| Sasha | Jun 26 2004, 12:13 PM | Post #46 | Codegrrl Alumni, Group: Loyal Members, Posts: 1,671, Joined: 12-May 03, Member No.: 2 |

Cassiopaya: Yes, that's safe. The way that this method is insecure is if you specify the entire file name in the URL (like file.php) and if you don't do any checking inside the document to make sure only your own files are included.

You could test this out by, for example, uploading a small .txt file to another domain, maybe with just the word "Test" in it. Then on your site, try index.php?x=http://otherdomain.com/test.txt. If you see the word Test appear on the page, you have a problem. If nothing appears or your normal index appears, it's most likely safe.
| moisie | Jun 26 2004, 05:34 PM | Post #47 | Unregistered |

The general rule of thumb is to only allow your script to include files from a known safe area and/or only be able to include specified values.
| Karrie | Jul 18 2004, 05:32 PM | Post #48 | Rank #1: Newbie, Group: Members, Posts: 22, Joined: 14-September 03, From: inYOURhead, Member No.: 416 |

I've not switched to PHP yet, but I was wondering if this tutorial is OK to use... http://so-you.net/home/index.php?go=skintut ? I definitely don't want any security problems. >,<

--------------------
People change, things go wrong, but always remember, life goes on.
| Teki | Aug 15 2004, 01:04 AM | Post #49 | Unregistered |

This is probably a really stupid question, but is just using the header-footer include script with nothing else safe? I was recently hacked thanks to the script this thread is about, and I'm looking for a way to quickly convert my site. I've got at least 200 pages, so putting them all in one file will not work for sure. ^^;
| Spacemonkey | Aug 15 2004, 03:48 AM | Post #50 | Rank #5: Obsessed, Group: Loyal Members, Posts: 995, Joined: 23-May 03, From: Scotland, Member No.: 99 |

Using NLConvert to convert to PHP, you don't have to use just one page. I've divided my site up into 5 sections, so I have 5 pages with all the individual page info inside them. The tutorial uses the example for one page only, but that doesn't mean you can't make as many as you require.

--------------------
'All we have to decide is what to do with the time that is given to us.'
| Vixx | Aug 16 2004, 09:18 AM | Post #51 | CodeGrrl Administrator, Group: Admin, Posts: 2,421, Joined: 31-December 03, From: UK, Member No.: 657 |

QUOTE (Teki @ Aug 15 2004, 02:04 AM):
    I've got at least 200 pages, so putting them all in one file will not work for sure. ^^;

You can use Convert-to-PHP not only to hold all the information on one page; if you have a big site, you can also use it with individual pages, too. For instance, you can still have all of your content on different pages, and then call them up using Convert by doing something like this:

CODE
    <?php
    // One branch of the Convert-to-PHP if/elseif chain: when the query
    // string is exactly "about", pull in the separate about.php file.
    ?>
    <?php } elseif ($_SERVER['QUERY_STRING'] == "about") { ?>
    <?php include("about.php"); ?>
| professor_destiny | Sep 15 2004, 09:26 AM | Post #52 | Unregistered |

Dude, I'm beginning to get paranoid :/

My site uses the index.php?id=variable bit; however, when I get the varname, I check whether it exists in an array and, if so, it includes the page; if not, it displays the default page. The array, btw, contains values that look something like this (I'm at work now, so I don't have access to my site's FTP to check): "abt" => "about", "nws" => "news" etc. Would it help to encode the varname in the links, then decode it to check whether it fits the filenames? Does this post make sense?
| Skybly | Sep 15 2004, 09:47 AM | Post #53 | Rank #5: Obsessed, Group: Members, Posts: 777, Joined: 23-May 03, From: Germany, Member No.: 98 |

Your method sounds fine. As long as you're not allowing people to include arbitrary files, you're safe.

--------------------
~*~ Pointy-Ears.net ~*~ The Witch ~*~
| Guest | Sep 29 2004, 04:47 PM | Post #54 | Unregistered |

Hi,

Can anyone help? I can't seem to figure out how to hide my variables from my URL address to stop people manually entering a value. For example, retrieving a blog entry using a URL query string ending with .php?id=variable. The dodgy thing is it returns an empty single blog entry with the comment form when someone enters a number higher than the actual logged id entries in my database. A major flaw, since anyone can leave a comment before the blog entry has been created. Converting the variables to be used in sessions and cookies? Sounds a bit extreme for me.
| broken.wings | Oct 11 2004, 05:30 AM | Post #55 | Unregistered |

Gosh, I'm glad I didn't code my site like that. I'm still spreading the word as much as I can though - thanks for the heads up! I don't see what people get out of hacking things like that. *shakes head*
| moisie | Oct 11 2004, 08:15 AM | Post #56 | Unregistered |

QUOTE (Guest @ Sep 29 2004, 04:47 PM):
    Hi, Can anyone help? I can't seem to figure out how to hide my variables from my URL address to stop people manually entering a value. For example, retrieving a blog entry using a URL query string ending with .php?id=variable. The dodgy thing is it returns an empty single blog entry with the comment form when someone enters a number higher than the actual logged id entries in my database. A major flaw, since anyone can leave a comment before the blog entry has been created. Converting the variables to be used in sessions and cookies? Sounds a bit extreme for me.

Add a check so that comments aren't added if an entry doesn't already exist.
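An added example of the check moisie describes, written for this thread and not taken from the original site: the entry id from the query string is validated as a positive integer, looked up with a prepared statement, and the comment form is only shown (and a comment only stored) when that row exists. It runs stand-alone against an in-memory SQLite database with two constructed entries; the table and column names (`entries`, `comments`, `entry_id`) are assumptions.

```php
<?php
// Added example for posts #54/#56. Not code from the original blog script.
// Requires PHP 7.1+ with the pdo_sqlite extension.

function open_db(): PDO
{
    // In-memory database with constructed rows so the example runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('PRAGMA foreign_keys = ON');
    $db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $db->exec('CREATE TABLE comments (
                   id INTEGER PRIMARY KEY AUTOINCREMENT,
                   entry_id INTEGER NOT NULL REFERENCES entries(id),
                   body TEXT NOT NULL)');
    $db->exec("INSERT INTO entries (id, title) VALUES (1, 'First post'), (2, 'Second post')");
    return $db;
}

// Returns the entry row, or null when $rawId is not a positive integer or
// no row has that id. The raw value never reaches the SQL text.
function load_entry(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title FROM entries WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stores a comment only after the entry has been confirmed to exist.
function add_comment(PDO $db, $rawId, string $body): bool
{
    $entry = load_entry($db, $rawId);
    if ($entry === null || trim($body) === '') {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO comments (entry_id, body) VALUES (:entry_id, :body)');
    $stmt->execute([':entry_id' => $entry['id'], ':body' => $body]);
    return true;
}

// Page handler: the comment form is part of the entry view, so a missing
// entry gets a 404 and no form at all.
function show_entry(PDO $db, $rawId): string
{
    $entry = load_entry($db, $rawId);
    if ($entry === null) {
        http_response_code(404);
        return 'No such entry.';
    }
    return '<h1>' . htmlspecialchars($entry['title'], ENT_QUOTES, 'UTF-8') . '</h1>'
        . '<form method="post"><textarea name="body"></textarea></form>';
}

$db = open_db();
var_dump(add_comment($db, '2', 'Looks good'));        // bool(true): entry 2 exists
var_dump(add_comment($db, '999', 'Early comment'));   // bool(false): beyond the last entry
var_dump(add_comment($db, '1 OR 1=1', 'x'));          // bool(false): not an integer
echo show_entry($db, '999'), "\n";                    // No such entry.
```

The id is still visible in the URL; hiding it in a session or cookie would not help, because the server-side existence check is what stops the premature comment. The `REFERENCES entries(id)` constraint is a second line of defence in case another code path forgets the check.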
| Guest_harkey | Oct 16 2004, 09:15 PM | Post #57 | Unregistered |

I use switch most of the time. It is a much less globular method than 100 if's, and it is more secure since you can set a default.
| Fadingshining-star | Oct 16 2004, 10:26 PM | Post #58 | Unregistered |

I'm glad my site's not set up like that. Thanks for telling!
| lwq | Oct 17 2004, 01:53 PM | Post #59 | Unregistered |

Thanks for telling.... Lucky I did not use that. One way you can protect these files is to try:

CODE
    <?php
    error_reporting(E_ALL ^ E_NOTICE);

    // Read the page name from the query string instead of relying on register_globals.
    $page = isset($_GET['page']) ? $_GET['page'] : '';

    // Check whether $page is empty or otherwise
    if (empty($page)) {
        include('index.php');
    }
    // Ban related names (used to ban direct script access to folders).
    // stripos() is a case-insensitive substring test, like the original
    // eregi(), which was removed in PHP 7.
    elseif (stripos($page, "folder1") !== false) {
        echo "<center><b>Sorry. Access denied.<br>Don't try to hack.</b></center>";
    }
    elseif (stripos($page, "folder2") !== false) {
        echo "<center><b>Sorry. Access denied.<br>Don't try to hack.</b></center>";
    }
    elseif (stripos($page, "folder3") !== false) {
        echo "<center><b>Sorry. Access denied.<br>Don't try to hack.</b></center>";
    }
    else {
        // Any value not matched above is passed straight to require().
        require($page);
    }
    ?>

This will block folder1 and the file "folder1.php" too, thus it won't work if you want to access a file like "index.php?page=folder1.php", as it is also blocked.
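The thread has now seen three ways of turning `?page=...` into an include path: Ferret's dot check in post #43, the folder-name blacklist just above, and the fixed map (switch or array) from posts #45 and #52. The block below is an added example, not code from any of those posts, that implements all three as small functions and runs them over the same constructed inputs so the differences are visible. The page names, the `pages/` directory, the `intranethost` name and the attacker paths are all hypothetical.

```php
<?php
// Added example (not from any post in this thread): the three ?page=...
// strategies discussed above, run against the same constructed inputs.
// Requires PHP 7.1+. Nothing here calls include(); the functions only
// return the path that the corresponding script would have included.

// Post #43: reject any value containing a dot, then append ".php".
function resolve_dotcheck(string $page): ?string
{
    if ($page === '' || strpos($page, '.') !== false) {
        return null;
    }
    return $page . '.php';
}

// Post #59: refuse values mentioning a few folder names, pass the rest to require().
function resolve_blacklist(string $page): ?string
{
    if ($page === '') {
        return 'index.php';
    }
    foreach (['folder1', 'folder2', 'folder3'] as $banned) {
        if (stripos($page, $banned) !== false) {
            return null;
        }
    }
    return $page;
}

// Posts #45 and #52: the request value is only ever used as an array key into
// a fixed map; unknown keys fall back to a default page. Directory is assumed.
function resolve_whitelist(string $page): string
{
    $pages = ['abt' => 'about.php', 'nws' => 'news.php'];
    return __DIR__ . '/pages/' . ($pages[$page] ?? 'default.php');
}

function fmt(?string $path): string
{
    return $path === null ? '(rejected)' : addcslashes($path, "\0");
}

// Constructed inputs; the hostname and paths are hypothetical.
$inputs = [
    'abt',                          // a legitimate page name
    '../../../../etc/passwd',       // classic traversal
    '/etc/passwd',                  // absolute path, no dot needed
    '/home/othersite/config',       // another account's config.php, no dot needed
    'http://intranethost/shell',    // dotless hostname: remote include if allow_url_include is on
    "/etc/passwd\0",                // NUL byte: PHP before 5.3.4 dropped the appended ".php"
    'FOLDER1/../../../etc/passwd',  // caught by the case-insensitive blacklist
    'folder9/../../../etc/passwd',  // not on the blacklist at all
];

printf("%-30s| %-32s| %-32s| %s\n", 'input', 'dot check', 'blacklist', 'whitelist');
foreach ($inputs as $in) {
    printf("%-30s| %-32s| %-32s| %s\n",
        fmt($in),
        fmt(resolve_dotcheck($in)),
        fmt(resolve_blacklist($in)),
        basename(resolve_whitelist($in)));
}
```

Reading the table: the dot check does stop `../` traversal, but an absolute path, a hostname without a dot, or (on PHP older than 5.3.4) a NUL byte all sail through and arrive at `include()` with `.php` appended. The blacklist stops only the names it lists, so every other value reaches `require()` unchanged, which is the situation this thread is about. The whitelist never uses the request value as a path at all; whatever is sent, the only files that can be included are the ones named in the map plus the default. That is the property moisie's rule of thumb in post #47 is asking for, and it holds equally for a switch with fixed `include()` lines.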
| moisie | Oct 17 2004, 03:10 PM | Post #60 | Unregistered |

QUOTE (Guest_harkey @ Oct 16 2004, 09:15 PM):
    I use switch most of the time. It is a much less globular method than 100 if's, and it is more secure since you can set a default.

else is effectively the default for if/else. Security-wise there is very little difference between the two methods; the major problem is if people implement them in such a way as to allow people to do whatever they want.