secure navigation
#1 nitr0x
Posted 02 May 2007 - 11:31 AM

You see those ?x=page URLs a lot; here's how you do them in a secure way so hackers can't get any nasty scripts running on your site.

First off, make a new folder and call it whatever you want. This is where your content pages are going to go, while your main page will be up one level (so on a web server, where the main directory is usually www or htdocs, you make a folder called pages).

Now, where you want your content to show up, place the code, but look through it and read it so you understand what the code does.

<?php //Open up PHP
	$p = './pages/'; // This is our path to the folder we just created.
/* We use an if statement to see if our URL has the variable x in it; this will be our page name. */
	if($x = $_GET['x']){
		if(file_exists($p.$x.'.php')){ //We then check to see if the file exists using an if statement.
			include($p.$x.'.php'); //If it does, then we include it into the page; $p is our path, $x is our file name, and as you can see, our file extension is .php
		}else{ //If it doesn't exist
			include($p.'root.php'); //Include our root page, or news page.
		}
	}else{ //If the x variable doesn't have anything in it then
		include($p.'root.php'); //Include our root page again.
	}
?>

It's as simple as that... And the URLs will look like this.

http://www.domain.com/?x=page

#2 CB Productions

Posted 25 June 2009 - 02:26 AM

Despite the fact that you have included a $p directory to search in, one could still use file.php?x=../file
Let's say your site looks like:

index.php
pages/
-home.php
-news.php
includes/
-db.php
-globals.php

now, whilst "index.php?x=home" or "index.php?x=news" works fine, so would "index.php?x=../includes/globals.php" or if someone is really clever they could simply go "index.php?x=../index" (think about what this one would do).

There is no real way to further secure a navigation like this. The most secure way would be to use SWITCH, which, to be honest, is boring and takes too much time, but in general you shouldn't include variables ($x) in an include()/require() statement; it can just cause too much trouble...

Also, one minor thing, it's bad practice to assign variables within a conditional.
ie.
if($x = $_GET['x']){

}

Whilst this is still correct, and works, it's better syntax to use
if(isset($_GET['x'])) {
$x = $_GET['x'];
}

This part obviously will have no effect on the display or functionality of the site, but on some servers this style of syntax will give a warning.

#3 Da DreadLord

Posted 25 June 2009 - 02:33 AM

lol at that ../index one :P

You could add a small line to strip away dots or any other special characters that you know won't normally be in your X variable :)

#4 CB Productions

Posted 26 June 2009 - 01:23 AM

Not secure.

you can still type ?x=../..

and if someone really wanted to mess with you
?x=../index

if you want to use the ?x= style of navigation securely your best bet is to use either switch or an array of allowed pages.
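The following is an added example, not code from anyone in this thread. It builds the directory layout from post #2 in a temporary directory, runs the resolver from post #1 against the ../includes/globals, ../index and ../.. values mentioned in posts #2 and #4, and then runs the same inputs through the allowlist array post #4 recommends. The function and constant names (resolveVulnerable, resolveAllowlist, render, ALLOWED_PAGES) and the marker text written into each file are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread. Recreates the layout from post #2
// in a temp directory, runs the ?x= resolver from post #1 against the inputs
// named in posts #2 and #4, then does the same with an allowlist (post #4).
declare(strict_types=1);

$root = sys_get_temp_dir() . '/nav_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
mkdir("$root/includes", 0700, true);
// Constructed stand-ins for the site files; each just prints its own name.
$files = [
    'index.php'            => 'INDEX',
    'pages/home.php'       => 'HOME',
    'pages/news.php'       => 'NEWS',
    'pages/root.php'       => 'ROOT',
    'includes/globals.php' => 'GLOBALS',
];
foreach ($files as $path => $marker) {
    file_put_contents("$root/$path", "<?php echo '$marker';");
}

// Post #1's lookup, unchanged in behaviour: the request value is glued into
// the path, and file_exists() happily follows "../" out of the pages folder.
function resolveVulnerable(string $pagesDir, string $x): string
{
    $candidate = $pagesDir . $x . '.php';
    return file_exists($candidate) ? $candidate : $pagesDir . 'root.php';
}

// Allowlist version: the request value is only a key into a fixed map, so no
// character the user sends ever reaches the filesystem.
const ALLOWED_PAGES = ['home' => 'home.php', 'news' => 'news.php'];

function resolveAllowlist(string $pagesDir, ?string $x): string
{
    $file = ALLOWED_PAGES[$x ?? ''] ?? 'root.php';
    return $pagesDir . $file;
}

// Include the chosen file and return whatever it printed.
function render(string $file): string
{
    ob_start();
    include $file;
    return (string) ob_get_clean();
}

$pagesDir = "$root/pages/";
$inputs = ['home', 'news', '../includes/globals', '../index', '../..', 'missing'];

foreach ($inputs as $x) {
    $v = resolveVulnerable($pagesDir, $x);
    $a = resolveAllowlist($pagesDir, $x);
    printf("?x=%-20s vulnerable: %-8s allowlist: %s\n",
        $x, render($v), render($a));
}

// Remove the temp tree again.
foreach (array_keys($files) as $path) {
    unlink("$root/$path");
}
rmdir("$root/includes");
rmdir("$root/pages");
rmdir($root);
```

Run it with `php nav_demo.php`. The vulnerable column shows GLOBALS and INDEX for the two traversal inputs, while the allowlist column only ever shows HOME, NEWS or ROOT. In a real install the `../index` case is worse than it looks here: index.php would include itself over and over until PHP hits its memory or recursion limit. A `switch` on `$x` with a `default:` that includes root.php is the same idea as the array and is just as safe. One more caveat worth knowing: on PHP before 5.3.4 a `%00` in the value truncated the path in filesystem functions, so the hard-coded `.php` suffix was not a barrier either.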