Full Version: secure navigation
Pixel2Life Forum > Member Tutorials and Requests > Forum Tutorial Archives > PHP Tutorials
nitr0x
You see those ?x=page urls a lot, here's how you do them in a secure way so hackers can't get any nasty scripts running on your site.

First off, make a new folder, call it whatever you want; this is where your content pages are going to go, while your main page will be up one level (so on a web server, the main directory is usually www or htdocs, then you make a folder called pages).

Now where you want your content to show up, place the code, but look through and read it so you understand what the code does.

CODE
<?php //Open up PHP
    $p = './pages/'; // This is our path to our folder we just created.
/* We use an if statement to see if our url has the variable of x in it, this will be our page name. */
    if($x = $_GET['x']){
        if(file_exists($p.$x.'.php')){ //We then check to see if the file exists using an if statement.
            include($p.$x.'.php'); //If it does, then we include it into the page, the $p is our path, the $x is our file name, and as you can see, our file extension is .php
        }else{ //If it doesn't exist
            include($p.'root.php'); //Include our root page, or news page.
        }
    }else{ //If the x variable doesn't have anything in it then
        include($p.'root.php'); //Include our root page again.
    }
?>


It's as simple as that... And the urls will look like this.

http://www.domain.com/?x=page
CB Productions
Despite the fact you have included a $p directory to search for, one could still use file.php?x=../file
Let's say your site looks like:

index.php
pages/
-home.php
-news.php
includes/
-db.php
-globals.php

now, whilst "index.php?x=home" or "index.php?x=news" works fine, so would "index.php?x=../includes/globals.php" or if someone is really clever they could simply go "index.php?x=../index" (think about what this one would do).

There is no real way to further secure a navigation like this, the most secure way would be to use SWITCH - which to be honest, is boring and takes too much time, but in general, you shouldn't include variables ($x) in an include()/require() statement - it can just cause too much trouble...

Also, one minor thing, it's bad practice to assign variables within a conditional.
ie.
if($x = $_GET['x']){

}

Whilst this is still correct, and works, it's better syntax to use
if(isset($_GET['x'])) {
$x = $_GET['x'];
}

This part, obviously, will have no effect on the display or functionality of the site, but on some servers this style of syntax will give a warning.
Da DreadLord
lol at that ../index one

you could add a small line to strip away dots or any other special characters that you know won't normally be in your X variable
CB Productions
Not secure.

you can still type ?x=../..

and if someone really wanted to mess with you
?x=../index

if you want to use the ?x= style of navigation securely your best bet is to use either switch or an array of allowed pages.
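The following is an added example, not code posted by anyone in this thread, showing the "array of allowed pages" approach from the reply above, and also the isset() style from the earlier reply. The request parameter is used only as a lookup key into a fixed map, so the values "../index" or "../includes/globals.php" discussed above never reach include(); anything not in the map falls back to the default page. The directory layout (pages/home.php, pages/news.php) and the use of realpath() as a second check are assumptions for the example.

```php
<?php
// Added example (not from the original thread): an allowlist-based version of
// the ?x=page router discussed in this thread. File names are assumed.
declare(strict_types=1);

// Base directory for content pages, resolved once to an absolute canonical
// path so the later containment check can compare against it.
$pagesDir = realpath(__DIR__ . '/pages');

// The allowlist: the request parameter is a *key*, never a path fragment.
// Only values on the right-hand side are ever passed to include().
$allowedPages = [
    'home' => 'home.php',
    'news' => 'news.php',
];
$defaultPage = 'home';

function resolvePage(array $allowed, string $default, ?string $requested): string
{
    // No parameter, or a parameter not in the map, falls back to the default.
    // "../index" or "../includes/globals.php" are simply unknown keys here.
    if ($requested === null || !array_key_exists($requested, $allowed)) {
        return $allowed[$default];
    }
    return $allowed[$requested];
}

// isset() instead of assigning inside the condition; the is_string() check
// rejects ?x[]=... which would otherwise arrive as an array.
$requested = (isset($_GET['x']) && is_string($_GET['x'])) ? $_GET['x'] : null;
$file = resolvePage($allowedPages, $defaultPage, $requested);

// Defence in depth: even though $file came from the allowlist, confirm the
// resolved path still lives inside the pages directory before including it.
$target = ($pagesDir !== false) ? realpath($pagesDir . '/' . $file) : false;
$prefix = ($pagesDir !== false) ? $pagesDir . DIRECTORY_SEPARATOR : '';
if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
    http_response_code(404);
    exit('Page not found');
}

include $target;
```

A switch statement with the same literal file names in each case behaves identically; the array form just keeps the mapping in one place and makes adding a page a one-line change. Either way the important property is the same: the string from the URL is compared against known values and is never concatenated into a path.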
Invision Power Board © 2001-2009 Invision Power Services, Inc.