Create a source code viewer for PHP code
Posted on March 10th, 2007
I am calling this file sourcer.php; if you change the name, there are parts of the code which need to be changed. In this tutorial I am going to show you how you can use the highlight functions in PHP to do several things. Firstly I'm going to create a source code viewer which you can set to not allow users to view certain files. To begin, I will explain the two functions.

highlight_string($String);


You can either set the string variable or just put the PHP code in there, and it will echo that PHP with the correct colors. It basically makes the code look like it should in code view.

Now the other function does the same thing but for a file:

highlight_file("file.php");


This will display the full contents of the file. Now to create the sourcer.


 
$file = $_GET['f'];
if (file_exists($file)){
    highlight_file($file);
}else{
    echo "This file doesn't exist";
}


This uses the file_exists('filename') function to check whether the file that you have entered exists. However, you shouldn't really use this script, as it's a security risk: it will display any file whose name is passed in the URL. The following script, however, has built-in safety mechanisms to prevent certain files from being opened.


$array = array('index.php','conn.php');
$file = $_GET['f'].".php";
if (!in_array($file,$array)){
    if (file_exists($file)){
        highlight_file($file);
    }else{
        echo "This file doesn't exist";
    }
}else{
    echo "This file is off limits";
}


In this code we are using an array to check whether certain filenames are being accessed, and if they are, access to them is shut off.


Lines 1-3 
$array = array('index.php','conn.php');
$file = $_GET['f'].".php";
if (!in_array($file,$array)){


To begin with, we have set the array with just the file names and the extensions. The variable $file is then set from the URL variable, and the extension is added onto the end. The last line says that if the file isn't in the array, carry on. Note that the ! makes the test "not in the array" instead of "in the array".

I am now going to finish the code by adding a small file browser in front of the sourcer so that you can select from certain files that have been selected. The array in the code I just showed you is to stop any SQL injection. Any files you want prohibited should be in the array.


if (isset($_GET['f']) && $_GET['f'] != NULL){
    // The entries include the extension, because ".php" is appended to $file below
    $array = array('index.php','conn.php');
    $file = $_GET['f'].".php";
    if (!in_array($file,$array)){
        if (file_exists($file)){
            highlight_file($file);
        }else{
            echo "This file doesn't exist";
        }
    }else{
        echo "This file is off limits";
    }
}else{
    $dir = "/";
    if (is_dir($dir)) {
        if ($dh = opendir($dir)) {
            $array2 = array('.','..','dir1');
            while (($filename = readdir($dh)) !== false){
                // Only list entries that are NOT in the hidden array
                if (!in_array($filename,$array2)){
                    // str_ireplace() stands in for eregi_replace(), which was removed in PHP 7
                    $name = str_ireplace('.php','',$filename);
                    echo "<a href='sourcer.php?f=$name'>$filename</a>";
                }
            }
            closedir($dh);
        }
    }
}


In this code we have effectively added:

$dir = "/";
if (is_dir($dir)) {
    if ($dh = opendir($dir)) {
        $array2 = array('.','..','dir1');
        while (($filename = readdir($dh)) !== false){
            // Only list entries that are NOT in the hidden array
            if (!in_array($filename,$array2)){
                // str_ireplace() stands in for eregi_replace(), which was removed in PHP 7
                $name = str_ireplace('.php','',$filename);
                echo "<a href='sourcer.php?f=$name'>$filename</a>";
            }
        }
        closedir($dh);
    }
}


Change $dir to the directory that holds the files you want to be viewable. The next line of this code checks to see if the directory exists. If it does, it proceeds to open the directory. Then we have another array:

$array2 = array('.','..','dir1');



Put in it the names of the directories and files in the folder that you don't want the user to see; always keep the first two entries. It would also be a good idea to put the files you don't want them to be able to view at all in the first array.

while (($filename = readdir($dh)) !== false){
if (!in_array($filename,$array2)){



To begin with, a loop is started which goes through all the files in the directory. The files or directories that are in the array will not be shown.

$name = str_ireplace('.php','',$filename);
echo "<a href='sourcer.php?f=$name'>$filename</a>";


These lines show the removal of the .php extension using the str_ireplace function (the original eregi_replace function was removed in PHP 7), and then the link to the sourcer being output.
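
The prohibited-files array above compares the requested name as an exact string, so it only blocks the spellings that are listed. The variant below is an added example, not the tutorial author's code: it turns the check into an allowlist built from the directory listing, and escapes the file names it prints. The `public_src` directory and the function names `viewable_files` and `resolve_request` are assumptions made for this example.

```php
<?php
// Added example. Assumption: files that may be shown live in a dedicated
// "public_src" directory (hypothetical); conn.php etc. are kept out of it.

// Map of viewable name (no extension) => absolute path for *.php files in $baseDir.
function viewable_files(string $baseDir): array
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return [];
    }
    $files = [];
    foreach (scandir($base) as $entry) {
        $path = $base . DIRECTORY_SEPARATOR . $entry;
        // Regular files only: skips ".", "..", sub-directories and symlinks.
        if (is_file($path) && !is_link($path)
            && pathinfo($entry, PATHINFO_EXTENSION) === 'php') {
            $files[pathinfo($entry, PATHINFO_FILENAME)] = $path;
        }
    }
    return $files;
}

// Return the path for a requested name, or null when it is not on the list.
function resolve_request($requested, array $allowed): ?string
{
    // Exact key match: path segments, absolute paths and array input are not listed names.
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        return null;
    }
    return $allowed[$requested];
}

$allowed = viewable_files(__DIR__ . '/public_src');
if (isset($_GET['f'])) {
    $path = resolve_request($_GET['f'], $allowed);
    if ($path === null) {
        echo "This file doesn't exist";
    } else {
        highlight_file($path);
    }
} else {
    foreach ($allowed as $name => $path) {
        // Encode the name for the URL and escape the label for HTML.
        $label = htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8');
        echo "<a href='sourcer.php?f=" . rawurlencode($name) . "'>$label</a><br>";
    }
}
```

Because the path passed to highlight_file always comes from the server-side listing and never from the request, nothing outside `public_src` can be displayed.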

That's about it for this tutorial. Comments and questions please.



Arutha