My knowledge of PHP is not very profound. I thought of assigning the "standard" variable first but I read somewhere that once a variable is assigned it cannot be changed.
Thanks for your help!
Tyberius Prime
Maniac (V) Mad Scientist with Finglongers
From: Germany Insane since: Sep 2001
posted 05-23-2007 16:47
now... if you're doing an include ( $_GET[["page"} ) or any variant there of, chances are
very high you've just opened a grade A security hole.
Also you might consider doing some sort of URL rewriting. Nice URLs look more professionnal.
If you actually link directly to services.php, contact.php and so on you'll have to include the header and footer in each of these pages. No big deal.
Or you could do real URL rewriting using an .htaccess file
Or, as I tend to prefer, catch the 404 and check the $_SERVER['REQUEST_URI'] to include the header, serve the page you want and the footer. This way you can even check for typos in the REQUEST_URI. That's what I do on my site.
quote: poi said:
If you actually link directly to services.php, contact.php and so on you'll have to include the header and footer in each of these pages. No big deal.
My original idea is to use index.php as a "frameset", containing all layout and styles and then calling the content with the above include.
The original site was done in Dreamweaver with Templates. Stripping excess and redundant code alone has reduced the overall size by more than 70%! Thats why I am quite happy about doing it this way.
I have seen URLs on other sites such as
/index.php?id=4
/index.php?id=5
I understand that it works by renaming the variable $page to $id but I simply don't know how to subsitute the *.php at the end of the variable or writing a "key" list containing ids for the actual files to be included.
I have never even remotely touched the subject of URL rewriting.
Tyberius Prime
Maniac (V) Mad Scientist with Finglongers
From: Germany Insane since: Sep 2001
posted 05-24-2007 11:32
framesets are not only soooo 20ieth century, the also break acessibility.
Now, that line
code:
<?php include $page; ?>
is a massive security whole that allows anybody to see any file on your server - including /etc/shadow, containing (crypted )passwords and plaintext usernames. Add in a weak password on one account, and you just have found a valid username/password combo...
(Not to mention the other attack vectors... database password files)
And what's more: if php is misconfigured, $page could be an URL, pointing to a different server, allowing the attacker to include *any* code he wants!
Now take that thing down till you have at least read the documentation on php->include before your server get's hacked ( there are automated scripts for this... and they roam the net's endlessly. Don't believe you're save just because your url hasn't been published).
Those other pages probably pull their content out of databases... and the way you phrased your sentence, also shows me that you lack a concice concept of what parts urls consist of.
To make it short ( since I got some dna prep to attend to ) - you still have a lot to learn, "young Racketeer", and our ->faq is a decent place to start.
Don't hesitate with questions - we're quite eager to help out provided you've done your homework.
I will rethink the entire concept of using PHP at all. If I cannot use the include for security reasons then there is little reason in using PHP at all.
While I am very interested in learning PHP, I am simply lacking the time to do so. And my step by step learning by doing approach seems hardly feasible given the risks you pointed out.
you CAN use PHP! Just be careful. Check my code snippet with the $pagesWhiteList variable to see an easy way to pluck the security canyon you had.
I did in fact integrate your fix for the security hole. Thank you for that. But does that fix the <?php include $page; ?> issue mentioned by Tyberius Prime?
Of course it does since it only allows $page to take a value that is in the $pagesWhiteList array, and falls back to "welcome.php"
Tyberius Prime
Maniac (V) Mad Scientist with Finglongers
From: Germany Insane since: Sep 2001
posted 05-24-2007 18:14
yep, a whitelist as poi suggested is just the way to go ( sorry if I hadn't read all of this thread before pointing this hole out - but it's important to educate people (not just you, but the largish amount of lurkers we have ) .
Har har, I dug into the subject of URL rewriting and I must say: I love it!
Not everything seems to work however...
The custom 404 page works!
This...
code:
RewriteEngine on
RewriteRule ^(.*)\.html$ $1.php
also works!
But this (really useful)...
code:
RewriteEngine on
RewriteRule ^/contact.html$ /index.php?page=contact.php
doesn't work!
Tyberius Prime
Maniac (V) Mad Scientist with Finglongers
From: Germany Insane since: Sep 2001
posted 05-25-2007 23:41
those are regexps... try escaping the . (by writing \. ) , so that it really means 'dot'.
Also, try appending [R] - that should get you a redirect that's visible in the browser - if you don't get it, the problem lies with the first part of the expression.
Thanks Tyberius! It needed the +FollowSymlinks option activated.
It now works just fine! PHP, includes, url rewriting all smooth! I've learned a lot!
The only issue I just noticed is that of course all pages have the same title now.
My idea is to add another PHP variable to the url rewriting part in .htaccess and echoing that in the title. Is that feasible? Is there a better solution?
How can I pass a varibale consisiting of two words?
So that the title says About us - Company Name Limited. I've tried putting the title variable in ' ' or " " but it seems not to work. Also the trick in combining them with %20 doesn't work (it passes the variable but displays it with a 0 instead of a space: About0us - Company Name Limited