12-08-2005, 05:27 PM Is my PHP code safe?

Hi everyone.

Can anyone please tell me if my PHP code is secure or if there are holes in it? Is it vulnerable to hackers?

<?php
$news = "news.php";
$ext = ".php";
if(!isset($_GET['index'])){
include $news;
}
elseif(isset($_GET['index']) && file_exists($_GET['index'].$ext)){
include $_GET['index'].$ext;
}
?>

If it is, can anyone please tell me a code that will do the same thing but has no holes or vulnerability in it? I want my web site to be able to open up my news page on the index, but then be able to change when I go to another page while keeping the layout the same.

Thanksss!

Last edited by SweetAngel8788; 12-08-2005 at 05:29 PM..
SweetAngel8788 is offline

12-09-2005, 12:46 AM
The better option to use instead of $_GET is $_POST. When you use $_GET all the values you use are displayed in the address bar of the browser. If you use $_POST, the values are sent to an associative array, so the values can't be seen by the user. It should do everything that you want it to, just make sure you change the form code from "method=get" to "method=post".
cerebro89 is offline

12-09-2005, 01:22 PM
Heyyyy

I found another code that does the same thing. Is this code below better to use than that other one I posted?

<?php
if(!$index || $index == ""){$index = "/path/to/news";} ?><?php include("$index.html"); ?>

Thanks so much for your help!
SweetAngel8788 is offline

12-10-2005, 02:23 PM
No, your first code was better, but still vulnerable to attacks.

A better solution is making a list of allowed files and checking against that.

$allowed_files=array('file.php','file1.php');
if(in_array($file,$allowed_files))
{
// file is allowed
}
else
{
// file isn't allowed
}
tress is offline

12-10-2005, 08:37 PM
Isn't there a way where I can only limit the files to my own server?

Like I don't want my url, http://www.mysite.com/index.php?page=, to be able to access other sites... because people can just put http://www.mysite.com/index.php?page...site.com/index and a bad and potentially hazardous page comes up.

Can't I limit it to my site only?

There is an "open_basedir" command I've found, but I'm not sure if it will work with my code, and I don't know how to use it. Any and all help is much appreciated.

Here is the code I want to make as secure as can be:

PHP Code:
<?php
$news = "news.php";
$ext = ".php";
if(!isset($_GET['index'])){
include $news;
}
elseif(isset($_GET['index']) && file_exists($_GET['index'].$ext)){
include $_GET['index'].$ext;
}
?>
SweetAngel8788 is offline
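
An added example (not code from any poster in this thread) that completes the allowlist approach tress describes and keeps includes on the site's own files, as the last post asks: the request value is used only as a lookup key and never becomes part of a path. The page keys, file names and `pages` directory are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. Page keys, file names and the
// directory layout are assumptions made for the demonstration.

// Allowlist: the request value is only ever used as a key into this map.
const PAGES = ['news' => 'news.php', 'about' => 'about.php'];

/**
 * Return the absolute path of the page to include for a requested key.
 * Anything not on the allowlist (or not a string) falls back to the news page.
 */
function resolve_page($requested, string $baseDir): string
{
    $key = (is_string($requested) && array_key_exists($requested, PAGES))
        ? $requested
        : 'news';

    // Defense in depth: the resolved file must exist inside $baseDir.
    $base = realpath($baseDir);
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('page file missing or outside page directory');
    }
    return $path;
}

// --- Demonstration with constructed files and constructed request values ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($dir);
foreach (PAGES as $file) {
    file_put_contents($dir . DIRECTORY_SEPARATOR . $file, "<?php echo '$file';");
}

// null = parameter absent; the URL and the unknown name are not on the list.
$samples = [null, 'about', 'does-not-exist', 'http://example.com/index', ['x']];
foreach ($samples as $value) {
    $shown = json_encode($value, JSON_UNESCAPED_SLASHES);
    printf("%-28s -> %s\n", $shown, basename(resolve_page($value, $dir)));
}

// In index.php the call would be:
//   include resolve_page($_GET['index'] ?? null, __DIR__ . '/pages');
array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*'));
rmdir($dir);
```

Only the `about` sample resolves to `about.php`; every other constructed value, including the URL, falls back to `news.php`.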