PHP Forum

**portkey** · 07-21-2006, 12:53 AM

I use a VERY basic script to make content load easier into my layout so that everypage does not need to be edited each time i change layouts. The code (seen below) is very faulty though as it allows external sources to be included, making it very easy to hack into my server, due to how its link:
http://www.mydomain.com/index.php?site=homepage

PHP Code:


			
<?php

if(!$site || $site == ""){

  $site = "news";

}



include("$site.php"); 

?>

I know i could just include a header and footer on each page, but i had hoped to try and avoid that at all costs. What is there a way to keep the current system but increase security?

**Mad182** · 07-21-2006, 03:13 AM

I'm not good at this, but maybe you can read all include file names in array, and than chech if its in array. If it's not, show news page.

**ibbo** · 07-21-2006, 09:15 AM

You can use $_SERVER['HTTP_REFERER'] to check where its called from.

So

if( $_SERVER['HTTP_REFERER'] == "www.mydomain.com"){

if(!empty($_GET['site'])){
$site = $_GET['site'];
$site = "news";
}

include($site.".php");
}

Also you are going about it in the old style by assuming $site has mapped directly to site which is depreciated these days and considered bad practice. Use $_GET['site'] to grab your variables from the URL and $_POST['var'] when dealing with forms.

Ibbo

**AliKat** · 07-21-2006, 09:26 AM

You could use a switch statement for each of your pages.

PHP Code:


			
switch($_GET['site'])

{

 case "homepage": include("homepage.php"); break;

 case "X": include("X.php"); break;

 default: include("news.php");

}

Though I wouldn't use words I would use numbers 1, 2, 3, etc.

The domain script is easy but you could screw up your site if someone put in a file that was exiting on your server that wasn't meant to be displayed. It's not a secruity risk as most of what you put on there you'd know what is.

**mastercomputers** · 07-21-2006, 11:50 AM

AliKat's method is probably the better option, by making sure that you limit what pages can be included.

PHP Code:


			
<?php
if(isset($_GET['site']) && $_GET['site'] === 0 || !empty($_GET['site']))
{
  switch($_GET['site'])
  {
    case 0:
      include_once('page1.php');
      break;
    case 1:
      include_once('page2.php');
      break;
    default:
      include_once('news.php');
      break;
  }
}
?>

At least this way they can't include any other sites that you don't allow, however for a number of different sites, a better management way would be required, storing it in an array, flatfile/xml, database etc.

Cheers,

MC

**Acecool** · 07-24-2006, 09:05 AM

Do what one of the others said with the cases..

That code is easy to break, you simply make a script on your server that echos BAD CODE, that gets executed by your server and the user can do anything...