Dawg
RavenNuke(tm) Development Team
Joined: Nov 07, 2003
Posts: 928
Posted: Sun Sep 16, 2007 9:12 pm
Greetings All,
I am using the include function in several apps and I just wanted to make sure I am doing it correctly and securely.
Code:
<?php
$path = 'pages/';
$extension = '.php';
if ( preg_match("#^[a-z0-9_]+$#i",$page) ){
$filename = $path.$page.$extension;
include($filename);
}
?>
Does this look right or is there a better way?
Dave
Dawg
Posted: Mon Sep 17, 2007 5:55 am
I started playing around with this today and I could not get my first example to work....
Code:
<?php
$path="/full/path/to/script/";
if (getdomain($path) == 'yourdomain'){
include($path.'somefile.php');
}
?>
I am going to try this one now....
Dawg
Posted: Mon Sep 17, 2007 5:56 am
But that is not going to work with a remote include.....back to the drawing board...
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Mon Sep 17, 2007 6:14 am
The important thing to keep in mind is that you can use relative pathing, but it is relative to the original script that was requested via the browser. So, for example, if this is a nuke module, then the script which was requested was modules.php (unless include_path is being used - rare).
Another thing to keep in mind is variable scope. If you include a file within a function, for example, the variables and code become a part of that function's scope.
_________________ Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more...
montego
Posted: Mon Sep 17, 2007 6:15 am
Sorry, forgot to mention a few other things:
Some hosts will restrict you from being able to include a file that is outside your web account, so if that is what you were trying to do in the first example, what was the error?
Also, many hosts restrict remote includes...
Dawg
Posted: Mon Sep 17, 2007 6:29 am
montego,
Thank you for replying, this really has me stumped!
I have the scripts working with a regular include. I am just trying to secure them against injection.
Code:
<?php
$path = 'http://www.mysever.com/path1/path2/';
$extension = '.php';
if ( preg_match("#^[a-z0-9_]+$#i",$page) ){
$filename = $path.$page.$extension;
include($filename);
}
?>
I would have thought that would work....but it doesn't....
Hackers are such a PITA!
Dawg
Dawg
Posted: Mon Sep 17, 2007 6:34 am
Would this stop them from injecting?
Code:
$myserver="http://www.mysever.com";
$path="/full/path/to/script/";
if ($myserver($path) == 'myserver'){
include($myserver.$path.'somefile.php');
}
Dawg
Posted: Mon Sep 17, 2007 8:04 am
Ok, I am officially STUCK!
I have an include that points at [ Only registered users can see links on this board! Get registered or login! ]
I want to secure this against remote file attacks.
How do I do this?
Dawg
technocrat
Life Cycles Becoming CPU Cycles
Joined: Jul 07, 2005
Posts: 511
Posted: Mon Sep 17, 2007 9:04 am
Use base paths instead.
Example:
Let's say that a file you're including is in the same folder as this file. You would use
include_once(dirname(__FILE__).'/file.php');
If it's, let's say,
/html/blocks/file.php
and this file is
/html/modules/whatever/includer.php
include_once(dirname(dirname(dirname(__FILE__))).'/blocks/file.php');
This should help you stop anything that is not alphanumeric or a _
if (preg_match("/[^\w_\-]/i",$file)) {
die('Invalid File Name');
}
_________________ Nuke-Evolution
phpBB-Evolution / phpBB-Evolution Blog
Dawg
Posted: Mon Sep 17, 2007 9:16 am
technocrat,
Thank You for the input but it is a remote file that I am including. I have a bunch of weather models that run on another server (my server....my models) and these includes bring in the files to be included in the site.
Problem one is getting rid of other sites that were using my stuff as their own....I fixed that. Now I am just trying to secure everything down tight to keep out the hackers.
Thank You again for your time and input cause I am STUCK!
Dawg
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
Posted: Mon Sep 17, 2007 9:56 am
Dawg wrote:
I have the scripts working with a regular include. I am just trying to secure them against injection.
Code:
<?php
$path = 'http://www.mysever.com/path1/path2/';
$extension = '.php';
if ( preg_match("#^[a-z0-9_]+$#i",$page) ){
$filename = $path.$page.$extension;
include($filename);
}
?>
I would have thought that would work....but it doesn't....
Hackers are such a PITA!
Dawg
Your regular expression seems fine to me at first glance. If in doubt test it first before trying to use it in the include_once.
If instead you know in advance what "pages" you are going to call on the remote server you could forgo the regular expression and do something like:
Code:
$allowedPages = array('xyz', 'aaa', 'etc');
if (in_array($page, $allowedPages))
{
include_once ...
}
Your host may not allow remote inclusion and maybe that is why it isn't working.
_________________ GCalendar - An Event Calendar for PHP-Nuke
Member_Map - A Google Maps Nuke Module
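The following is an added example, not code posted in this thread or shipped by RavenNuke: it puts technocrat's base-path plus name-filter advice and Gremmie's allow-list together into one local page loader. It assumes the pages live in a pages/ directory beside the script; the page names, the PAGE_DIR constant and the resolve_page() function are my own.

```php
<?php
// Added example: hardened local include combining a base path, a strict
// name filter and an allow-list. Assumed layout: ./pages/<name>.php
declare(strict_types=1);

const PAGE_DIR      = __DIR__ . '/pages';            // base path, never from input
const ALLOWED_PAGES = ['home', 'weather_models', 'about']; // constructed allow-list

/**
 * Resolve a user-supplied page name to an absolute file under PAGE_DIR,
 * or return null if anything about it looks wrong.
 */
function resolve_page(string $page): ?string
{
    // 1. Shape check: letters, digits and underscore only, so "../",
    //    "http://", NUL bytes and other separators are rejected up front.
    if (!preg_match('/^[a-z0-9_]{1,64}$/i', $page)) {
        return null;
    }
    // 2. Allow-list: the name must be one we actually ship (strict compare).
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Path check: resolve symlinks, then confirm the result is inside
    //    PAGE_DIR, so a stray symlink or misconfiguration cannot escape it.
    $candidate = realpath(PAGE_DIR . '/' . $page . '.php');
    $base      = realpath(PAGE_DIR);
    if ($candidate === false || $base === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
$file = resolve_page($page);
if ($file === null) {
    http_response_code(404);
    exit('Invalid page');
}
// Include at file scope: inside a function the included file's variables
// would be confined to that function (montego's scope remark above).
include_once $file;
```

Because the base path is a constant built from __DIR__ rather than from the request, no value in $page can turn this into a remote include even where allow_url_include is on.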
Dawg
Posted: Mon Sep 17, 2007 10:53 am
Gremmie,
Thank You for your time. It works just fine with include...I just want to lock it down from the hackers.
Dave
Gremmie
Posted: Mon Sep 17, 2007 1:34 pm
Your code that I quoted looked fine. Why did you say it didn't work?