Ravens PHP Scripts: Forums
 

 

Dawg
RavenNuke(tm) Development Team


Joined: Nov 07, 2003
Posts: 910

Posted: Sun Sep 16, 2007 9:12 pm

Greetings All,
I am using the include function in several apps and I just wanted to make sure I am doing it correctly and securely.

Code:


<?php
  $path = 'pages/';
  $extension = '.php';
 
  if ( preg_match("#^[a-z0-9_]+$#i",$page) ){
    $filename = $path.$page.$extension;
    include($filename);
  }
?>


Does this look right or is there a better way?

Dave
 
Dawg
Posted: Mon Sep 17, 2007 5:55 am

I started playing around with this today and my first example I could not get to work....

Code:
<?php

$path="/full/path/to/script/";
if (getdomain($path) == 'yourdomain'){
     include($path.'somefile.php');
}
?>


I am going to try this one now....
 
Dawg
Posted: Mon Sep 17, 2007 5:56 am

but that is not going to work with a remote include.....back to the drawing board...
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

Posted: Mon Sep 17, 2007 6:14 am

The important thing to keep in mind is that you can use relative pathing, but it is relative to the original script that was requested via the browser. So, for example, if this is a nuke module, then the script which was requested was modules.php (unless include_path is being used - rare).

Another thing to keep in mind is variable scope. If you include a file within a function, for example, the variables and code become a part of that function's scope.

montego
Posted: Mon Sep 17, 2007 6:15 am

Sorry, forgot to mention a few other things:

Some hosts will restrict you from being able to include a file that is outside your web account, so if that is what you were trying to do in the first example, what was the error?

Also, many hosts restrict remote includes...
 
Dawg
Posted: Mon Sep 17, 2007 6:29 am

montego,
Thank you for replying; this really has me stumped!

I have the scripts working with a regular include. I am just trying to secure them against injection.

Code:


<?php
  $path = 'http://www.mysever.com/path1/path2/';
  $extension = '.php';
 
  if ( preg_match("#^[a-z0-9_]+$#i",$page) ){
    $filename = $path.$page.$extension;
    include($filename);
  }
?>


I would have thought that would work....but it doesn't....

Hackers are such a PITA!

Dawg
 
Dawg
Posted: Mon Sep 17, 2007 6:34 am

Would this stop them from injecting?

Code:



$myserver="http://www.mysever.com";
$path="/full/path/to/script/";
if ($myserver($path) == 'myserver'){
     include($myserver.$path.'somefile.php');
}
 
Dawg
Posted: Mon Sep 17, 2007 8:04 am

Ok I am officially STUCK!

I have an include that points at [link visible only to registered users]

I want to secure this against remote file attacks.

How do I do this?

Dawg
 
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

Posted: Mon Sep 17, 2007 9:04 am

Use base paths instead.

Example:
Let's say that a file you're including is in the same folder as this file. You would use
include_once(dirname(__FILE__).'/file.php');

If it's, let's say,
/html/blocks/file.php
and this file is
/html/modules/whatever/includer.php
include_once(dirname(dirname(dirname(__FILE__))).'/blocks/file.php');

This should help you stop anything that is not alphanumeric or a _
if (preg_match("/[^\w_\-]/i",$file)) {
    die('Invalid File Name');
}

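The base-path advice above combined with the name check from the first post, as an added example that is not part of the thread. It goes one step further than the posts by anchoring the pattern with `\z` and confirming with `realpath()` that the resolved file is still inside the base directory; the function name `resolve_page` and the temporary directory are assumptions.

```php
<?php
// Added example (not code from the thread): resolve an include target
// against a fixed base directory and refuse anything outside it.

/**
 * Returns the absolute path of $page inside $baseDir, or null if the
 * name is not acceptable. resolve_page() is a hypothetical helper.
 */
function resolve_page($baseDir, $page)
{
    // \z instead of $: in PCRE, $ also matches before a trailing newline.
    if (!is_string($page) || !preg_match('#^[a-z0-9_]+\z#i', $page)) {
        return null;
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $file === false) {
        return null; // base directory or page does not exist
    }
    // The resolved file must still live under the base directory
    // (catches symlinks that point somewhere else).
    if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Constructed sample layout: a temporary "pages" directory with one page.
$pages = sys_get_temp_dir() . '/pages_' . uniqid();
mkdir($pages);
file_put_contents($pages . '/weather.php', "<?php echo \"weather page\\n\";");

// Constructed sample inputs: one valid name and four that must be refused.
$samples = array('weather', "weather\n", '../config', 'http://example.com/x', 'missing');
foreach ($samples as $candidate) {
    $file = resolve_page($pages, $candidate);
    echo json_encode($candidate), ' => ', $file === null ? 'rejected' : 'accepted', "\n";
    if ($file !== null) {
        include $file; // only ever a real file under $pages
    }
}

unlink($pages . '/weather.php');
rmdir($pages);
```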
Dawg
Posted: Mon Sep 17, 2007 9:16 am

technocrat,

Thank You for the input but it is a remote file that I am including. I have a bunch of weather models that run on another server (my server....my models) and these includes bring in the files to be included in the site.

Problem one is getting rid of other sites that were using my stuff as their own....I fixed that. Now I am just trying to secure everything down tight to keep out the hackers.

Thank You again for your time and input cause I am STUCK!

Dawg
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Mon Sep 17, 2007 9:56 am

Dawg wrote:

I have the scripts working with a regular include. I am just trying to secure them against injection.

Code:


<?php
  $path = 'http://www.mysever.com/path1/path2/';
  $extension = '.php';
 
  if ( preg_match("#^[a-z0-9_]+$#i",$page) ){
    $filename = $path.$page.$extension;
    include($filename);
  }
?>


I would have thought that would work....but it doesn't....

Hackers are such a PITA!

Dawg


Your regular expression seems fine to me at first glance. If in doubt test it first before trying to use it in the include_once.

If instead you know in advance what "pages" you are going to call on the remote server you could forgo the regular expression and do something like:

Code:


$allowedPages = array('xyz', 'aaa', 'etc');
if (in_array($page, $allowedPages))
{
   include_once ...
}



Your host may not allow remote inclusion and maybe that is why it isn't working.

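The allowlist suggested above, carried through for the remote case as an added example that is not part of the thread. It reads the allowlisted page as data and prints it instead of passing a URL to `include`, so nothing the other server returns is parsed as PHP on this side; the page names, the function names and the temporary directory standing in for the remote server are assumptions.

```php
<?php
// Added example, not code from the thread.
// Assumption: page names and function names are placeholders.
$allowedPages = array('xyz', 'aaa');

/** Returns the fixed location of an allowlisted page, or null. */
function remote_page_url($base, array $allowed, $page)
{
    // Strict in_array(): before PHP 8, in_array(0, array('xyz')) is true.
    if (!is_string($page) || !in_array($page, $allowed, true)) {
        return null;
    }
    return rtrim($base, '/') . '/' . $page . '.php';
}

/** Fetches $url and returns the body as a string, or null on failure. */
function fetch_as_data($url)
{
    $ctx = stream_context_create(array('http' => array('timeout' => 5)));
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

// Constructed stand-in for the remote server so this runs offline: a temp
// directory with one page whose body contains a PHP tag.
$base = sys_get_temp_dir() . '/remote_' . uniqid();
mkdir($base);
file_put_contents($base . '/xyz.php', "<p>model output</p><?php echo 'not run'; ?>");

foreach (array('xyz', 'aaa', 'zzz', 0, 'http://other.example/x') as $page) {
    $url = remote_page_url($base, $allowedPages, $page);
    $body = $url === null ? null : fetch_as_data($url);
    // echo prints the body as text/markup; it is never parsed as PHP here.
    echo json_encode($page), ' => ', $body === null ? 'refused or missing' : $body, "\n";
}

unlink($base . '/xyz.php');
rmdir($base);
```

With an `http://` base, `file_get_contents()` needs `allow_url_fopen` enabled but not `allow_url_include`, which is the setting that governs remote `include`.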
Dawg
Posted: Mon Sep 17, 2007 10:53 am

Gremmie,
Thank You for your time. It works just fine with include...I just want to lock it down from the hackers.

Dave
 
Gremmie
Posted: Mon Sep 17, 2007 1:34 pm

Your code that I quoted looked fine. Why did you say it didn't work?
 
All times are GMT - 6 Hours
 