| Author |
Message |
Dawg
Life Cycles Becoming CPU Cycles
Joined: Nov 07, 2003
Posts: 564
|
 Posted:
Sun Sep 16, 2007 9:12 pm |
 
|
Greetings All,
I am using the include function in several apps and I just wanted to make sure I am doing it correctly and securely.
| Code: |
<?php
$path = 'pages/';
$extension = '.php';
if ( preg_match("#^[a-z0-9_]+$#i",$page) ){
$filename = $path.$page.$extension;
include($filename);
}
?>
|
Does this look right or is there a better way?
Dave |
|
|
|
|
Dawg
Life Cycles Becoming CPU Cycles
Joined: Nov 07, 2003
Posts: 564
|
| Posted:
Mon Sep 17, 2007 5:55 am |
|
I started playing around with this today and my first example I could not get to work....
| Code: | <?php
$path="/full/path/to/script/";
if (getdomain($path) == 'yourdomain'){
include($path.'somefile.php');
}
?> |
I am going to try this one now.... |
|
|
|
|
|
Dawg
Life Cycles Becoming CPU Cycles
Joined: Nov 07, 2003
Posts: 564
|
| Posted:
Mon Sep 17, 2007 5:56 am |
|
but that is not going to work with a remote include.....back to the drawing board... |
|
|
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 7487
Location: Arizona
|
| Posted:
Mon Sep 17, 2007 6:14 am |
|
The important thing to keep in mind is that you can use relative pathing, but it is relative to the original script that was requested via the browser. So, for example, if this is a nuke module, than the script which was requested was modules.php (unless include_path is being used - rare).
Another thing to keep in mind is variable scope. If you include a file within a function, for example, the variables and code become a part of that function's scope. |
|
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 7487
Location: Arizona
|
| Posted:
Mon Sep 17, 2007 6:15 am |
|
Sorry, forgot to mention a few other things:
Some hosts will restrict you from being able to include a file that is outside your web account, so if that is what you were trying to do in the first example, what was the error?
Also, many hosts restrict remote includes... |
|
|
|
|
|
Dawg
Life Cycles Becoming CPU Cycles
Joined: Nov 07, 2003
Posts: 564
|
| Posted:
Mon Sep 17, 2007 6:29 am |
|
montego,
Thank You for replying this really has me stumped!
I have the scripts working with a regular include. I am just trying to secure them againest injection.
| Code: |
<?php
$path = 'http://www.mysever.com/path1/path2/';
$extension = '.php';
if ( preg_match("#^[a-z0-9_]+$#i",$page) ){
$filename = $path.$page.$extension;
include($filename);
}
?>
|
I would have thought that would work....but it doesn't....
Hackers are such a PITA!
Dawg |
|
|
|
|
|
Dawg
Life Cycles Becoming CPU Cycles
Joined: Nov 07, 2003
Posts: 564
|
| Posted:
Mon Sep 17, 2007 6:34 am |
|
Would this stop them from injecting?
| Code: |
$myserver="http://www.mysever.com";
$path="/full/path/to/script/";
if ($myserver($path) == 'myserver'){
include($myserver.$path.'somefile.php');
}
|
|
|
|
|
|
|
Dawg
Life Cycles Becoming CPU Cycles
Joined: Nov 07, 2003
Posts: 564
|
| Posted:
Mon Sep 17, 2007 8:04 am |
|
Ok I am officialy STUCK!
I have an include that points at
I want to secure this againest remote file attacks.
How do I do this?
Dawg |
|
|
|
|
|
technocrat
Involved
Joined: Jul 07, 2005
Posts: 492
|
| Posted:
Mon Sep 17, 2007 9:04 am |
|
Use base paths instead.
example:
Lets say that a file your including is in the same folder as this file. You would use
include_once(dirname(__FILE__).'/file.php');
If it's lets say
/html/blocks/file.php
And this file is
/html/modules/whatever/includer.php
include_once(dirname(dirname(dirname(__FILE__)))).'/blocks/file.php');
This should help you stop anything that is not alphanumeric or a _
if (preg_match("/[^\w_\-]/i",$file)) {
die('Invalid File Name');
} |
|
|
|
|
|
Dawg
Life Cycles Becoming CPU Cycles
Joined: Nov 07, 2003
Posts: 564
|
| Posted:
Mon Sep 17, 2007 9:16 am |
|
technocrat,
Thank You for the input but it is a remote file that I am including. I have a bunch of weather models that run on another server (my server....my models) and these includes bring in the files to be included in the site.
Problem one is getting rid of other sites that were using my stuff as their own....I fixed that. Now I am just trying to secure everything down tight to keep out the hackers.
Thank You again for your time and input cause I am STUCK!
Dawg |
|
|
|
|
|
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2401
Location: Iowa, USA
|
| Posted:
Mon Sep 17, 2007 9:56 am |
|
| Dawg wrote: |
I have the scripts working with a regular include. I am just trying to secure them againest injection.
| Code: |
<?php
$path = 'http://www.mysever.com/path1/path2/';
$extension = '.php';
if ( preg_match("#^[a-z0-9_]+$#i",$page) ){
$filename = $path.$page.$extension;
include($filename);
}
?>
|
I would have thought that would work....but it doesn't....
Hackers are such a PITA!
Dawg |
Your regular expression seems fine to me at first glance. If in doubt test it first before trying to use it in the include_once.
If instead you know in advance what "pages" you are going to call on the remote server you could forgo the regular expression and do something like:
| Code: |
$allowedPages = array('xyz', 'aaa', 'etc');
if (in_array($page, $allowedPages))
{
include_once ...
}
|
Your host may not allow remote inclusion and maybe that is why it isn't working. |
|
|
|
|
|
Dawg
Life Cycles Becoming CPU Cycles
Joined: Nov 07, 2003
Posts: 564
|
| Posted:
Mon Sep 17, 2007 10:53 am |
|
Gremmie,
Thank You for your time. It works just fine with include...I just want to lock it down from the hackers.
Dave |
|
|
|
|
|
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2401
Location: Iowa, USA
|
| Posted:
Mon Sep 17, 2007 1:34 pm |
|
Your code that I quoted looked fine. Why did you say it didn't work? |
|
|
|
|
|
|
|
|
|
![[Valid RSS]](http://ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
:: 
::
