Ok, so, I currently have this.

<?php
if(!isset($GET['page']))
{
include('./home.php');
}
else
{
include("'./" . $GET['page'] . ".php'");
}
?>

I have two problems. How do I handle a page that doesn't exist? Since it's just modifying the variable, a 404 error page won't handle it.

Second.
Is there any way to remove the included document and add another? I really don't want to make the client refresh the page every time just to change a variable...

Thanks.

'file_exists' will handle the pages that don't exist.


<?php
if(!isset($_GET['page']))
{
include('./home.php');
}
else
{
if(file_exists("./".$_GET['page'].".php"))
{
include("./".$_GET['page'].".php");
}
else
{
include('./home.php');
}
}
?>


Note: I had to drop the single quote marks in the file_exist statement, and in you include.

Off the top of my head I can't see how you can change the variable in php without reloading the page, as php is a pre-processor, so all the work is done by the time it get's to the viewers browser. Unless you used frames, of course.

Hope this helps

Server-side *sigh* Ah well, I can deal with refreshing.

Thank you very much for the error code mort. I knew of the fileexists command...but I've not used it, so it kind of slipped to that 'it's there, but you'll never remember it, BWAHAHAHA' part of my brain ;).

Mort's given the simplest solution, however it may not always be productive to load the home page when a page doesn't exist. If somewhere you link to a non-existent page on your site, users who click it will get placed on the home page instead of the intended page which may get confusing. Also, any link-checking programs you use will not pickup on the incorrect URL.

You should probably return an error page with the appropriate error code when the page doesn't exist. You could always link to or meta-refresh the home page from there.

< Simon >

Your scrpit is *extremely* dangerous because user input is directly passed and included. Clients could view anyfile on the server by putting a known file path into the query string request..

For example, if a user requests your page:

http://yourpage.com/yourfile.php?page=/etc/passwd

Then PHP would output the MAIN password file on the server. A well configured server would prevent this, but there are still many other vulnerabilities opened with such a script.

No it's not, because every file has .php appended to it.

passwd.php will be the filename ;).

Besides, I just tested it, p=/etc/passwd and even went as far as /../../../etc/passwd

It's not possible.

Then the user can view any PHP file, include config files which contain MySQL username/passwords and directory structures. It is general consensus to avoid directly feeding user input into file includes or database queries, a simple strstr or regEX check on the $_GET variable can resolve this problem, so why not? Polishes your skills for future programming projects ;-)

~Q

I think you may be thinking about this differently. See, even if you visit what I'm working on ( http://test.zenenet.com/index.php?page=phpBB2/config ), you will NOT see my phpBB2 configuration. All you'll see it a blank page, because that's all the HTML that was rendered.

And if you go to page=phpBB2/adm/index, you will NOT get to my admin page, because it's not being called from the proper page/directory.

I employ the same tactics as phpBB, in that, if you attempt to view a page directly, it will die on a 'Hacking Attempt'.

Any other suggestions? (If you can indeed find a vulnerability, I will thank you greatly, but currently, neither of these are valid.)

I used dodo's script for dynamic inclusion (http://regretless.com/scripts/basics.php?dynamic_inclusion_1). It's safe because you specify the base directory, anything outside that directory will not be displayed:


<?php
// make sure it's a file in this particular directory
$z = basename($z);
// make php extension for it
$z .= ".php";
include($z);
?>

...that just broke everything, and I know why...I think.

I'm sorry, I didn't realize it was being used with phpBB, which has it's own security measures. Given just the code snipet you posted, I thought it was a quick custom-script for some simple templating for your site.

Also, include() takes querystrings (I think it accepts them, but then ignores them), thus a user can add a ?bogusvar= into the string, causing the '.php' to turn into part of a query string. Obviously phpBB will block that, but again, I thought it was a quick script.

Most of the time, you're not the one to find your own vulnerabilities, you just have to code along certain safe conventions =\

Pollute-Me: Your snippet only allows includes in the same folder, I think the correct implementation should allow access to all child directories too.

~Q

Does the fact that he used

if(file_exists("./".$_GET['page'].".php"))


.....


not mean that you can not do sfile.php?.php

the file must exist on the machine for the code to run. So is it still a risk? (although personally I would never use such a risky coding style).

SO the question is, how would one get around file_exists() ?

Pete :)