Im doing a game and i created an "administration" panel for it.
it works like this:
admin.php
admin/code1.php
admin/code2.php
admin.php:
<?php
include("lib.php");
$player = check_user($secret_key, $db);
if($player->rank != "Administrador")
{
header("Location: personagem.php");
exit;
}
include("templates/private_header.php");
head("Admin Panel","adminpanel.png");
startbox();
if(isset($_GET['page']))
{
include("admin/" . $_GET['page'] . ".php");
}
else
{
?>
Kill Players<br>
Heal Players<br>
<?php
}
endbox();
include("templates/footer.php");
?>
i want to know if im prone to hacking.
the code1.php and code2.php uses a custom query library that is included in lib.php so there is no way to execute them directly without falling in to an error.
Also in My template i have:
if($player->rank == "Administrador")
{
echo "<a href='admin.php'>Admin Panel</a>";
}
so i can access the panel more quickly.There is risk in there too?
Just note that $player is a object created from a query to the player Database that represents the actual player. In my thoughts the only way to hack this is changing they "rank" status in the table to "Administrador" am i right? or there is something i let pass?
Thanks in advance
include("admin/" . $_GET['page'] . ".php");
This is a huge security hole.
Something like blah.php?page=../../../../etc/passwd%00 would include /etc/password and of course you can also do this with other files - maybe even some files uploaded by the user that contain PHP code (could be even an image as long as it contains <?php [code] somewhere)
And even if only you are administrator, not closing holes like that would not be wise - you might have other administrators at some point.
Never trust user input
Never work with any of $_GET $_POST, $_COOKIE without verifying them first (or anything else user-generated for that matter, even stuff from your own database might be dangerous).
include("admin/" . $_GET['page'] . ".php");
Don't do this. otherwise you can include any file you want. I suggest you whitelist all allowed pages to be included like so:
$allowed = array("admin_index", "page1", "page2");
if(in_array($_GET['page'], $allowed)){
include("admin/" . $_GET['page'] . ".php");
}
else{
// perform error handling
}
Here's a useful function that you could take a look at, if you don't want to whitelist all pages: basename() - this will always only return the filename part, without any directory-changing part.
Furthermore, I do not recommend you work with includes like this at all, but rather have some Controller-hierarchy that can decide what to do on each request.
What about the authentication?
Show us your code for the authentication. That's a crucial part of your system that needs to be secure.
Related
I am somewhat a newby at PHP ... so what im trying to do is to get the the page using the following code
<?php include $_GET['topic']; ?>
to get the url like this http://ulixtxteditor.org/entities/helpCentre?topic=credits
that much works great for me however if no page is found i would like to use the else statement to display an error instead of a blank page. What should I do? ex: http://ulixtxteditor.org/entities/helpCentre?topic= so this part would display an error?
<?php if(isset){include $_GET['topic'];} else {echo "error"} ?>
I tried this but it wont work.
Use something like this:
<?php
// In case topic parameter wasn't provided you will have fallback.
$topic = isset($_GET['topic']) ? $_GET['topic'] : '';
// Now you can check topic and have valid file name.
switch ($topic) {
case 'credits':
$fileName = 'credits.php';
break;
default:
$fileName = 'index.php';
break;
}
// Now it is possible safely include file.
include __DIR__ . DIRECTORY_SEPARATOR . $fileName;
Using $_GET['topic'] directly in include or require construction is unsafe because you vulnerable to "Directory traversal attack". Moreover you always must validate input parameters with purpose avoid include in php script css files etc...
<?php include $_GET['topic']; ?>
Don't do that. It creates a massive and easily-exploited security vulnerability.
For example:
?topic=index.php -- creates an infinite loop
?topic=/etc/passwd -- displays sensitive data from the server
?topic=/proc/self/environ -- executes code from the process environment. This will frequently include user-controlled data like the values of HTTP headers, allowing for remote code execution.
Your site will be exploited if you implement this. There are numerous bots which scan public web sites for this vulnerability, many of which will attempt to exploit it automatically upon detection.
If you want to include a file based on the value of a GET variable, use switch($_GET['topic') to define the acceptable values of that variable. This will also allow you to implement error handling as a default: clause.
This is a fairly common way of implementing a simple junction box/router. Use a switch statement.
$topic = isset($_GET['topic']) ? $_GET['topic'] : '';
switch ($page) {
case 'credit':
case 'otherpage':
case 'otherpage2':
require_once(dirname(__FILE__) . '/' . $page . '.php');
break;
default
require_once(dirname(__FILE__) . '/' . 'default.php');
}
You whitelist your pages/topics by adding a case statement at the top for each, and anything that doesn't match or have a page is processed by loading the default page.
In this example, I assume all the topic pages are in the same directory as this script (typically named index.php).
I have written a script, to redirect the users who visit my website,
http://localhost/ghi/red.php?go=http://www.google.com
When theres URL like above my script grabs the go variable value and checks whether its there on my database table as a trusted site if so it redirects to the site. In this occurance the redirection should take place even for sub domains
as an example even if the "go" variable has a value like www.google.com/images the redirection should take place if www.google.com is there in the trusted sites table.
I do that by using PHP INDEX OF function as below
$pos = strrpos($trusted_sites, $go_value);
this works fine, But there is a problem that i accidentally came across...
Which is even if the go variable has a value like www.google.comqwsdad it still redirects the user to www.google.com
this is a serious bug any help would be highly appreciated on how to avoid redirecting to wrong urls
If you want such redirect from a whitelist of sites. First build of the whilelist in an array. Then you can compare them using in_array() from the $_GET['go']. Consider this example:
// sample: http://localhost/ghi/red.php?go=http://www.google.com/images
if(isset($_GET['go'])) {
$go = $_GET['go'];
$url = parse_url($go);
$go = $url['host'];
$scheme = $url['scheme'];
$certified_sites = array('www.imdb.com', 'www.tomshardware.com', 'www.stackoverflow.com', 'www.tizag.com', 'www.google.com');
if(in_array($go, $certified_sites)) {
header("Location: $scheme://$go");
exit;
} else {
// i will not redirect
}
}
The "correct" way is to us an array of sites (or even a database), then use in_array.
<?php
$trusted_sites=array("http://www.google.com","http://www.yahoo.com");
if (in_array("http://www.google.com",$trusted_sites)) {
print "Ok\n";
} else {
print "Bad site\n";
}
A quick way of cheating, which I use from time to time, is to make sure you have a separator (e.g. a space) as the first and last character of your $trusted_sites, then add the separator to the beginning and end of your $go_value.
<?php
$trusted_sites="http://www.google.com http://www.yahoo.com";
$go="http://www.google.com";
if (strpos(" $trusted_sites "," $go ")===False) {
print "Bad site\n";
} else {
print "Ok\n";
}
In this example, I've added the separator (a space) to the beginning and end of both variables, inside the strpos(); in the case of $trusted_sites, I could have put them in the initial declaration instead.
For instance, I have viewpost.php and it's set up as needed and I only need to change the content within divs in there.
For example, I'm going to have to do viewpost.php?id=1,2,3 etc. But should I do EVERYTHING off index.php using index.php?action=viewpost&id=1?
Then also, do I use if statements, or do I communicate with my database using those get requests?
Overall, I plan to use modrewrite anyway, but I am clueless on the proper way to set up loading multiple pages off one, or a few php files.
I have a template and I just need to fill it using database data.
Easiest way is something very basic like this (Not very secure though)
$page = $_GET["action"];
if($page == null)
{
$page = "main";
}
if (file_exists("content/$page.php"))
{
include ("content/$page.php");
}
else
{
include ("includes/404.php");
}
A better solution is to use something like http://www.smarty.net/ to handle templating and content loading. Slightly more complicated, but most likely worth the extra effort if you're doing anything beyond a very simple website.
index.php?action=viewpost&id=1 this code in index:
if(isset($_GET['action']) && isset($_GET['id']))
{
$id = $_GET['id'];
if($action == "viewpost")
{
// action is viewpost
if(!ctype_digit($id))
{
// id isnt digit
die();
}
else
{
// viewpost
include('viewpost.php');
}
}
viewpost.php could look like:
just to be sure nothing bad happens when going right to viewpost.php you could see in the url if viewpost.php exists, or just do the security here (!ctype_digit($_GET['id']))
// since its already been secured with !ctype_digit, we can run queries right away
$q_findPost = mysqli_query($mysqli, "SELECT * FROM posts WHERE id=$id");
$r = mysqli_fetch_assoc($q_findPost);
// div stuff
I'm working on a page where I've listed some entries from a database. Although, because the width of the page is too small to fit more on it (I'm one of those people that wants it to look good on all resolutions), I'm basically only going to be able to fit one row of text on the main page.
So, I've thought of one simple idea - which is to link these database entries to a new page which would contain the information about an entry. The problem is that I actually don't know how to go about doing this. What I can't figure out is how I use the PHP code to link to a new page without using any new documents, but rather just gets information from the database onto a new page. This is probably really basic stuff, but I really can't figure this out. And my explanation was probably a bit complicated.
Here is an example of what I basically want to accomplish:
http://vgmdb.net/db/collection.php?do=browse<r=A&field=&perpage=30
They are not using new documents for every user, they are taking it from the database. Which is exactly what I want to do. Again, this is probably a really simple process, but I'm so new to SQL and PHP coding, so go easy on me, heh.
Thanks!
<?php
// if it is a user page requested
if ($_GET['page'] == 'user') {
if (isset($_GET['id']) && is_numeric($_GET['id'])) {
// db call to display user WHERE id = $_GET['id']
$t = mysql_fetch_assoc( SELECT_QUERY );
echo '<h1>' . $t['title'] . '</h1>';
echo '<p>' . $t['text'] . '</p>';
} else {
echo "There isn't such a user".
}
}
// normal page logic goes here
else {
// list entries with links to them
while ($t = mysql_fetch_assoc( SELECT_QUERY )) {
echo '<a href="/index.php?page=user&id='. $t['id'] .'">';
echo $t['title'] . '</a><br />';
}
}
?>
And your links should look like: /index.php?page=user&id=56
Note: You can place your whole user page logic into a new file, like user.php, and include it from the index.php, if it turns out that it it a user page request.
Nisto, it sounds like you have some PHP output issues to contend with first. But the link you included had some code in addition to just a query that allows it to be sorted alphabetically, etc.
This could help you accomplish that task:
www.datatables.net
In a nutshell, you use PHP to dynamically build a table in proper table format. Then you apply datatables via Jquery which will automatically style, sort, filter, and order the table according to the instructions you give it. That's how they get so much data into the screen and page it without reloading the page.
Good luck.
Are you referring to creating pagination links? E.g.:
If so, then try Pagination - what it is and how to do it for a good walkthrough of how to paginate database table rows using PHP.
I want url's like index.php?showuser=512, index.php?shownews=317 for pages i get content from db... and for regular pages index.php?page=about and so on WITHOUT mod-rewrite.
Invision Power Board has urls like this. I have looked through their code but I can't figure out how they do it.
I could do it like this:
if (ctype_digit($_GET['shownews'])) include('shownews.php');
elseif (ctype_digit($_GET['showuser'])) include('showuser.php');
// regular pages
elseif ($_GET['page'] == 'about') include('about.php');
elseif ($_GET['page'] == 'help') include('help.php');
elseif ($_GET['page'] == 'login') include('login.php');
But this feels too messy.
Just curious how IPB does this. Is there a better way do to this? WITHOUT any mod-rewrite. Any one know? I doubt they do it like the above.
I can't do:
if (preg_match('/^[a-z0-9]+$/', $_GET['page'])) include('$_GET['page']');
Then I would get links like index.php?showuser&id=512 and that I dont like. (i know its not safe just showing the princip)
I like it this way, it's not the best but i like it so please be quiet about template engines, frameworks etc. Just be kind and answer my question... I just want to know how IPB does this.
Thanks
Tomek
I don't know how IPB does this, let's get that out of the way. But, this is how I would approach this problem:
First, I recognize that there are two kinds of GET parameters: page/identifier, and just page. These would get tested separately.
Second, I recognize that all all get parameters match their filenames sans the php-suffix, so we can use this to our advantage.
One of the most important things to remember is to never let GET-parameters affect our code unsanitized. In this case, we know which types of pages we can and want to show, so we can create a white-list out of these.
So, onto the pseudo-y dispatcher code:
$pagesWithId = array("shownews", "showuser", "showwhatever");
$justPages = array("about", "help", "login");
foreach ($pagesWithId as $page) {
if (isset($_GET[$page])) {
$id = (int)$_GET[$page];
include($page.'.php');
die();
}
}
if (in_array($_GET['page'], $justPages)) {
include($_GET['page'].'.php');
die();
}
// page not found
show404OrHandleOtherwise();
For pages you just use a simple array.
if (isset($pages[$_GET['page']])) include $pages[$_GET['page']];
For shownews=317 You could make a simple conversion in your app. Depending on how you want to prioritize page or shownews etc:
if (isset($pages[$_GET['page']])) {
include $pages[$_GET['page']];
} else {
$possiblePages = array_filter(array_intersect_key($_GET, $pagesWithId), 'ctype_digit');
if (!empty($possiblePages)) {
$id = reset($possiblePages);
$pageName = key($possiblePages);
$page = $pagesWithId[$pageName];
include $page;
} else {
//no valid pages
}
}
Note: page "names" are array keys, and the value is the path, file and extension to include. More customizable.