I was using this piece of php code for a site.
Now its old and I recently had a few attacks. Script was used for to include another file from someplace else and send spam. Obviously this makes my script as spam sender.
for the content
$htm = ".htm";
$pid = "$details$htm";
function show_details($pid)
{
if (!preg_match("/http/", $pid)) {
require($pid);
} else {
die;
}
}
and for the title, desc , keywords etc..
$txt = ".txt";
$title = "$details$txt";
function show_title($title)
{
if (!preg_match("/http/", $title)) {
if (file_exists($title)) {
require($title);
} else {
die;
}
}
}
and a display.php file with
print '
<!-- CONTENT -->
';
show_details("$pid");
print '
by this code ı was able to call any content by "/display.php?details=mycontentpage"
mycontentpage.htm
mycontentpage.txt
.............
Now this code has to be re-coded .. I can not change the construction as the site is just too big.
So I guess I just have to stick to this..
Can anyone help ? Any comments ?
To make scripts like this more secure, you have to ensure register_globals is set to OFF. This means you'll have to add a line like:
php_flag register_globals off
...To .htaccess. Then, declare all your user variables the first time you use them like:
$details = $_GET['details']
...Which assigns the data from the URI piece "details" to the PHP variable $details.
I can very much see how your attackers were able to get in via your code and register_globals set to on -- they'd need to merely create a .htm file with PHP code in it that reassigns other variables, include it, then viola.
For more info, see:
http://us2.php.net/manual/en/security.globals.php
Hope this helps!
Related
My code of file.php:
<?php
if(!isset($_GET['filename']) OR $_GET['filename'] == NULL) {
print("Error!");
exit();
}
$_GET['filename'] = htmlentities($_GET['filename'], ENT_QUOTES, "utf-8");
session_start();
include_once("/var/www/html/get.php");
for($i = 0; $i < $GLOBALS['files']['ile']; $i++) {
if($GLOBALS['files'][$i]['name'] == $_GET['filename']) {
if($GLOBALS['files'][$i]['priv'] == NULL OR $GLOBALS['files'][$i]['owner'] == $_SESSION['id'] OR (isset($_SESSION['privs']) AND in_array($GLOBALS['files'][$i]['priv'], $_SESSION['privs']))) {
if(file_exists($GLOBALS['files'][$i]['loc'])) {
header("Content-length: ".filesize($GLOBALS['files'][$i]['loc']));
header("Content-type: ".mime_content_type($GLOBALS['files'][$i]['loc']));
readfile($GLOBALS['files'][$i]['loc']);
} else {
print("Can't find that file!");
}
}
}
}
?>
In get.php file, I loads (from database) information about files I wanted to have access using that file above in site.
$_SESSION['privs'] //it's an array that holds privileges, i.e: site.priv.mess
$GLOBALS['files'] //holds info about all files that user can load, i.e: $GLOBALS['files'][0]['name'] is a name of first file in array
$GLOBALS['files'][0]['loc'] //holds info about first file localisation
$GLOBALS['files']['ile'] // holds sizeof($GLOBALS['files'])
With pictures that works well, but if I try to load larger file, i.e. video that weights 300MB, then file loads, all looks good, but if I reloads site, it won't work anymore...
I tried to delete my cookies in browser (to change my session ID) and it works... But what can I do to make it works better?
EDIT: On Firefox all looks good, only freezes on Chrome :(
EDIT2: Closing session with: session_write_close(); before reading file fixed my curse :P Thanks y'all
Check your php.ini or use phpinfo() to check your values for upload_max_filesize, post_max_size and memory_limit. Maybe also check the max execution time of the php script.
This is my code in index.php
include ($_GET['page']);
Actully i need to include page from url like
"?page=go.php"
on the other-hand i can not filter
"?page=example.com"
as for some case i need to include this value also. But this is a remote file inclusion (RFI) vulnerability. how can i prevent RFI attack from my site?
I am doing something like
$filename = $_GET['page'];
if (file_exists($filename)) {
{
include ($_GET['page']);
}
But it filters only
"?page=go.php"
this shorts of page.
And i am sucked with
"?page=example.com"
this shorts of page.
If I understand the question correctly; You could setup an array with 'allowed' pages such as:
$allowedPages = array('go.php', 'stop.php', 'file.php');
$filename = $_GET['page'];
if(in_array($filename, $allowedPages) && file_exists($filename)){
include ($filename);
}else{
//output error
}
I think this answer is too late, but for those who might search for this problem, I guess it can be done like this, too:
1.Define a constant with full path.
2.Define a white-list of allowed pages.
3.Get the $_GET variable, and convert it to lower case.
4.Then if the page returned by $_GET variable is in your white-list array, then require it, otherwise, redirect the user to the home page, and display an error message.
<?php
# this is abcd.php
define('SITE','http://www.yoursite.com/');
$allow = [SITE.'1.php', SITE.'2.php', SITE.'3.php'];
$get = strtolower(SITE.$_GET['page']);
if(in_array($get,$allow)){
include $get;
} else {
header('Location: index.php?param=incorrect');
}
?>
<?php
# this is index.php
if(isset($_GET['param']) && $_GET['param'] == 'incorrect'){
?>
<script type="text/javascript">
alert("INCORRECT PARAMETER PROVIDED");
</script>
<?php
} else die('ERROR');
I'm not 100% sure this will work without any probs, but I guess is a good start and you can play around with it and figure out what's suitable for you.
To be honest, your method of creating a dynamic website is definitely not the way to go.
To answer within the scope of this question, you'd do something like the following:
You'd have to set up a whitelist of files that are**ALLOWED** to be included through this function.
That could look something like this:
<?php
$whitelist = array(
'file1.php',
'file2.php',
'file3.php',
'file4.php',
'file5.php',
);
?>
Now before including the said file, you'd run a check with in_array()
<?php
if(in_array($_GET['page'] . '.php', $whitelist) && file_exists($_GET['page'] . '.php')) {
include($_GET['page'] . '.php');
}
?>
This, as you can see is not very pretty!
Another alternative would be doing something like:
<?php
$file = strtolower($_GET['page']) . '.php';
if(isset($whitelist[$file]) && file_exists($file)) {
include($_GET['page'] . '.php');
}
?>
Don't accept a page.php parameter, but just the name of the file.
"?page=go"
Then check if $_REQUEST["page"] is alphanumeric
if (ctype_alnum($_REQUEST["page"]))
And just don't give non-alpha-numeric names to your files.
Then do if file_exists on $_REQUEST["page"] and you should be quite good.
PS
$_REQUEST["page"] is about the same with $_GET["page"], it just intersects with $_POST
You can filter other domain urls instead of filtering files.
If parameter contains a hostname less than 3 letters, it is fine as no domain is 2 letters.
$tmp= parse_url ($_GET['page']);
if(strlen($tmp['host'])<3)
include($_GET['page']);
If there are some trusted hosts then you can validate them too.
I'm working with a page that, once a link is called this script checks and if the POST contains the keyword it and then finds that page. However no matter how I organize this if it doesn't work.
<?PHP
if($_POST['page']) {
$page = (int)$_POST['page'];
$exists = file_exists('pages/page_'.$page.'html');
if($exists) {
echo file_get_contexnts('pages/page_'.$page.'html');
} else {
echo 'There is no such page!';
}
} else if ($_POST['course']) die("0"); {
$course = (int)$_POST['course'];
$exists = file_exists('courses/course_'.$course.'html');
if($exists) {
echo file_get_contexnts('courses/course_'.$course.'html');
die("1");
} else {
echo 'There is no such page!';
}
}
?>
The error I'm currently receiving with this setup is:
Notice: Undefined index: course in C:\wamp\www\Home Page\load_page.php on line 12
Call Stack
# Time Memory Function Location
1 0.0003 253944 {main}( ) ..\load_page.php:0
Is it because there is no 'course' in the page? I might be confused of the code I'm modifying a tutorial of a simple ajax website. It is possible what I am trying to do does not work.
In that case how could I possible go about doing what I want to do.
Right now I have a home page and it loads in another page without switching pages. I like the floridness of it. I would like to have a sort of sub call. So if you are on the home page and you go to courses page then you can click on a specific course and that will load from a different directory within the courses directory.
Homepage (when you click on courses you go to...)
pages/courses_home.html (when you click on a course you go to...)
courses/course_1.html (you can view course and then click back to directory above or go to home)
That is the structure I'm looking to try to achieve.
If more information is needed please let me know what and I'll do my best to include it. Thank you.
The syntax should be:
if(isset($_POST["page"])) {
} elseif(isset($_POST["course"])) {
}
I am not sure why you have a die statement there, but I don't think it belongs. Also, keep in mind the logic for what happens if neither of these conditions is met.
Edit: also keep in mind that isset doesn't prevent empty strings, so you may want to check for that as well. A function you could use is
function checkPost($value) {
return isset($_POST[$value]) && $_POST[$value] !== "";
}
To use:
if(checkPost('page')) {
//some logic
}
Wrong syntax.
elseif ($_POST['course']) {
without die statement.If 'course' undefined else statement works and does not get error. Sorry for bad English.
Try this:
if isset(($_POST['page'])) {
...
} else if isset(($_POST['course'])) die("0"); {
instead of this:
if($_POST['page']) {
...
} else if ($_POST['course']) die("0"); {
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Improve this question
Im trying to build a single page that gets content using "file_get_contents" function, I have managed this part. The content ends up in a variable called $content. The idea is to get an alert (by sound) when the content changes.
What I have faild at is the part where I compare the old value for $content with the new one. Somehow I must keep the old value and compare it with the new one and when I reload the page I would like to get an alert if $content has changed. I was thinking I should use sessions for this comparison.
This is what I got:
<?php
session_start();
$_SESSION['red'] = $red;
if($red != $content) {echo "ALERT" . $content = $_SESSION['red'];}
if($red == $content) {echo "Same";}
It is not working, probably looks like crap since I have no clue what im doing really :)
Below is the code for setting the $content variable:
$page = file_get_contents('data.htm');
if ( preg_match ( '/<a tabindex="50" class="item_link".*?a>/s', $page, $matches ) )
{
foreach ( $matches as $key => $content )
{
echo $key . ' => ' . $content . '<br /><br />';
}
}
else
{
echo 'No match';
}
?>
For the Alert sound I found a script;
<script>
var audio = document.createElement('audio');
document.body.appendChild(audio);
audio.src = 'http://rpg.hamsterrepublic.com/wiki-images/2/21/Collision8-Bit.ogg';
setInterval(function(){audio.play();}, 5000);
</script>
Need help activating this script if the $content has changed, also to make it only play once.
I commend your self-efacing attitude.:)
One problem, I think, is the way you've written your if statement(s):
if($red != $content) {echo "ALERT" . $content = $_SESSION['red'];}
if($red == $content) {echo "Same";}
Firstly, the '.' after echo "ALERT" should, I think be a ';'.
Secondly, use an else rather than the 2 if statements. Why write more code than you need to and (more importantly) the assignment in your first if makes your second if true!!
Also, I think you want to be making $red = $_SESSION['red'] at the start, then make $_SESSION['red'] = $content.
Finally, use strcmp() instead of == or != (strcmp() is more reliable for comparing strings - remember it returns false when the strings match though).
So, you end up with:
<?php
session_start();
$red=(array_key_exists('red',$_SESSION)?$_SESSION['red']:'');
... set up $content
if(strcmp("$red","$content") )
{ // what you've previously read doesn't match the new content
echo "ALERT";
// escape back to the html to do the sound stuff
?>
<script>
var audio = document.createElement('audio');
document.body.appendChild(audio);
audio.src = 'http://rpg.hamsterrepublic.com/wiki-images/2/21/Collision8-Bit.ogg';
setInterval(function(){audio.play();}, 5000);
</script>
<?php
$_SESSION['red'] = $content;
// so now they both match the new content
// - so will give "same" next time round
} else {
echo "Same";
}
...
Try this out.
First, you must consider that to re-run your PHP code, your page needs to refresh.
To achieve this, you may use the classic html refresh through meta tag (I suppose you want just get things done, otherwise you need some tutorials to understand better what you are doing).
Second, you can store the content of data.htm in a file on the server (it's not clever how data.htm is supposed to change, I imagine through FTP or something similar, if it should change through browser, notice that it's a completely different story and you have to follow some tutorials).
After you have done this, you can just compare file_get_contents result with the stored file and check if they are not the same. If they are not, print out your javascript code to have your page ring and replace the content of the file with the new fetched contents (otherwise will keep ringing).
No sessions in this way.
I have to show a page from my php script based on certain conditions. I have an if condition and am doing an "include" if the condition is satisfied.
if(condition here){
include "myFile.php?id='$someVar'";
}
Now the problem is the server has a file "myFile.php" but I want to make a call to this file with an argument (id) and the value of "id" will change with each call.
Can someone please tell me how to achieve this?
Thanks.
Imagine the include as what it is: A copy & paste of the contents of the included PHP file which will then be interpreted. There is no scope change at all, so you can still access $someVar in the included file directly (even though you might consider a class based structure where you pass $someVar as a parameter or refer to a few global variables).
You could do something like this to achieve the effect you are after:
$_GET['id']=$somevar;
include('myFile.php');
However, it sounds like you are using this include like some kind of function call (you mention calling it repeatedly with different arguments).
In this case, why not turn it into a regular function, included once and called multiple times?
An include is just like a code insertion. You get in your included code the exact same variables you have in your base code. So you can do this in your main file :
<?
if ($condition == true)
{
$id = 12345;
include 'myFile.php';
}
?>
And in "myFile.php" :
<?
echo 'My id is : ' . $id . '!';
?>
This will output :
My id is 12345 !
If you are going to write this include manually in the PHP file - the answer of Daff is perfect.
Anyway, if you need to do what was the initial question, here is a small simple function to achieve that:
<?php
// Include php file from string with GET parameters
function include_get($phpinclude)
{
// find ? if available
$pos_incl = strpos($phpinclude, '?');
if ($pos_incl !== FALSE)
{
// divide the string in two part, before ? and after
// after ? - the query string
$qry_string = substr($phpinclude, $pos_incl+1);
// before ? - the real name of the file to be included
$phpinclude = substr($phpinclude, 0, $pos_incl);
// transform to array with & as divisor
$arr_qstr = explode('&',$qry_string);
// in $arr_qstr you should have a result like this:
// ('id=123', 'active=no', ...)
foreach ($arr_qstr as $param_value) {
// for each element in above array, split to variable name and its value
list($qstr_name, $qstr_value) = explode('=', $param_value);
// $qstr_name will hold the name of the variable we need - 'id', 'active', ...
// $qstr_value - the corresponding value
// $$qstr_name - this construction creates variable variable
// this means from variable $qstr_name = 'id', adding another $ sign in front you will receive variable $id
// the second iteration will give you variable $active and so on
$$qstr_name = $qstr_value;
}
}
// now it's time to include the real php file
// all necessary variables are already defined and will be in the same scope of included file
include($phpinclude);
}
?>
I'm using this variable variable construction very often.
The simplest way to do this is like this
index.php
<?php $active = 'home'; include 'second.php'; ?>
second.php
<?php echo $active; ?>
You can share variables since you are including 2 files by using "include"
In the file you include, wrap the html in a function.
<?php function($myVar) {?>
<div>
<?php echo $myVar; ?>
</div>
<?php } ?>
In the file where you want it to be included, include the file and then call the function with the parameters you want.
I know this has been a while, however, Iam wondering whether the best way to handle this would be to utilize the be session variable(s)
In your myFile.php you'd have
<?php
$MySomeVAR = $_SESSION['SomeVar'];
?>
And in the calling file
<?php
session_start();
$_SESSION['SomeVar'] = $SomeVAR;
include('myFile.php');
echo $MySomeVAR;
?>
Would this circumvent the "suggested" need to Functionize the whole process?
I have ran into this when doing ajax forms where I include multiple field sets. Taking for example an employment application. I start out with one professional reference set and I have a button that says "Add More". This does an ajax call with a $count parameter to include the input set again (name, contact, phone.. etc) This works fine on first page call as I do something like:
<?php
include('references.php');`
?>
User presses a button that makes an ajax call ajax('references.php?count=1'); Then inside the references.php file I have something like:
<?php
$count = isset($_GET['count']) ? $_GET['count'] : 0;
?>
I also have other dynamic includes like this throughout the site that pass parameters. The problem happens when the user presses submit and there is a form error. So now to not duplicate code to include those extra field sets that where dynamically included, i created a function that will setup the include with the appropriate GET params.
<?php
function include_get_params($file) {
$parts = explode('?', $file);
if (isset($parts[1])) {
parse_str($parts[1], $output);
foreach ($output as $key => $value) {
$_GET[$key] = $value;
}
}
include($parts[0]);
}
?>
The function checks for query params, and automatically adds them to the $_GET variable. This has worked pretty good for my use cases.
Here is an example on the form page when called:
<?php
// We check for a total of 12
for ($i=0; $i<12; $i++) {
if (isset($_POST['references_name_'.$i]) && !empty($_POST['references_name_'.$i])) {
include_get_params(DIR .'references.php?count='. $i);
} else {
break;
}
}
?>
Just another example of including GET params dynamically to accommodate certain use cases. Hope this helps. Please note this code isn't in its complete state but this should be enough to get anyone started pretty good for their use case.
You can use $GLOBALS to solve this issue as well.
$myvar = "Hey";
include ("test.php");
echo $GLOBALS["myvar"];
If anyone else is on this question, when using include('somepath.php'); and that file contains a function, the var must be declared there as well. The inclusion of $var=$var; won't always work. Try running these:
one.php:
<?php
$vars = array('stack','exchange','.com');
include('two.php'); /*----- "paste" contents of two.php */
testFunction(); /*----- execute imported function */
?>
two.php:
<?php
function testFunction(){
global $vars; /*----- vars declared inside func! */
echo $vars[0].$vars[1].$vars[2];
}
?>
Try this also
we can have a function inside the included file then we can call the function with parametrs.
our file for include is test.php
<?php
function testWithParams($param1, $param2, $moreParam = ''){
echo $param1;
}
then we can include the file and call the function with our parameters as a variables or directly
index.php
<?php
include('test.php');
$var1 = 'Hi how are you?';
$var2 = [1,2,3,4,5];
testWithParams($var1, $var2);
Your question is not very clear, but if you want to include the php file (add the source of that page to yours), you just have to do following :
if(condition){
$someVar=someValue;
include "myFile.php";
}
As long as the variable is named $someVar in the myFile.php
I was in the same situation and I needed to include a page by sending some parameters... But in reality what I wanted to do is to redirect the page... if is the case for you, the code is:
<?php
header("Location: http://localhost/planner/layout.php?page=dashboard");
exit();
?>