What is the php tag that you use to link it with sites? the tag that, after inserted allows you to do links like http://mysite.com/index.php?id=new info that is displayed on index.php .html i have forgotten it and any sites i try either do too basic things (hello world) or too complex ones can anyone help?
to do something like that you'd have something like this: PHP: <?php $id = $_GET['id']; include($id); ?> Then link to www.site.com/index.php?id=page.html or whatever
Woh, Think about what your doing. Your letting someone see ANY file the PHP host process has acess too. Might not be a good idea. ie, say you were using SQL of some sort, they could read the password out of the http file. You'd be suprised as to what a lot of people run apache as, many a time you can just call up the .passwd file, then run a simple dictionary lookup on the hashes and get user passwords. So its generally a VERY VERY VERY BAD idea. a better one is to pass an id (like a number or somthing) and have a lookup table (an array if you like) that you address with the ID and the array determines which file you display.
Yeah, I wasn't really thinking when I posed that code. Maybe something like this would be better: PHP: <?php function cleanpath($path) { $pathout = ereg_replace("\.[\.]+", "", $path); $pathout = ereg_replace("^[\/]+", "", $pathout); $pathout = ereg_replace("^[A-Za-z][:\|][\/]?"", "", $path); return($pathout); } $id = $_GET['id']; $path = cleanpath($id); $path = "pages/" . $path; include($path); ?> Then link to www.yoursite.com/index.php?id=page.html and put page.html in "pages/" folder. That function keep people from doing things like www.yoursite.com/index.php?id=/etc/passwd or www.yoursite.com/index.php?id=../../logs/ or other such things.
I know this kind of repeats what TheAnimus already said, but my favorite way is: PHP: <?php $id=$_GET['ID']; if(is_number($_GET['ID'])){ /* Use a database connection to grab the file location or data from a database, based on the numeric ID passed through the query string */ } else { //Just pull the file/info for the home page } ?> Primarily because even with a little enhanced security, passing filenames through the query string (everything past the "?" in the URL) is a general bad idea. I know the first was a sample of how to use the basic $_GET[] feature, but I recently had a site that used a similar method and someone was able to go to mysite.com/file.php?file=http://link.to.their/malicious_script.php and add a few files to my site that I did not want there.
Whilst that file might be secure (I dont know - see below) I think you're missing the point a little. Effectively, it is just generally bad programming practise to have any kind of security hole in your code. Its worse to accept you have one but do nothing about it. Even if you have stopped them having access to your password file, they are still able to view any file. I don't know how secure PHP is in your environment but assume the following with open access: A hacker comes to your site and injects some script on the Id bit of your querystring. This saves a an executable file which he then invokes from his client..... scary thought!The above scenario is something called hijacking (or piggybacking) and used to be quite common in web sites that did not HTML encode their text responses (e.g. if you typed "javascript:alert('hacker!');" a page submit would execute that text! What Animus called attention to was the fact that whilst not as serious as above the details in your files are open to abuse. General Question about the PHP UNIX/ApacheSecurity Does the process in which your browser requests are running, have access to the _private folder? (If not how do they read it?) The logical inference being that by doing this nothing has actually changed? I'm interested to know! Stu
Yep, big security risk. I usually make it use an array or database to look up the ID and get the path for it from that. You could just do: http://mysite.com/index.php?id=/etc/passwd ..And you would/could be rooted. Edit: I learned this the hard way
I'll change the sig now, The thing is, all the files on my site are set up like this: _private folder www/ folder (this is where the web site parts of the webspace is kept) etc/ keeps ftp statistics and bandwidth use everything is the www folder is accesible anyway, and the server is set to only allow files to be created on fusion news, (ie text only) as you need admin permissions to create files. So even if they did use php to go into the private folder, as thats where the password is kept they couldnt access it I appreciate what you said about coding practises, but as its secure in its use, the practise is fine. When i do create databases and things in the www folder without password protection, i will stick to the rules and use them. but thanks for being so helpfull
quactaur, just post the url of the site when ur done, and hope that the first person here to get root, fixes ur problems.
