phpInclude Help

Luke · 05-05-2010, 07:36 PM

Right. I don't really want to change the script, because, it also sets the title of the box

PHP Code:


ontenttitle" class="title">
           <?php
           
           if(!$_GET['page']) {
          echo "WELCOME TO JETENGLAND!";
           }
           elseif($_GET['page']) {
               if($_GET['subpage']) {
                   $page_name = str_replace("_", " ", $_GET['page']);
                   $subpage_name = str_replace("_", " ",$_GET['subpage']);
               echo strtoupper($page_name." - ".$subpage_name);
               }
               elseif(!$_GET['subpage']) {
                   if($_GET['page'] == "ADMINISTRATIONCENTRE")
                   {
                        echo strtoupper("ADMINISTRATION CENTRE");
                   }
                   else
                   {
                   echo strtoupper($_GET['page']);
                   }
               }
           }
          ?>

So, instead of getting rid of this, how could i use .htaccess so /page/$1/$2 = ?page=$1&subpage=$2
I tried it, but it wouldn't work :/

Luke

Agnostic Bear · 05-05-2010, 07:37 PM

Originally Posted by Apolva

While it may stop you leaving your /www/ dir, you can still read "secret" files used by other scripts, plus files which usually need .htaccess authentication.

That's a design error, you shouldn't include protected files in a directory with dynamic inputs.

Apolva · 05-05-2010, 07:45 PM

Originally Posted by Jewish Bear

That's a design error, you shouldn't include protected files in a directory with dynamic inputs.

@Jwish Bear - What I'm saying is, /protected/ could be accessed through the exploit when it would usually require some kind of authentication.
Better to just fix the script, rather than relying on a safety net.

@LukeBateson, look into mod_rewrite here. Some knowledge of regular expressions might come in handy.

~~Blob~~ · 05-05-2010, 07:58 PM

Just ignore my working script then :S?

Luke · 05-05-2010, 08:04 PM

Originally Posted by Blob

Just ignore my working script then :S?

Sorry Blob, but again, it's because of the title defining i prefer the "page" "subpage" script. Didn't mean to ignore it

MattFr · 05-05-2010, 08:56 PM

Originally Posted by Jewish Bear

That's a design error, you shouldn't include protected files in a directory with dynamic inputs.

Stop arguing for the sake of arguing. The point is, it could (easily) be exploited, so why take the risk? It's quick and easy to make it secure, so there is no reason what so ever for not doing it.

Agnostic Bear · 05-05-2010, 09:25 PM

if you're really that paranoid, use this:

PHP Code:


$page = preg_replace( '#([^a-zA-Z0-9_-]+)#', '', $_GET[ 'page' ] );

Thread: phpInclude Help

Thread Tools

Posting Permissions