  1. #31
    Quote Originally Posted by leaked
    Bad way to go about it... A user could simply request ?page=../../etc/passwd and they could view it (UNIX)!
    Make sure you put
    PHP Code:
    include('news.php');
    as
    PHP Code:
    include('./path/to/news.php');
    otherwise expect your box to be exploited!
    How would that help? All you would need to go back up a directory is the ../


    Here's the code I use on all of my websites, you should use it too (remember to change the array $pages).
    If you have 50-odd PHP pages you'll have a big *** PHP code, so here's a loop that will go through an array of pages and include them, also exploit safe.
    'name' => './path/to/file', etc.
    http://somesite.com/?i=name would load up path/to/file
    You can change $_GET['x'] accordingly ?x=name
    PHP Code:
    <?php
    // Default page, used when no valid page id was requested.
    $default = './i/news.php';
    // Allowlist: only these ids map to files that may be included.
    $pages = array('about' => './i/about.php', 'servers' => './i/servers.php', 'services' => './i/services.php');
    if (isset($_GET['i']) && array_key_exists($_GET['i'], $pages)) {
        foreach ($pages as $pageid => $pagename) {
            if ($_GET['i'] == $pageid && file_exists($pagename)) {
                include $pagename;
            }
        }
    } else {
        include $default;
    }
    ?>
    Interesting script. As my navigation works by taking the name then adding an extension and a folder on to it, that wouldn't work, although I may borrow a bit of the script and get the array from the directory commands.

  2. #32
    I made an addition to the coding as I realised that to get the script to work well you would have to do redirecting junk...

    Anyway I realised that the
    PHP Code:
    <?php
    if (!isset($page))
        include("pages/home.php");
    ?>
    part of the script was a bit annoying since it showed up all the time, so I removed it to:
    PHP Code:
    <?php
    // The requested page name is taken straight from the query string and
    // used as an include path once an extension has been appended.
    if (file_exists($_GET['page'] . ".php")) {
        include $_GET['page'] . '.php';
    } elseif (file_exists($_GET['page'] . ".html")) {
        include $_GET['page'] . '.html';
    } elseif (file_exists($_GET['page'] . ".txt")) {
        include $_GET['page'] . '.txt';
    } elseif (isset($page) && !@include("$page")) {
        echo "Error Page not found!";
    }
    ?>
    Then create a file called .php (no file name, just file type) and that is the default, and it shows up when the
    PHP Code:
    $_GET['page']
    variable isn't set.
    Last edited by Chippiewill; 09-12-2007 at 01:37 AM.
    Chippiewill.


  3. #33
    Very insecure.

  4. #34
    Insecure if one actually uses the code examples above to include filetypes other than PHP. If you limit it to PHP, it's fine. Webservers don't store sensitive information in PHP files. Users might, in the form of database connection scripts, however simply including a file such as this isn't going to achieve a great deal. To improve security further, you could make sure the file exists in the actual directory you are working in only, as opposed to the entire server.
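    Putting the two suggestions in this thread together (the allowlist array quoted in #31 and the "only files in the directory you are working in" point above), here is an added example of a page router written for this edit; it is not code from any poster. It assumes the same ./i/ layout and page ids as the array quoted in #31; resolve_page() and $baseDir are names introduced here. Beyond the original loop, it also canonicalises the target with realpath() and checks that it sits under the intended directory, so the protection stays in place even if the array is later built from a directory listing, as one poster says they might do.

```php
<?php
// Added example (not code from the thread): a page router that only ever
// includes files from a fixed allowlist, and additionally verifies with
// realpath() that the resolved file lives inside the intended directory.
// The ./i/ paths are assumed to exist as in the script quoted in #31.

/**
 * Resolve a requested page id to an absolute file path, or return null
 * if the request must not lead to an include.
 *
 * @param mixed  $requested  value of $_GET['i'] (may be missing or non-string)
 * @param array  $pages      allowlist of page id => relative path
 * @param string $baseDir    directory every included file must live in
 * @return string|null
 */
function resolve_page($requested, array $pages, $baseDir)
{
    // 1. Only ids that are keys of the allowlist are considered at all.
    //    is_string() rejects ?i[]=... ; isset() avoids a notice when ?i= is absent.
    if (!is_string($requested) || !isset($pages[$requested])) {
        return null;
    }

    // 2. Canonicalise both sides so "..", "./" and symlinks are resolved.
    $base = realpath($baseDir);
    $file = realpath($pages[$requested]);
    if ($base === false || $file === false) {
        return null; // directory or file does not exist
    }

    // 3. Containment check: the file must be inside $base, not merely share
    //    a string prefix with it ("/var/www/i-private" must not pass for "/var/www/i").
    if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $file;
}

// Allowlist and default page, as in the thread's own array.
$pages = array(
    'about'    => './i/about.php',
    'servers'  => './i/servers.php',
    'services' => './i/services.php',
);
$default = './i/news.php';

$requested = isset($_GET['i']) ? $_GET['i'] : null;
$file = resolve_page($requested, $pages, './i');

if ($file === null) {
    // Anything not on the allowlist (absent parameter, unknown id, or a
    // file that resolved outside ./i/) falls through to the default page;
    // no user-controlled string ever reaches include.
    $file = $default;
}
include $file;
```

    The containment check matters most when $pages stops being a hand-written array: once the list is generated from a directory scan, the realpath() comparison is the only thing guaranteeing that a symlink or stray entry does not point outside ./i/.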

  5. #35
    Quote Originally Posted by Beau View Post
    as opposed to the entire server.
    Or as opposed to any site on the internet really.

  6. #36
    Quote Originally Posted by Invent View Post
    Or as oppose to any site on the internet really.
    I was under the assumption that you can't use direct URLs when including files (i.e. http://www.example.com/example.php), however I might be wrong. In any case, it would work in exactly the way file_get_contents does, i.e. it wouldn't retrieve the entire PHP source.

  7. #37
    Omg my brain hurts.

    You know, if one of you boffins created a website-making programme that let you do *EVERYTHING* from the editor view rather than the HTML view, and it still worked fine, you'd be so rich that the Queen would be friend-requesting you and asking for free Thrones :rolleyes:.

  8. #38
    Quote Originally Posted by Beau View Post
    I was under the assumption that you can't use direct URLs when including files (i.e. http://www.example.com/example.php), however I might be wrong. In any case, it would work in exactly the way file_get_contents does, i.e. it wouldn't retrieve the entire PHP source.
    Hmm, well my theory is:

    When you put an include for a URL like: /content/content.php

    It then converts it to something like

    \www\public_html\content\content.php

    so you can't include out of the www folder because the server would need to know the server-side code to parse, so if you did request

    http://whatisit.com/content/content.php

    when it converts it goes

    \www\http://whatisit.com\content\content.php

    (roughly speaking of course)

    Also I think the server works faster when you include it like

    \www\public_html\content\content.php

    anyway, as it doesn't need to convert
    Chippiewill.


  9. #39
    Help

    Hi, I tried the 2 code but it doesn't work, and if it does it also appears the initial page. Help

  10. #40
    Quote Originally Posted by 00chips View Post
    Hmm, well my theory is:

    When you put an include for a URL like: /content/content.php

    It then converts it to something like

    \www\public_html\content\content.php

    so you can't include out of the www folder because the server would need to know the server-side code to parse, so if you did request

    http://whatisit.com/content/content.php

    when it converts it goes

    \www\http://whatisit.com\content\content.php

    (roughly speaking of course)

    Also I think the server works faster when you include it like

    \www\public_html\content\content.php

    anyway, as it doesn't need to convert
    If allow_url_fopen is enabled, you can call include(), include_once(), require() and require_once() on remote URLs.

    And I'm pretty sure it doesn't really work faster if you provide the absolute file path - but I may be wrong.
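    As an added example (not from any poster in the thread), a short audit script that reports which of the PHP settings behind the remote-include point above are enabled on the server it runs on. Since PHP 5.2 a remote include() needs allow_url_include in addition to allow_url_fopen, so the script reports both, together with open_basedir, which bounds where the local includes earlier in this thread can resolve. php_include_exposure() is a name introduced here.

```php
<?php
// Added example (not code from the thread): report whether this PHP
// installation allows include() of remote URLs at all, and whether
// open_basedir confines local includes. Run once per server (CLI or web)
// to check the directives discussed in the post above.

/**
 * Return one human-readable finding per include-related setting.
 *
 * @return string[]
 */
function php_include_exposure()
{
    // ini_get() returns the raw string ("1", "0", "On", "Off", ""); normalise it.
    $urlFopen   = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
    $urlInclude = filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
    $baseDir    = ini_get('open_basedir');

    $findings = array();

    if ($urlInclude) {
        // This is the directive that lets include()/require() fetch a URL;
        // it is Off by default and should stay that way.
        $findings[] = 'allow_url_include=On: include()/require() will fetch http:// and ftp:// targets';
    } elseif ($urlFopen) {
        // fopen()/file_get_contents() can reach the network, but include() cannot.
        $findings[] = 'allow_url_fopen=On, allow_url_include=Off: remote reads possible, remote include is not';
    } else {
        $findings[] = 'allow_url_fopen=Off, allow_url_include=Off: no remote file access from PHP';
    }

    if ($baseDir === '' || $baseDir === false) {
        $findings[] = 'open_basedir unset: a local include may resolve anywhere the web server user can read';
    } else {
        $findings[] = 'open_basedir=' . $baseDir . ': local includes are confined to these directories';
    }

    return $findings;
}

foreach (php_include_exposure() as $line) {
    echo $line, PHP_EOL;
}
```

    The corresponding php.ini settings for a server that only ever includes its own files are allow_url_include = Off (the default), allow_url_fopen = Off unless some script genuinely needs remote reads, and open_basedir pointed at the document root plus any shared library directory.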
