Allow more than one page to be viewed



CBG
03-13-2010, 10:50 PM
Hi,

I have the below bit of code that is working fine, however I would like to change it, to allow more files to be viewed, like it does with /offline.php

This bit
if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0) {

I would like to allow /offline.php and /admin/offline.php and /admin/offlinemodify.php

How would I do this?

Red Leader
03-13-2010, 11:14 PM
if(in_array($_SERVER['PHP_SELF'], array('/offline.php', '/admin/offline.php', '/admin/offlinemodify.php')))

CBG
03-18-2010, 05:18 PM
That doesn't work for me.

Here is the full bit of current code and what each line does



if ($offline['status'] == 'offline') {
    if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0) {
        if ($offline['iporlogin'] == 'IP') {
            $ip = $_SERVER['REMOTE_ADDR'];
            if ($ip == $offline['ip1'] || $ip == $offline['ip2']) {
            } else {
                if ( $offline['status'] == 'offline' ) { header ('location: /offline.php'); }
            }
        } else {
            $username = $_SESSION['UserName'];
            if ($username == $offline['username']) {
            } else {
                if ( $offline['status'] == 'offline' ) { header ('location: /offline.php'); }
            }
        }
    }
}



Line 1: Check to see if it is in Offline Mode

Line 2: Allow access to /offline.php (this is the bit I want to change to allow more files)

Line 3-8: If offline is in IP Mode check IP

Line 9: Else if not in IP mode but is offline do Login code

Line 10-14: Login Mode check for user/pass access

Line 15-17: Closing Tags

MattF
03-18-2010, 05:49 PM
$pages = array(
'/offline.php',
'/online.php',
);

if (in_array($_SERVER['PHP_SELF'], $pages))

Fou-Lu
03-18-2010, 06:24 PM
The in_array is correct, it's the result that's incorrect. strcmp returns 0 and only 0 on success, not failure.


if (!in_array($_SERVER['PHP_SELF'], $pages)) // Or embedded array, I'd use the variable like MattF has
{
.....


So the important part is the ! for the in_array, since the strcmp is only true on failure (where false === 0 and true != false in PHP). This will match the behaviour you currently have.

The problem here is the OP has a conflict in the code versus the definition of the code. The code specifies if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0), which is so long as /offline.php is NOT $_SERVER['PHP_SELF'] (you may want to consider changing that btw, PHP_SELF is XSS exploitable), but the explanation you gave for this step is "Line 2: Allow access to /offline.php (this is the bit I want to change to allow more files)". Which is it supposed to be?

CBG
03-18-2010, 07:21 PM
First thank you for all your help, it now seems to be working as I want it :D


> The problem here is the OP has a conflict in the code versus the definition of the code. The code specifies if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0), which is so long as /offline.php is NOT $_SERVER['PHP_SELF']
I was given that code on a forum after asking how to only allow everyone access to offline.php but not anywhere else, unless the IP matched.


> you may want to consider changing that btw, PHP_SELF is XSS exploitable
What do you recommend I change it to?

Fou-Lu
03-18-2010, 08:03 PM
Try under $_SERVER['REQUEST_URI']. Test that on a couple nested directories as well, I think that will work as you want it to (but check, specifically for the /admin/offline.php you were asking about).
If not, also try under $_SERVER['SCRIPT_NAME'], that one I expect will need modifications though.

CBG
03-19-2010, 12:49 AM
> Try under $_SERVER['REQUEST_URI']. Test that on a couple nested directories as well, I think that will work as you want it to (but check, specifically for the /admin/offline.php you were asking about).
> If not, also try under $_SERVER['SCRIPT_NAME'], that one I expect will need modifications though.

I tried $_SERVER['REQUEST_URI'] but that didn't work.
So I tried $_SERVER['SCRIPT_NAME'] which did work :D

One more question: does $_SERVER['SCRIPT_NAME'] run OK on Windows servers?

Fou-Lu
03-19-2010, 04:34 PM
> I tried $_SERVER['REQUEST_URI'] but that didn't work.
> So I tried $_SERVER['SCRIPT_NAME'] which did work :D
>
> One more question: does $_SERVER['SCRIPT_NAME'] run OK on Windows servers?

Yes, but. $_SERVER is never guaranteed to exist, it's up to the environment to create these. Apache, IIS and CLI so far I've been able to retrieve REQUEST_URI and SCRIPT_NAME on. Generally, I use SCRIPT_NAME, but offhand I cannot recall what pathing it takes (absolute from filesystem root, or absolute from webroot; I was pretty sure it was filesystem root, but if it works in your code here, that's likely from document root).
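
An added example, not from any post in this thread: the offline-mode gate written as one function that keys the page allowlist on SCRIPT_NAME with strict comparison, run over constructed requests that show where PHP_SELF and REQUEST_URI differ from it. The function name, the constant name, the sample addresses and the wiring at the end are assumptions made for illustration.

```php
<?php
// Added example; function and constant names are assumptions, not from the thread.
const OFFLINE_PAGES = ['/offline.php', '/admin/offline.php', '/admin/offlinemodify.php'];

// Returns the redirect target, or null when the request may proceed.
function offline_redirect(array $offline, array $server, ?string $user): ?string
{
    if (($offline['status'] ?? '') !== 'offline') {
        return null; // site is online
    }
    // SCRIPT_NAME is the URL path of the executing script. PHP_SELF appends
    // client-supplied PATH_INFO and REQUEST_URI includes the query string,
    // so neither is a stable key for an exact-match allowlist.
    if (in_array($server['SCRIPT_NAME'] ?? '', OFFLINE_PAGES, true)) {
        return null; // page stays reachable while offline
    }
    if (($offline['iporlogin'] ?? '') === 'IP') {
        $ip = $server['REMOTE_ADDR'] ?? '';
        $ok = $ip !== '' && in_array($ip, [$offline['ip1'] ?? '', $offline['ip2'] ?? ''], true);
    } else {
        $ok = $user !== null && $user !== '' && $user === ($offline['username'] ?? '');
    }
    return $ok ? null : '/offline.php';
}

// Constructed requests (documentation IP ranges), all while the site is offline.
$offline = ['status' => 'offline', 'iporlogin' => 'IP', 'ip1' => '192.0.2.10', 'ip2' => '192.0.2.11'];
$requests = [
    ['SCRIPT_NAME' => '/admin/offline.php', 'PHP_SELF' => '/admin/offline.php',
     'REQUEST_URI' => '/admin/offline.php?msg=1', 'REMOTE_ADDR' => '198.51.100.7'],
    ['SCRIPT_NAME' => '/offline.php', 'PHP_SELF' => '/offline.php/extra',
     'REQUEST_URI' => '/offline.php/extra', 'REMOTE_ADDR' => '198.51.100.7'],
    ['SCRIPT_NAME' => '/index.php', 'PHP_SELF' => '/index.php',
     'REQUEST_URI' => '/', 'REMOTE_ADDR' => '198.51.100.7'],
    ['SCRIPT_NAME' => '/index.php', 'PHP_SELF' => '/index.php',
     'REQUEST_URI' => '/', 'REMOTE_ADDR' => '192.0.2.10'],
];
foreach ($requests as $server) {
    $target = offline_redirect($offline, $server, null);
    printf("%-26s from %-13s => %s\n", $server['REQUEST_URI'], $server['REMOTE_ADDR'],
        $target === null ? 'allow' : "redirect to $target");
}

// In the page include (assumed wiring): send the header, then stop the script,
// otherwise the protected page still runs and its output follows the redirect.
// $target = offline_redirect($offline, $_SERVER, $_SESSION['UserName'] ?? null);
// if ($target !== null) { header('Location: ' . $target); exit; }
```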


