Allow more than one page to be viewed

CBG
03-13-2010, 09:50 PM
Hi,

I have the bit of code below, which is working fine; however, I would like to change it to allow more files to be viewed, as it does with /offline.php.

This bit
if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0) {

I would like to allow /offline.php and /admin/offline.php and /admin/offlinemodify.php

How would I do this?

Red Leader
03-13-2010, 10:14 PM
if(in_array($_SERVER['PHP_SELF'], array('/offline.php', '/admin/offline.php', '/admin/offlinemodify.php')))

CBG
03-18-2010, 04:18 PM
That doesn't work for me.

Here is the full bit of current code and what each line does:



if ($offline['status'] == 'offline') {
    if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0) {
        if ($offline['iporlogin'] == 'IP') {
            $ip = $_SERVER['REMOTE_ADDR'];
            if ($ip == $offline['ip1'] || $ip == $offline['ip2']) {
            } else {
                if ( $offline['status'] == 'offline' ) { header ('location: /offline.php'); exit; }
            }
        } else {
            $username = $_SESSION['UserName'];
            if ($username == $offline['username']) {
            } else {
                if ( $offline['status'] == 'offline' ) { header ('location: /offline.php'); exit; }
            }
        }
    }
}



Line 1: Check to see if it is in Offline Mode

Line 2: Allow access to /offline.php (this is the bit I want to change to allow more files)

Line 3-8: If offline is in IP Mode check IP

Line 9: Else if not in IP mode but is offline do Login code

Line 10-14: Login Mode check for user/pass access

Line 15-17: Closing Tags

MattF
03-18-2010, 04:49 PM
$pages = array(
'/offline.php',
'/online.php',
);

if (in_array($_SERVER['PHP_SELF'], $pages))

Fou-Lu
03-18-2010, 05:24 PM
The in_array is correct; it's the result that's incorrect. strcmp returns 0 and only 0 on success, not failure.


if (!in_array($_SERVER['PHP_SELF'], $pages)) // Or embedded array, I'd use the variable like MattF has
{
.....


So the important part is the ! for the in_array, since the strcmp is only true on failure (where false === 0 and true != false in PHP). This will match the behaviour you currently have.

The problem here is the OP has a conflict in the code versus the definition of the code. The code specifies if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0), which is so long as /offline.php is NOT $_SERVER['PHP_SELF'] (you may want to consider changing that btw, PHP_SELF is XSS exploitable), but the explanation you gave for this step is Line 2: Allow access to /offline.php (this is the bit I want to change to allow more files). Which is it supposed to be?

CBG
03-18-2010, 06:21 PM
First thank you for all your help, it now seems to be working as I want it :D


The problem here is the OP has a conflict in the code versus the definition of the code. The code specifies if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0), which is so long as /offline.php is NOT $_SERVER['PHP_SELF']
I was given that code on a forum after asking how to only allow everyone access to offline.php but not anywhere else, unless the IP matched.


you may want to consider changing that btw, PHP_SELF is XSS exploitable
What do you recommend I change it to?

Fou-Lu
03-18-2010, 07:03 PM
Try under $_SERVER['REQUEST_URI']. Test that on a couple of nested directories as well; I think that will work as you want it to (but check, specifically for the /admin/offline.php you were asking about).
If not, also try under $_SERVER['SCRIPT_NAME']; that one I expect will need modifications though.

CBG
03-18-2010, 11:49 PM
Try under $_SERVER['REQUEST_URI']. Test that on a couple of nested directories as well; I think that will work as you want it to (but check, specifically for the /admin/offline.php you were asking about).
If not, also try under $_SERVER['SCRIPT_NAME']; that one I expect will need modifications though.

I tried $_SERVER['REQUEST_URI'] but that didn't work.
So I tried $_SERVER['SCRIPT_NAME'] which did work :D

One more question: does $_SERVER['SCRIPT_NAME'] run OK on Windows servers?

Fou-Lu
03-19-2010, 03:34 PM
I tried $_SERVER['REQUEST_URI'] but that didn't work.
So I tried $_SERVER['SCRIPT_NAME'] which did work :D

One more question: does $_SERVER['SCRIPT_NAME'] run OK on Windows servers?

Yes, but. $_SERVER is never guaranteed to exist; it's up to the environment to create these. Apache, IIS and CLI so far I've been able to retrieve REQUEST_URI and SCRIPT_NAME on. Generally, I use SCRIPT_NAME, but offhand I cannot recall what pathing it takes (absolute from filesystem root, or absolute from webroot; I was pretty sure it was filesystem root, but if it works in your code here, that's likely from document root).
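
The negated allow-list check Fou-Lu describes, combined with the $_SERVER['SCRIPT_NAME'] change that resolved the thread, as an added example that is not code posted by anyone in this thread. The keys status, iporlogin, ip1, ip2, username and $_SESSION['UserName'] come from CBG's code; the function name offlineRedirectTarget, the constant OFFLINE_ALLOWED and the sample addresses are assumptions made here.

```php
<?php
// Added example, not code from the thread: the offline gate as a pure function that
// runs from the CLI. Assumed: $offline holds the keys CBG's code uses.
// Scripts reachable while offline, as paths relative to the document root.
const OFFLINE_ALLOWED = ['/offline.php', '/admin/offline.php', '/admin/offlinemodify.php'];

/**
 * Returns '/offline.php' when the request must be redirected, or null when it
 * may proceed. $server and $session stand in for $_SERVER and $_SESSION.
 */
function offlineRedirectTarget(array $offline, array $server, array $session): ?string
{
    if (($offline['status'] ?? '') !== 'offline') {
        return null;                                  // site is online
    }
    // SCRIPT_NAME is the executing script's path under the document root and,
    // unlike PHP_SELF, carries no user-supplied PATH_INFO suffix such as
    // "/offline.php/anything". REQUEST_URI also includes the query string, so
    // an exact allow-list match on it fails as soon as "?x=y" is appended.
    $script = $server['SCRIPT_NAME'] ?? '';
    // Negated, as Fou-Lu noted: the allow list is what does NOT get redirected.
    // The third argument makes the comparison strict.
    if (in_array($script, OFFLINE_ALLOWED, true)) {
        return null;
    }
    if (($offline['iporlogin'] ?? '') === 'IP') {
        $ip = $server['REMOTE_ADDR'] ?? '';
        $permitted = $ip !== '' && in_array($ip, [$offline['ip1'] ?? null, $offline['ip2'] ?? null], true);
    } else {
        $user = $session['UserName'] ?? null;         // null when not logged in
        $permitted = $user !== null && $user === ($offline['username'] ?? null);
    }
    return $permitted ? null : '/offline.php';
}

// Constructed sample inputs (not taken from the thread).
$offline = ['status' => 'offline', 'iporlogin' => 'IP',
            'ip1' => '203.0.113.10', 'ip2' => '203.0.113.11', 'username' => 'admin'];
$cases = [
    ['SCRIPT_NAME' => '/admin/offline.php', 'REMOTE_ADDR' => '198.51.100.7'], // allow-listed page
    ['SCRIPT_NAME' => '/index.php',         'REMOTE_ADDR' => '203.0.113.10'], // listed IP
    ['SCRIPT_NAME' => '/index.php',         'REMOTE_ADDR' => '198.51.100.7'], // blocked
];
foreach ($cases as $server) {
    $target = offlineRedirectTarget($offline, $server, []);
    echo $server['SCRIPT_NAME'], ' from ', $server['REMOTE_ADDR'], ': ',
         $target === null ? 'allowed' : "redirect to $target", PHP_EOL;
}
// In the real page: if ($target !== null) { header('Location: ' . $target); exit; }
// The exit matters: header() alone does not stop the rest of the page from being sent.
```

The first two cases print "allowed" and the third prints "redirect to /offline.php"; the `exit` after `header()` is what actually stops a blocked page from rendering.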