
View Full Version : switch :: case :: break



SDP2006
09-17-2003, 01:21 AM
I'm using this method. It is too large to put in this thread, so I have attached it. View the image first, then look at my code and repost here. Thanks for your help!!!

Spookster
09-17-2003, 01:37 AM
And your question is?

SDP2006
09-17-2003, 01:38 AM
My question is in the attached file...

Spookster
09-17-2003, 01:57 AM
and what if I don't wanna look in the attached file for the question? Hmmmm? :p


You should post the question in the post so people can see what the question is and figure out if they can help without having to download the file and then unzip it.

SDP2006
09-17-2003, 02:34 AM
Here's my question.

I have code that is in the attached file....

It is using a switch and then case break. Which works like
http://mydomain.com/category.php?cat=home

which includes the file /includes/home.html

My code is not working, so if you would, analyze it and tell me what is wrong with it. Thanks. The code is in the attachment of my very first post. Thanks very much for everyone's help :)

firepages
09-17-2003, 05:25 AM
The issue is probably the fact that you have the default: case first; it should come last, after everything else.

But aside from that, save yourself some code and ...



<?php
$file = '/home/user/public_html/includes/' . $_GET['cat'] . '.html';
if ( file_exists( $file ) ) {
    include $file;
}
?>

SDP2006
09-17-2003, 01:41 PM
Firepages, could you tell me what that code does? Like a line-by-line walkthrough?

Thanks

firepages
09-17-2003, 02:24 PM
...


<?php
/*
build a path to the file you want to grab based on your $_GET['cat'] variable,
e.g. if blah.com?cat=yaks then $file translates to
'/home/user/public_html/includes/yaks.html'
*/
$file = '/home/user/public_html/includes/' . $_GET['cat'] . '.html';

/* see if yaks.html actually exists */
if ( file_exists( $file ) ) {
    /* if it does, include it */
    include $file;
} else {
    /* else include a default or sorry page */
    include '/home/user/public_html/includes/sorry.html';
}
?>

SDP2006
09-17-2003, 09:53 PM
Thanks for the code!

So I changed my file to this


<?php
$file = '/home/user/public_html/includes/' . $_GET['cat'] . '.html' ;
if( file_exists( $file ) ){
include $file ;
}
else{
include '/home/user/public_html/includes/sorry.html' ;
}
?>


and I get this error


Warning: SAFE MODE Restriction in effect. The script whose uid is 10323 is not allowed to access /home owned by uid 0 in /usr/local/psa/home/vhosts/net-riches.com/httpdocs/includes/category.php on line 3

Warning: Unable to access /home/user/public_html/includes/sorry.html in /usr/local/psa/home/vhosts/net-riches.com/httpdocs/includes/category.php on line 7

Warning: Failed opening '/home/user/public_html/includes/sorry.html' for inclusion (include_path='.:/usr/local/psa/apache/lib/php') in /usr/local/psa/home/vhosts/net-riches.com/httpdocs/includes/category.php on line 7


Whats up?

Nightfire
09-17-2003, 10:02 PM
You don't have /home/user/public_html.

Your server is set up as /usr/local/psa/home/vhosts/net-riches.com/httpdocs/

Reading the errors is helpful ;)

Just delete the /home/user/public_html and point to the include files like you would in your normal way.

SDP2006
09-17-2003, 10:26 PM
Thanks, that compressed some of my errors.

Now I get this


Warning: open_basedir restriction in effect. File is in wrong directory in /usr/local/psa/home/vhosts/net-riches.com/httpdocs/includes/category.php on line 7

Warning: Failed opening 'includes/sorry.html' for inclusion (include_path='.:/usr/local/psa/apache/lib/php') in /usr/local/psa/home/vhosts/net-riches.com/httpdocs/includes/category.php on line 7

with this PHP


<?php
$file = 'includes/' . $_GET['cat'] . '.html' ;
if( file_exists( $file ) ){
include $file ;
}
else{
include 'includes/sorry.html' ;
}
?>

Acecool
09-17-2003, 11:19 PM
try using ./includes/

SDP2006
09-17-2003, 11:29 PM
Thanks acecool, but that didn't work... still getting


Warning: Unable to access ./includes/sorry.html in /usr/local/psa/home/vhosts/net-riches.com/httpdocs/includes/category.php on line 7

Warning: Failed opening './includes/sorry.html' for inclusion (include_path='.:/usr/local/psa/apache/lib/php') in /usr/local/psa/home/vhosts/net-riches.com/httpdocs/includes/category.php on line 7

Firepages, Spookster, Nightfire??? Know my problem?

mordred
09-18-2003, 12:00 AM
Your script is located in includes/category.php. Apparently you just haven't got a directory named 'includes' in that directory; that's where your error comes from. Does it work if you just include 'sorry.html'?

And now to something completely different: Don't let this script run on your webhost as it is now. It's a security hole. Anyone can pass an arbitrary path to a file which will be included and, depending on the nature of the file, eventually sent to the browser. That's probably not what you had in mind, but you're opening the doors for an attacker quite wide. You need to clean the path string of unwanted chars like ../, . and the like. Or use an array as a lookup table in which all allowed paths are stored.

SDP2006
09-18-2003, 03:51 AM
Well, I don't think that matters. I got my script running correctly and that's all that I care about...

mordred
09-18-2003, 11:55 AM
Originally posted by SDP2006
Well, I don't think that matters. I got my script running correctly and thats all that I care about.....

Interesting attitude and a strange way to say "thanks". :rolleyes:

Next time I'll keep my mouth shut if I see a security flaw in your scripts.

SDP2006
09-18-2003, 01:41 PM
This script isn't going to be running on some Corporate Bank Company or whatever....

firepages
09-18-2003, 04:11 PM
As the '.html' is appended to the end of the filename, I doubt that one could grab anything sensitive by tainting the data in this case? (happy to be shown otherwise) Though I would always recommend using the absolute path if at all possible.

However, Mordred is still right on 2 points:

1) that you need to be careful with / wary of any data that you have no control over (e.g. $_GET, $_POST vars, etc.)

& 2) that the manner of your last post really is unlikely to encourage anyone to offer advice the next time you ask a question.

BTW, that a script is not going to be handling any sensitive data is not entirely the point; the idea is to get it right regardless, thus protecting your server and all the other users on it and, more importantly, making writing secure scripts second nature rather than an afterthought (something I am frequently guilty of), so it's a very relevant point.

mordred
09-18-2003, 07:50 PM
You're right firepages, I missed the part with the appended .html string, and admit that I jumped too fast to conclusions, sorry about stirring things up. It's as if I've got a huge red "danger" sign in front of my eyes whenever I see unsanitized GET variables used in file system paths. :o

The code in question should be relatively safe - I say relatively because I can't absolutely say there is no flaw in it. I'd just settle for cleaning up the string and/or using the mentioned lookup table.

Stevie, I really don't understand your reaction. I did not propose that you should immediately spend lots of money for HBCI banking, I just pointed out a weakness of the approach you used. Perhaps you think security is not an issue for your application (though I wonder why you asked for a safe login method (http://www.codingforums.com/showthread.php?s=&threadid=25545) then? :confused: ), but others who followed this thread might have different opinions about that and should now be at least informed of the risks.

As I said, no harm done, but the eventual discussion about the security of a certain script is IMO absolutely justified.
Ok? :)

raf
09-18-2003, 08:32 PM
mordred is absolutely right.

All values you pull from the query string need to be very carefully evaluated.
http://tiberi.us/view_article.aspx?article_id=35

or read some real articles on XSS
http://www.cgisecurity.com/articles/xss-faq.shtml
http://httpd.apache.org/info/css-security/
http://www.perl.com/pub/a/2002/02/20/css.html

I don't know if the .html makes it all that more secure. I wonder what would happen if my injection ends with "; //"
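
On the ".html suffix" question raised by firepages, mordred and raf above: the suffix is not a defence. PHP's filesystem functions truncated a path at the first NUL byte in every release before 5.3.4 (which includes everything available in 2003), so cat=../../../etc/passwd%00 simply dropped the appended .html; and on current PHP a value such as ../../otheruser/private still reaches any readable file whose name ends in .html. Mordred's lookup-table suggestion is the fix. The following is an added example, not code from this thread: it assumes PHP 7.1 or later and a pages/ directory next to the script (the layout is an assumption), and shows the table approach beside a strict-validation variant for sites with too many pages to list by hand.

```php
<?php
// Added example, not code from this thread. Two hardened replacements for
//   include 'includes/' . $_GET['cat'] . '.html';
// Assumed layout (an assumption, not taken from the thread): this script is
// httpdocs/includes/category.php and the category pages live in
// httpdocs/includes/pages/<name>.html. Requires PHP 7.1 or later.

declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Option 1: lookup table. The request value is only ever used as an array key,
// so '../../etc/passwd', "home\0" or anything else not listed maps to null and
// never becomes part of a filesystem path.
const PAGES = [
    'home'  => 'home.html',
    'links' => 'links.html',
    'about' => 'about.html',
];

function page_from_table(string $cat): ?string
{
    return array_key_exists($cat, PAGES) ? PAGE_DIR . '/' . PAGES[$cat] : null;
}

// Option 2: strict validation plus canonical-path containment, for sites with
// too many pages to list by hand. The regex admits only [a-z0-9_-], so '/',
// '\', '.', NUL and every other path metacharacter is rejected before the
// filesystem is touched. realpath() then resolves symlinks and '..', and the
// prefix check confirms the resolved file still sits under PAGE_DIR.
function page_from_name(string $cat): ?string
{
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/', $cat) !== 1) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . $cat . '.html');
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the pages directory (e.g. a symlink)
    }
    return $real;
}

// $_GET['cat'] can be absent, or an array (?cat[]=x); treat both as "no page".
$cat  = $_GET['cat'] ?? 'home';
$file = is_string($cat) ? page_from_table($cat) : null;   // or page_from_name($cat)

if ($file !== null && is_file($file)) {
    include $file;
} else {
    http_response_code(404);
    include PAGE_DIR . '/sorry.html';
}
```

The table version is the one to prefer when the page set is small and known. In both versions include still executes any <?php block found inside the .html file, so the pages directory must be writable only by the site owner; and the open_basedir restriction this host already enforces is a second layer, not a substitute for the check.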

SDP2006
09-18-2003, 10:07 PM
Originally posted by mordred
....admit that I jumped to fast to conclusions, sorry about stirring things up. It's as if I've got a huge red "danger" sign infront of my eyes whenever I see unsanitized GET variables used in file system paths. :o


No problem mordred. Thank you for your help. Just to let you know, all these files include is a list of links, that I have that pertain to a certain category, nothing that anybody else wouldn't be seeing.

SDP2006
09-24-2003, 03:27 AM
Just got a call from my hosting people....

They tell me I am running a script that is taking up so much resources that it is about to bring down the server. Could this script do that?


<?php
$file = 'includes/' . $_GET['cat'] . '.html';
if ( file_exists( $file ) ) {
    include $file;
} else {
    include 'includes/sorry.html';
}
?>

firepages
09-24-2003, 04:12 AM
No, simple includes would not scratch the surface of the web server; that's not the issue.

SDP2006
09-24-2003, 01:30 PM
They found my problem overnight. What I was doing is this


<?php
$file = "http://www.net-riches.com/viewblog.php";
include($file);
?>

They said that was creating an infinite loop of that file. I was running it from a subdomain (blog.net-riches.com).

Thanks for the help.

ReadMe.txt
09-28-2003, 08:16 PM
Can you tell us the exact path of your include file, and the path that you have in your script?

SDP2006
09-28-2003, 08:39 PM
My problem was fixed. What I was doing was including index.php inside of index.php and that was creating an infinite loop of that script which would go on and on and on and on until the server went down or stop was hit on the browser.
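
For the self-include loop described above, as an added example (not code from this thread; the file layout is an assumption): include the local file rather than its URL, and use include_once so a file that is somehow pulled in a second time, including the running script itself, is not parsed again. allow_url_include, Off by default since PHP 5.2, blocks the http:// form at the php.ini level; the helper below refuses it in code as well.

```php
<?php
// Added example, not code from this thread. The loop came from
//   include 'http://www.net-riches.com/viewblog.php';
// placed inside the script that URL serves: each include is a fresh HTTP
// request that runs the script again, which includes itself again, and so on
// until the host ran out of workers. Include the local file instead, once.
// Assumption: viewblog.php sits next to this script (path not from the thread).

declare(strict_types=1);

// Refuse anything that would go through a stream wrapper (http://, ftp://,
// php://, data:). A plain local filename never looks like that.
function is_local_include(string $name): bool
{
    return strpos($name, '://') === false && stripos($name, 'data:') !== 0;
}

function include_local_once(string $name): bool
{
    $target = __DIR__ . '/' . $name;
    if (!is_local_include($name) || !is_file($target)) {
        return false;
    }
    // include_once consults the list of files already loaded in this request,
    // which contains the main script too, so even "include_once __FILE__"
    // returns immediately instead of recursing until memory runs out.
    include_once $target;
    return true;
}

include_local_once('viewblog.php');
```

Note that no in-script guard can stop the HTTP variant of the loop, because every include there is a separate request with its own fresh process; the only fix is to stop fetching the script over the network.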

firepages
09-29-2003, 06:44 AM
Originally posted by firepages
no , simple includes would not scratch the surface of the web-server , thats not the issue.

lol ok I will add to that ... "unless you are creating an infinite loop" :D


