View Full Version : Why No extension on filename?



thickandthin
11-17-2003, 01:22 PM
My site has this script below to have an index and pages, but I wanted it to be where the extensions are there like index.php?page=news.html not index.php?page=news because for the php pages that I have won't work like index.php?page=guestbook?page=whatever, so I need it to be index.php?page=guestbook.php?page=whatever... Anyone understand?

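<?php
// Default page when no ?page= parameter is given.
if (empty($_GET['page']))
{
    include("includes/news.html");
}
// The request value is concatenated straight into the include path.
elseif (file_exists("includes/".$_GET['page'].".html"))
{
    include("includes/".$_GET['page'].".html");
}
elseif (file_exists("includes/".$_GET['page'].".php"))
{
    include("includes/".$_GET['page'].".php");
}
else
{
?>
<?php
} // end of else; the fallback HTML was not included in the post
?>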

bcarl314
11-17-2003, 05:45 PM
I vaguely understand what you want to do and will point out that the code you have is just begging for a hacker to exploit.

You should always clean your input before executing it.

thickandthin
11-17-2003, 09:40 PM
Right now, when I want to go on a page I do index.php?page=page

but I need it to be: index.php?page=page.html or .php so that it requires me to put in the extension

ReadMe.txt
11-17-2003, 10:22 PM
Either name all your files .php, or set up your server to parse .html as php and name them all as .php, problem solved.

BTW carl, where's a hacker gonna exploit in that??

thickandthin
11-17-2003, 10:42 PM
what??

mordred
11-17-2003, 10:51 PM
Readme.txt, have you ever tried to put the null byte in the query string, hm? Most interesting effects occur in both file_exists and include - with the effect of enabling a cracker to fetch whatever file PHP may fetch from the filesystem. That's what I consider to be an exploit.

thickandthin, I think you need to be more descriptive with your last question. Besides, as others have said, your current solution is wide open and needs to be retailored. Put the file names you want to include into an array and use a telling name as the key. Pass this name through the query string, check if it exists as a key in your filenames array, and if so, include the filename associated with that key. Simple, easy to maintain, and secure.
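
The allowlist mordred describes, as an added example that is not part of the original thread; the page names and include paths are assumptions taken from the first post, and resolve_page is a hypothetical helper:

```php
<?php
// Added example: allowlist of includable pages, keyed by the public name.
// Keys and paths are assumptions based on the thread (news, guestbook).
$pages = array(
    'news'      => 'includes/news.html',
    'guestbook' => 'includes/guestbook.php',
);

/**
 * Map the ?page= value to a file from the allowlist.
 * Returns the default page when the parameter is absent or empty,
 * and null when the value is not a known key.
 */
function resolve_page($requested, array $pages, $default = 'news')
{
    if ($requested === null || $requested === '') {
        return $pages[$default];
    }
    // ?page[]=x arrives as an array; only plain strings can be keys here.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key lookup: the request value is never concatenated into a
    // path, so "../", absolute paths and embedded null bytes do not match.
    return array_key_exists($requested, $pages) ? $pages[$requested] : null;
}

$requested = isset($_GET['page']) ? $_GET['page'] : null;
$file = resolve_page($requested, $pages);

if ($file === null) {
    // Unknown name: answer 404 instead of touching the filesystem.
    header('HTTP/1.0 404 Not Found');
    echo 'Page not found.';
} else {
    include $file;
}
?>
```

Adding a page means adding one line to the array; the query string only ever selects a key, so index.php?page=guestbook works for .html and .php files alike.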

thickandthin
11-17-2003, 11:02 PM
Did I mention I didn't know PHP... lol my friend made it for me, basically all I need is instead of putting index.php?page=thepage I have to put the file ext like index.php?page=thepage.php

boeing747fp
11-17-2003, 11:08 PM
set up a redirect page like this sort of


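<?php
// Redirect only for known page names; anything else falls through.
if ($_GET['page'] == "page1") {
    header("Location: page1.html");
    exit; // stop the script once the redirect header is sent
}
if ($_GET['page'] == "page2") {
    header("Location: page2.html");
    exit;
}
?>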

etc, etc... just change the page1 and page2 to actual pages.

thickandthin
11-17-2003, 11:30 PM
is that secure?

Len Whistler
11-18-2003, 12:50 AM
thickandthin... you should get a book on PHP and start with the basic stuff. Then progress to the more difficult PHP programming.

No matter what answers you get on this post you will not understand it.

Leonard Whistler
www.stubby.ca

Funkel
11-18-2003, 12:57 AM
switch (http://au2.php.net/switch) is good



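// With register_globals off, $page is not set automatically;
// read it from the query string.
$page = isset($_GET['page']) ? $_GET['page'] : '';

switch ($page) {
    case "members":
        include('members_page.html');
        break;

    case "news":
        include('news_page.html');
        break;

    case "downloads":
        include('dl_page.html');
        break;

    default:
        include('news.html');
        break;
}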


