mrruben5
07-09-2005, 02:38 PM
I have the following script:
<?php
$number = '13'; // for cutenews news number

if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    $page = 'cutenews/show_news.php';
}

// ../ means "Parent directory", can be used to evade the "pages/" prefix.
// :// is a combo of http:// and ftp:// you wanted to check.
if (stristr($page, "://") || stristr($page, "../")) {
    echo("Go away *******! This script is secured!");
    return 0; // terminates output.
}

if (file_exists($page)) {
    include($page);
} else {
    include('404.html');
}
?>
I have this on my index.php in the root of my domain.
The problem is that I have subdomains, so if a user specifies a directory, it includes from that directory. But I have files in subdirs I want to be able to show, so I can't knock it if there's a slash in the page _GET.
I was thinking of making an array of not allowed subdomains, explode the _GET on /, and use some sort of array function to check if the first part of the explode is in one of the array items.
Can anyone help me with that?
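The check described in the post, as an added example that is not part of the original post: the first path segment is compared against a list of blocked directories, and the resolved path is then confirmed to stay inside the site root. The directory names in `$blockedDirs` and the function name `resolve_page` are hypothetical.

```php
<?php
// Added example, not the poster's code. Directory names are hypothetical.
$blockedDirs = ['forum', 'shop', 'mail']; // subdomain folders, lowercase

// Return the absolute path to include for $page, or null if it is rejected.
function resolve_page($page, $root, array $blockedDirs)
{
    // Treat "forum\x.php" like "forum/x.php".
    $page = str_replace('\\', '/', $page);

    // Reject URL wrappers and NUL bytes before touching the filesystem.
    if (strpos($page, '://') !== false || strpos($page, "\0") !== false) {
        return null;
    }

    // Split on "/" and drop empty and "." segments, so "./forum/x.php"
    // and "//forum/x.php" still expose "forum" as the first segment.
    $segments = array_values(array_filter(explode('/', $page), function ($s) {
        return $s !== '' && $s !== '.';
    }));
    if (!$segments || in_array('..', $segments, true)) {
        return null;
    }
    if (in_array(strtolower($segments[0]), $blockedDirs, true)) {
        return null;
    }

    // Resolve symlinks and confirm the target is a file under the root.
    $rootReal = realpath($root);
    $real = realpath($root . '/' . implode('/', $segments));
    if ($rootReal === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strpos($real, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // Re-check the first segment of the resolved path (symlink into a blocked dir).
    $relative = str_replace('\\', '/', substr($real, strlen($rootReal) + 1));
    if (in_array(strtolower(strtok($relative, '/')), $blockedDirs, true)) {
        return null;
    }
    return $real;
}

$page = (isset($_GET['page']) && is_string($_GET['page']))
    ? $_GET['page'] : 'cutenews/show_news.php';
$target = resolve_page($page, __DIR__, $blockedDirs);
include $target !== null ? $target : __DIR__ . '/404.html';
```

A block list still allows any other readable file under the root to be included, so listing the directories or files that may be shown is the stricter form of the same check.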