The in_array is correct, it's the result that's incorrect. strcmp returns 0 and only 0 on success, not failure.
PHP Code:
if (!in_array($_SERVER['PHP_SELF'], $pages)) // Or embedded array, I'd use the variable like MattF has
{
.....
So the important part is the ! for the in_array, since the strcmp is only true on failure (where false === 0 and true != false in PHP). This will match the behaviour you currently have.
The problem here is the OP has a conflict in the code versus the definition of the code. The code specifies if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0), which is so long as /offline.php is NOT $_SERVER['PHP_SELF'] (you may want to consider changing that btw, PHP_SELF is XSS exploitable), but the explanation you gave for this step is Line 2: Allow access to /offline.php (this is the bit I want to change to allow more files). Which is it supposed to be?
__________________
As of PHP 5.5, the MySQL library has been officially deprecated. It is recommended to move to either MySQLi or PDO libraries for your mysql connectivity. See here for help choosing which interface you prefer: http://php.net/manual/en/mysqlinfo.api.choosing.php
First, thank you for all your help, it now seems to be working as I want it.
Quote:
Originally Posted by Fou-Lu
The problem here is the OP has a conflict in the code versus the definition of the code. The code specifies if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0), which is so long as /offline.php is NOT $_SERVER['PHP_SELF']
I was given that code on a forum after asking how to only allow everyone access to offline.php but not anywhere else, unless the IP matched.
Quote:
Originally Posted by Fou-Lu
you may want to consider changing that btw, PHP_SELF is XSS exploitable
Try under $_SERVER['REQUEST_URI']. Test that on a couple nested directories as well, I think that will work as you want it to (but check, specifically for the /admin/offline.php you were asking about).
If not, also try under $_SERVER['SCRIPT_NAME'], that one I expect will need modifications though.
I tried $_SERVER['REQUEST_URI'] but that didn't work.
So I tried $_SERVER['SCRIPT_NAME'] which did work.
One more question: does $_SERVER['SCRIPT_NAME'] run OK on Windows servers?
Yes, but. $_SERVER is never guaranteed to exist, it's up to the environment to create these. Apache, IIS and CLI so far I've been able to retrieve REQUEST_URI and SCRIPT_NAME on. Generally, I use SCRIPT_NAME, but offhand I cannot recall what pathing it takes (absolute from filesystem root, or absolute from webroot; I was pretty sure it was filesystem root, but if it works in your code here, that's likely from document root).
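An added example, not part of the original posts: the offline-page check discussed in this thread, written against SCRIPT_NAME with a strict in_array, and run over a constructed request to show how PHP_SELF and REQUEST_URI differ from it. The function name, the sample IP addresses and the /index.php path are assumptions made for the illustration.

```php
<?php
// Added example; function and variable names are hypothetical.

// Decide whether a request may proceed while the site is offline.
// $server is passed in rather than read from $_SERVER so the function can
// be exercised with the constructed values below.
function is_request_allowed(array $server, array $publicPages, array $allowedIps): bool
{
    // SCRIPT_NAME is the path of the executing script. Unlike PHP_SELF it
    // does not carry trailing path info taken from the requested URL.
    $script = $server['SCRIPT_NAME'] ?? '';
    $ip     = $server['REMOTE_ADDR'] ?? '';

    // Third argument true: strict comparison, no type juggling.
    if (in_array($script, $publicPages, true)) {
        return true;                          // open to everyone
    }
    return in_array($ip, $allowedIps, true);  // anything else: listed IPs only
}

$publicPages = ['/offline.php', '/admin/offline.php'];
$allowedIps  = ['203.0.113.10'];              // constructed address

// Constructed request for /offline.php/extra?a=1 from an unlisted address.
$request = [
    'PHP_SELF'    => '/offline.php/extra',
    'SCRIPT_NAME' => '/offline.php',
    'REQUEST_URI' => '/offline.php/extra?a=1',   // includes the query string
    'REMOTE_ADDR' => '198.51.100.7',
];

// The public page is reachable when matched on SCRIPT_NAME ...
var_dump(is_request_allowed($request, $publicPages, $allowedIps));
// ... while an exact match on PHP_SELF or REQUEST_URI misses it.
var_dump(in_array($request['PHP_SELF'], $publicPages, true));
var_dump(in_array($request['REQUEST_URI'], $publicPages, true));

// Any other script is refused for this address and allowed for a listed one.
$request['SCRIPT_NAME'] = '/index.php';
var_dump(is_request_allowed($request, $publicPages, $allowedIps));
$request['REMOTE_ADDR'] = '203.0.113.10';
var_dump(is_request_allowed($request, $publicPages, $allowedIps));

// If PHP_SELF is ever written into a page (a form action, say), encode it.
echo htmlspecialchars($request['PHP_SELF'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

On a live page the caller would pass $_SERVER itself and send the visitor to /offline.php whenever the function returns false.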