[How-To] PHP Security

kiwi said:
could they not write their own encyption? for example a simple ROT-13 would leave the password unreadable if database access was gained. obviously, they would use a cyper that's a little harder to break :p


If they used base64 it'd be even more unreadable, but just as easy to "crack".
 
Hi

I use a script for my pages on my site
Basically if a user was to click a link for e.g. page 3 then he/she would be taken to index.php?page=3
Now, I read the guide and it said that this is unsafe.
But thats not the case with mine... unless i'm wrong.
At the end I tried putting index.php?page=http://www.xoopiter.com/forums/index
I didn't put the extension on because the script adds it automatically.
Now when I run that it just gives a PHP error and doesn't do anything.

So this script is safe if you are a person that wants to use this nice little script.
Here's the code:

Code:
<? if($page) { include("pages/$page.php"); } else { include("pages/pagenumber.php"); } ?>

So here's how you use it:

You put the code in your index file ON ITS OWN.
Then when you load the page then it will look in the file pages/pagenumber.php and display it on the index page, so you set the bit pages/pagenumber.php to point to where your index file is.

e.g.

files/index.php

Now that you have done that your index page will display on the page with that coding in it.
Now you see the directory/$page.php bit - that tells it where to be looking for the file you specify.
So this would basically read from /directory and then display the page:

e.g.
index.php?page=news

That URL would then display the file news.php from /directory.


Okay, now to change the 'page' bit you have to change these:

Code:
<? if($file) { include("directory/$file.php"); } else { include("pages/pagenumber.php"); } ?>

See how I have changed the $page at the start and the $page.php in the middle.

Now the code just above would allow you to access the file directory/filefile.php by typing in index.php?file=filefile

_________________________________________________________

So basically, based on the first code i provided, you would just need to change the $page bit and the $page.php bit to have something else other than index.php?page=
The { include("pages/$page.php"); } bit just tells the php code where to look for the file you type in after the equals
for example:
index.php?page=file1
That would load file1.php from the 'pages' directory.



I hope you can understand what to do for this script.
If you need any further help then please contact me through one of these:

MSN: [email protected] (signed in 24/7 unless im in game)
Yahoo: nykampcw (signed in most of the time)
Email: [email protected] (checked daily)

Cheers

Craig.
 
Last edited:
If people insist on using the oh-so inferior ?page=* method, then here's a script that isn't like a colander.

Code:
<?php

// Name your content files with this extension,
// and pass the page without the extension
// Example: content in page1.inc.php, url will be
// thisfile.php?page=page1
$extension = '.inc.php';

// Strip HTML
$page = strip_tags($_GET['page']);
// Strip double full stops to stop people navigating outside the current directory
$page = str_replace('..', '', $page);
// Strip any characters that aren't word characters, -, _ or . for a number of reasons
$page = preg_replace('|[^\w-_\.]|', '', $page);

if(file_exists(dirname(__FILE__).'/'.$page.$extension)) {
	
	include $page.$extension;
	
} else {
	
	include 'default'.$extension;
	
}

?>
 
Last edited:
robmiller said:
If people insist on using the oh-so inferior ?page=* method, then here's a script that isn't like a colander.

Code:
snip

I quite agree, I'd stretch as far as using ForceType, to make neat search engine friendly URLs (plus slightly disguising PHP being the force behind the pages). But for anything else seperate php files which keep to a specific function.
 
robmiller:
That doesn't do a includes thing to show a page on the index file itself does it?
Anyways, that script I gave doesn't allow people to navigate outside the directory ;)
 
Craig321 said:
What's that ment to do :p?
Does nothing ;)

Recursively includes itself. The script you posted is vunerable to it. Maybe not on your server but it will most likely be anywhere else.

But shall we have some fun with your PHP on planet uploads? ;)

So here we go:

http://www.planetuploads.com/index.php?page=blah

Nice errors, so we know where "pages" are kept.
Lets go directly to one of the pages

http://www.planetuploads.com/pages/1.php

I could use the errors on the page to see what other information I can find from the other included files... But wait I don't need to, the script is stuck in a loop saying:
Warning: feof(): supplied argument is not a valid stream resource in /home/nykampm/public_html/cnupload/pages/1.php on line 44

Warning: fgets(): supplied argument is not a valid stream resource in /home/nykampm/public_html/cnupload/pages/1.php on line 45

over and over.

:)

Kinda underlines why using a ?page=x thing is a bad idea. :)
 
Craig321 said:
robmiller:
That doesn't do a includes thing to show a page on the index file itself does it?
Anyways, that script I gave doesn't allow people to navigate outside the directory ;)


Yes, yes it does.

Your script doesn't have any error checking, relies on register_globals being on and does allow people to go out of the directory. Accessing "/etc/../usr/bin" is just the same as accessing "/usr/bin".
 
Last edited:
Seeing as I'm not exactly an expert, how's this for security? :p
Code:
<?php
/************************* INCLUDE PAGE ***********************/

	$pages = array (
		"home" => "home.php",
		"news" => "news.php",
		"news_archive" => "news_archive.php",
		"gallery" => "gallery.php",
		"movie" => "movie.php",
		"downloads" => "downloads.php",
		"team" => "team.php",
		"stats" => "stats.php",
		"contact" => "contact.php",
		"movie" => "movie.php",
		"admin" => "admin_login.php",
		"mail_confirm" => "mail_confirm.php",
		"mail_result" => "mail_result.php",
	);
	
	$path = strip_tags ($_GET['path']);
	$page = strip_tags ($_GET['page']);
	$include = "pages/";
				
	if (!$page) {
		$include .= "news.php";
		$self = $_SERVER['PHP_SELF']."?page=news";
	}
	elseif (array_key_exists ($page, $pages) AND !file_exists ($include.$pages[$page])) {
		$include .= "construction.php";
		$self = $_SERVER['PHP_SELF']."?page=".$page;
	}
	elseif (!array_key_exists ($page, $pages)) {
		$include .= "not_found.php";
		$self = $_SERVER['PHP_SELF']."?page=".$page;
	}
	else {
		$include .= $pages[$page];
		$self = $_SERVER['PHP_SELF']."?page=".$page;
	}
	
	if (file_exists ($include)) {
		include ($include);
	}

?>
 
robmiller said:
Looks ok, but you don't need to define $self, seen as what you're defining it to will just be the same as $_SERVER['REQUEST_URI'] anyway :)
So is it unsafe????
Or weren't you on abut the script I have?
 
Rob, please can you email me an example of how they could get out of the directory
Not here cause someone might wanna use it :(
Thanks.
(Email in trust)
 
clogiccraigm said:
Is phpInfo(); dangerous?


It's not dangerous per se, but it's a good idea to keep info pages hidden, just in case they reveal server versions and whatnot which could be clues as to what the server is vulnerable to etc :)
 
Craig321 said:
Rob, please can you email me an example of how they could get out of the directory
Not here cause someone might wanna use it :(
Thanks.
(Email in trust)


index.php?page=../../../../etc/passwd

Would display all your server's usernames and information, for example (if you're on Linux, that is). If you're on Windows, I'm sure you could do some other crazy things.

You're also vulnerable to, like Ben said, the infinite including of itself by passing it a relative path of itself - if "pages" is a subdirectory of the directory index.php is in, then you just need to go to index.php?page=../index.
 
Back
Top Bottom