redarrow Posted January 11, 2009 Share Posted January 11, 2009 why does this code not work please. There both equal as safe url even theo there not. <?php //if there any ? afther the .php url throw a error. if((preg_match("#[\/a-z]\.(php?)[a-z\=\&]#",$_SERVER['PHP_SELF']))){ echo HACKED; // if there a stright .php throw a error of safe. }elseif((preg_match("#[\/a-z]\.(php)#",$_SERVER['PHP_SELF']))){ echo SAFE; } ?> as you can see from here , They both echo the statement's tried the exit command dosent work properly they clash as if there both correct NOT TRUE. <?php if((preg_match("#[\/a-z]\.(php?)[a-z\=\&]#",$_SERVER['PHP_SELF']))){ echo HACKED; } if((preg_match("#[\/a-z]\.(php)#",$_SERVER['PHP_SELF']))){ echo SAFE; } ?> Quote Link to comment Share on other sites More sharing options...
corbin Posted January 11, 2009 Share Posted January 11, 2009 And what two URLs are you using? Quote Link to comment Share on other sites More sharing options...
redarrow Posted January 11, 2009 Author Share Posted January 11, 2009 I am using the core url. so i goto the web page of http;//www.google.com/mypage.php and php_self get mypage.php and the code should see if any think go after ? or not so in the browser if i add a ? to the url should get the error if not added should get safe. in thory. http;//www.google.com/mypage.php? the code is being used as it is there no think set relying on a user adding a ? to the url Quote Link to comment Share on other sites More sharing options...
Lamez Posted January 11, 2009 Share Posted January 11, 2009 what is it suppose to check if there is no query string? Quote Link to comment Share on other sites More sharing options...
redarrow Posted January 11, 2009 Author Share Posted January 11, 2009 Manual way dosent work. hack.php page name. <?php //if there any ? afther the .php url throw a error. if("/hack.php"==$_SERVER['PHP_SELF']){ echo SAFE; }elseif("/hack.php?"==$_SERVER['PHP_SELF'].'?'){ echo HACKED; } ?> Quote Link to comment Share on other sites More sharing options...
corbin Posted January 11, 2009 Share Posted January 11, 2009 You could just check $_SERVER['QUERY_STRING']. Why do you care if people tamper with the URL, though? Also, if((preg_match("#[\/a-z]\.(php?)[a-z\=\&]#",$_SERVER['PHP_SELF']))){ is entirely wrong. In that context, the ? would make the p in php optional (the last p). You would want to use: if((preg_match("#[\/a-z]\.(php)\?[a-z\=\&]#",$_SERVER['PHP_SELF']))){ Quote Link to comment Share on other sites More sharing options...
redarrow Posted January 11, 2009 Author Share Posted January 11, 2009 This was the only way cheers much easier. <?php if($_SERVER['QUERY_STRING']){ echo hacked; }else{ echo safe; } ?> I got a new book, And according to the new book, as from php6, it recommended to always cheek the query string has not got any alteration to it. it also shows ways to hack a database using mysql throw a unprotected query string while your a logged in user to any web site. So i had to do something knowing that but thank you. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.