
simple CMS security


4 replies to this topic

#1 rossh

rossh
  • Members
  • Advanced Member
  • 31 posts

Posted 18 October 2006 - 08:36 AM

Hi, I have a simple CMS which I hope to implement in my site; however, I have an issue with security that I was hoping someone could advise me on.

My current method of a simple CMS: I have an index.php file which is my template. In the content I have an include with a $page variable which I get from $_GET['page']. I know there are security issues with using variables in an include and I have a function which can deal with a user entering malicious data in the URL:

function checkPage($page){
    // Make sure $page only contains letters, digits, "-", "_", "/" and "." (eregi is
    // case-insensitive). eregi was removed in PHP 7; preg_match('/^[a-z0-9\-_\/.]+$/i', $page)
    // is the equivalent. Note the pattern does not by itself keep $page inside $dir.
    if(eregi("^[a-z0-9\-_\/.]+$", $page, $regs)){
        $dir = "content/"; //not strictly necessary, can be blank.
        $ext = ".htm"; //.php, .html, .txt, whatever

        if(file_exists($dir . $page . $ext)){
            include($dir . $page . $ext); //or readfile if not expecting php code
        }
        else
            echo '<H1>Object not found!</H1><h2>Error 404</h2><p>The requested URL was not found on this server.</p>'; //or something similar
    }
    else
        echo '<H1>Object not found!</H1><h2>Error 404</h2><p>The requested URL was not found on this server.</p>';
}

I was wondering if someone could tell me if this is a good enough solution or if my CMS is going to be vulnerable and put the server at risk? Is there a better solution, without using a third-party product, free or otherwise?

Thanks

Ross

#2 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 18 October 2006 - 08:46 AM

Just do this:
<?php
$pages = array( // GET var => file
		'page1' => 'page1.php',
		'page2' => 'page2.php',
		'home' => 'home.php',
	);

// look the request up as a key of the map, then check the mapped file exists
if(isset($_GET['page']) && is_string($_GET['page'])
	&& isset($pages[$_GET['page']]) && file_exists("pages/{$pages[$_GET['page']]}"))
{
	// do stuff, e.g. include "pages/{$pages[$_GET['page']]}";
}
else {
	echo "No such page";
}
?>


#3 rossh

rossh
  • Members
  • Advanced Member
  • 31 posts

Posted 18 October 2006 - 09:06 AM

Thanks for getting back to me. Isn't this a bit restrictive? If I have a large number of pages I don't want to put them into an array each time. Is this the only way to really be sure?

thanks

R

#4 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 18 October 2006 - 09:17 AM

You can create the array dynamically.
Imagine you have your page files named like this: *page*.page.php

Then you could use this code to do it:
<?php
$dir = "files";
$modules = array();

$dh = opendir($dir);
while(($file = readdir($dh)) !== false) // "!== false" so a file named "0" does not end the loop
{
	$module_name = explode('.',$file);
	// need at least name.page.php (3 parts); this skips ".", ".." and other files
	if(count($module_name) >= 3 && $module_name[count($module_name)-2] === 'page')
	{
		unset($module_name[count($module_name)-1]); unset($module_name[count($module_name)-1]);
		$modules[] = join('.',$module_name);
	}
}
closedir($dh);

$_GET['page'] = (isset($_GET['page']) && is_string($_GET['page'])) ? strtolower($_GET['page']) : '';

if(in_array($_GET['page'],$modules, true))
{
	include "{$dir}/{$_GET['page']}.page.php";
}
else {
	// escape the user-supplied value before echoing it back into the HTML
	echo "The page '" . htmlspecialchars($_GET['page']) . "' does not exist.";
}
?>
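As an added example (not code from this thread or any project), here is a resolver that combines the two replies: the strict name check from the first post, the allowlist built from the files on disk from the last reply, and a realpath check on top. It assumes Daniel0's "name.page.php" layout; listPages() and resolvePage() are hypothetical names, and the temporary directory at the end is constructed only to exercise the function.

```php
<?php
// Added example (not from the thread). Assumed layout: $dir holds "<name>.page.php"
// files as in Daniel0's reply; listPages() and resolvePage() are hypothetical names.

// Allowlist straight from the filesystem: "home.page.php" => "home".
function listPages(string $dir): array {
    $names = array();
    foreach (glob($dir . '/*.page.php') as $path) {
        $names[] = substr(basename($path), 0, -strlen('.page.php'));
    }
    return $names;
}

// Absolute path of the file to include, or null if the request is not an allowed page.
function resolvePage(string $dir, $page): ?string {
    // 1. Shape check before the value touches a path: letters, digits, '-' and '_' only,
    //    so '/', '.', empty strings and non-string input never reach file_exists().
    if (!is_string($page) || !preg_match('/^[a-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    // 2. Allowlist check against what is actually on disk (strict comparison).
    if (!in_array($page, listPages($dir), true)) {
        return null;
    }
    // 3. Defence in depth: the resolved file must sit inside the content directory.
    $base = realpath($dir);
    $full = realpath($dir . '/' . $page . '.page.php');
    if ($base === false || $full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Constructed self-check: a throwaway content directory with two pages.
$tmp = sys_get_temp_dir() . '/cms_' . uniqid();
mkdir($tmp);
file_put_contents($tmp . '/home.page.php', '<h1>Home</h1>');
file_put_contents($tmp . '/about.page.php', '<h1>About</h1>');
$checks = array(
    resolvePage($tmp, 'home') === realpath($tmp . '/home.page.php'),
    resolvePage($tmp, 'about') !== null,
    resolvePage($tmp, 'missing') === null,     // valid shape, but no such file
    resolvePage($tmp, '../index') === null,    // rejected at step 1
    resolvePage($tmp, 'home.page') === null,   // '.' is not allowed
    resolvePage($tmp, array('home')) === null, // ?page[]=home arrives as an array
);
echo in_array(false, $checks, true) ? "FAIL\n" : "all checks passed\n";
// In index.php: $file = resolvePage('files', $_GET['page'] ?? 'home'); include it or show "No such page".
```

Because the allowlist is rebuilt from the directory on each request, adding a page is just dropping a new name.page.php into the folder, which answers the "large number of pages" concern without widening what the URL can select.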


#5 rossh

rossh
  • Members
  • Advanced Member
  • 31 posts

Posted 18 October 2006 - 09:41 AM

Hi, thanks for this, I'll give it a try!

Ross
