
Archived

This topic is now archived and is closed to further replies.

rossh

simple CMS security


Hi, I have a simple CMS which I hope to implement on my site, however I have an issue with security that I was hoping someone could advise me on.

My current method of a simple CMS: I have an index.php file which is my template. In the content I have an include with a $page variable which I get from $_GET['page']. I know there are security issues with using variables in an include and I have a function which can deal with a user entering malicious data in the URL:-

[code]<?php
function checkPage($page)
{
    // Same character class as the original eregi() call; eregi() was removed in PHP 7,
    // so preg_match() with the /i modifier is used instead. Note that '.' and '/' are
    // both allowed by this class, so a value such as "../other" passes the check.
    if (preg_match('/^[a-z0-9\-_\/.]+$/i', $page)) {
        $dir = "content/"; // not strictly necessary, can be blank.
        $ext = ".htm";     // .php, .html, .txt, whatever

        if (file_exists($dir . $page . $ext)) {
            include($dir . $page . $ext); // or readfile if not expecting php code
        } else {
            echo '<H1>Object not found!</H1><h2>Error 404</h2><p>The requested URL was not found on this server.</p>'; // or something similar
        }
    } else {
        echo '<H1>Object not found!</H1><h2>Error 404</h2><p>The requested URL was not found on this server.</p>';
    }
}
?>[/code]

I was wondering if someone could tell me if this is a good enough solution or if my CMS is going to be vulnerable and put the server at risk?  Is there a better solution, without using a third party product free or otherwise?

Thanks

Ross

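The check above is worth probing concretely. Its character class admits both '.' and '/', so a request like page=../secret satisfies the regex, file_exists() then tests content/../secret.htm, and include() runs whatever that file contains. The appended .htm suffix limits which files can be reached, but not where on disk they may live. The following script, an added example that is not code from the thread, shows which inputs the original pattern lets through and contrasts it with a resolver that rejects path separators outright and also confirms with realpath() that the resolved file sits under the content directory. The fixture directory, file names and function names (regexAllows, resolvePage) are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original post. Builds a throwaway content directory,
// then compares the original regex against a hardened resolver.

function regexAllows(string $page): bool {
    // Same character class as the original eregi() pattern in checkPage().
    return preg_match('/^[a-z0-9\-_\/.]+$/i', $page) === 1;
}

// Hardened resolver: one path segment of word characters only, then a realpath()
// containment check so the final file must live under $contentDir.
function resolvePage(string $contentDir, string $page): ?string {
    if (preg_match('/^[a-z0-9_-]+$/i', $page) !== 1) {
        return null; // no '.', no '/', so no traversal sequence can be expressed
    }
    $base = realpath($contentDir);
    $candidate = realpath($contentDir . DIRECTORY_SEPARATOR . $page . '.htm');
    if ($base === false || $candidate === false) {
        return null; // directory or page file does not exist
    }
    // Defence in depth: even if the regex were loosened later, the canonical path
    // must start with the canonical content directory plus a separator.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed fixture (assumed layout): one real page, one file outside the content dir.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cms-demo-' . uniqid();
mkdir($root . '/content', 0700, true);
file_put_contents($root . '/content/about.htm', '<p>About us</p>');
file_put_contents($root . '/secret.htm', 'not meant to be served');

$inputs = ['about', '../secret', 'about/../../secret', 'missing'];
foreach ($inputs as $in) {
    printf("%-22s original regex: %-4s  hardened resolver: %s\n",
        var_export($in, true),
        regexAllows($in) ? 'pass' : 'fail',
        resolvePage($root . '/content', $in) ?? 'rejected');
}

// Tidy up the fixture.
unlink($root . '/content/about.htm');
unlink($root . '/secret.htm');
rmdir($root . '/content');
rmdir($root);
```

Running it shows '../secret' and 'about/../../secret' passing the original regex while only 'about' survives the resolver. The realpath() step is what catches a loosened regex or a symlink dropped into the content directory; the strict character class is what keeps the error path from ever touching the filesystem with attacker-shaped input.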
Just do this: [code]<?php
$pages = array( // GET var => file
    'page1' => 'page1.php',
    'page2' => 'page2.php',
    'home'  => 'home.php',
);

// Only a plain string can be a page name; arrays or a missing parameter map to ''.
$page = is_string($_GET['page'] ?? null) ? $_GET['page'] : '';

// Look the request up as a key of the allowlist; the raw GET value never reaches a path.
if (isset($pages[$page]) && file_exists("pages/{$pages[$page]}"))
{
    // do stuff, e.g. include "pages/{$pages[$page]}";
}
else {
    echo "No such page";
}
?>[/code]

Thanks for getting back to me. Isn't this a bit restrictive? If I have a large number of pages, I don't want to put them into an array each time. Is this the only way to really be sure?

thanks

R

You can create the array dynamically.
Imagine your page files are named like this: *page*.page.php

Then you could use this code to do it: [code]<?php
$dir = "files";
$modules = array();

// Build the list of allowed page names from what is actually on disk.
$dh = opendir($dir);
while (($file = readdir($dh)) !== false)
{
    // Only *.page.php files count; strip the suffix to get the page name.
    if (substr($file, -9) === '.page.php')
    {
        $modules[] = substr($file, 0, -9);
    }
}
closedir($dh);

$page = is_string($_GET['page'] ?? null) ? strtolower($_GET['page']) : '';

// Strict comparison against the names found on disk.
if (in_array($page, $modules, true))
{
    include "{$dir}/{$page}.page.php";
}
else {
    // Escape the echoed value so a bad request cannot inject HTML into the error page.
    echo "The page '" . htmlspecialchars($page, ENT_QUOTES, 'UTF-8') . "' does not exist.";
}
?>[/code]

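The dynamic allowlist in the reply above scans one flat directory. As an added example that is not code from the thread, the script below generalises it to a content tree: it walks the directory once, records each *.page.php file under a slug made from its path relative to the content root (so docs/api/auth becomes a valid page name without the URL ever being used as a path), and then routes purely by exact key lookup. Because the map is built from the filesystem and the request is only ever compared against its keys, '..', absolute paths and files with other extensions have no entry and are rejected without any normalisation of the input. The layout, the slugs and the function names (buildPageMap, routePage) are assumptions for the demonstration.

```php
<?php
// Added example, not from the original post: allowlist built once from a content tree,
// nested pages addressed by slug, lookup by exact key only.

function buildPageMap(string $contentDir, string $suffix = '.page.php'): array {
    $base = realpath($contentDir);
    if ($base === false) {
        return [];
    }
    $map = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS));
    foreach ($walker as $file) {
        $name = $file->getFilename();
        if (substr($name, -strlen($suffix)) !== $suffix) {
            continue; // not a page file
        }
        // Slug = path relative to the content root, suffix removed, '/' separated.
        $rel  = substr($file->getPathname(), strlen($base) + 1);
        $slug = str_replace(DIRECTORY_SEPARATOR, '/', substr($rel, 0, -strlen($suffix)));
        $map[$slug] = $file->getPathname();
    }
    ksort($map);
    return $map;
}

function routePage(array $map, string $requested): ?string {
    // Exact-key lookup: the request is compared, never interpreted as a path.
    return $map[$requested] ?? null;
}

// Constructed fixture (assumed layout): pages at three depths, a non-page file,
// and a page-looking file outside the content root.
$root = sys_get_temp_dir() . '/cms-map-' . uniqid();
foreach (['', '/docs', '/docs/api'] as $d) {
    mkdir($root . '/content' . $d, 0700, true);
}
file_put_contents($root . '/content/home.page.php', '<?php echo "home";');
file_put_contents($root . '/content/docs/intro.page.php', '<?php echo "intro";');
file_put_contents($root . '/content/docs/api/auth.page.php', '<?php echo "auth";');
file_put_contents($root . '/content/notes.txt', 'not a page');
file_put_contents($root . '/config.page.php', '<?php echo "outside";');

$map = buildPageMap($root . '/content');
echo "allowed slugs: " . implode(', ', array_keys($map)) . "\n";

foreach (['docs/intro', '../config', 'docs/api/auth', 'notes', '/etc/passwd'] as $req) {
    $target = routePage($map, $req);
    printf("%-16s -> %s", $req, $target === null ? "rejected\n" : "");
    if ($target !== null) {
        include $target;
        echo "\n";
    }
}

// Tidy up the fixture, children before parents.
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST);
foreach ($cleanup as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

In a real deployment the scan belongs at startup or in a cache (APCu, or a PHP array written out at deploy time) rather than on every request, but the security property does not depend on that: whatever the request contains, it either equals one of the slugs the scan produced or it is refused.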