doubledee Posted July 2, 2012
Thread: https://forums.phpfreaks.com/topic/265091-loading-files-by-self/

I am wrapping up testing all of my scripts before I go live with Release #2. One test I was thinking of doing is loading each script - by itself - and making sure I don't get any errors.

For example, normally to display a User's Profile, you would click on a hyperlink like this...

/account/profile.php?user=$DoubleDee&tab=about-me

My "profile.php" was never designed to be loaded directly, but I am thinking it should be able to be loaded and at least not spew out any nasty error messages.

If you were a hacker, wouldn't that be a good approach to take to learn more about a system... Navigate the website normally, take an inventory of every script's name, and then try and load those files directly and see what errors occur.

Any thoughts on this idea of mine??

Thanks,

Debbie
scootstah Posted July 2, 2012

I don't think there is much you can do to prevent errors in that scenario. There will obviously be uncontrollable errors if profile.php relies on constants or a database connection created in a script that include'd it.

What most CMS and frameworks do is check to make sure if the pages have been include'd or not by checking for a constant. For example in CodeIgniter, everything is routed through the index.php file (which is pretty common). The index.php file defines a BASEPATH constant, so all subsequent files in the framework check that the constant is defined, because that means it was not accessed directly but through the framework as expected.

Another thing you could do is use an .htaccess file to deny users from viewing those files.
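The constant check and the .htaccess deny described above, as an added example (not code from the thread or from CodeIgniter). The layout (docroot/index.php plus docroot/app/) and the marker name APP_ENTRY are assumptions standing in for CodeIgniter's BASEPATH; the page whitelist is assumed too.

```php
<?php
// ---- docroot/index.php: the single entry point (layout assumed, see lead-in) ----
// Define a marker constant before any page file is pulled in. APP_ENTRY is an assumed
// name standing in for CodeIgniter's BASEPATH; only this file ever defines it.
define('APP_ENTRY', true);

// Route by whitelist: the request picks a key, never a file name, so a value such as
// ?page=../../something can only miss the map and receive a 404.
$pages = array('profile' => 'profile.php', 'news' => 'news.php');
$page  = isset($_GET['page']) ? $_GET['page'] : 'news';
if (!isset($pages[$page])) {
    http_response_code(404);
    exit('Not found');
}
require __DIR__ . '/app/' . $pages[$page];

// ---- docroot/app/profile.php: refuses to run unless index.php set the marker ----
// (shown in the same listing for brevity; on disk it is a separate file)
if (!defined('APP_ENTRY')) {
    // Reached as GET /app/profile.php: stop before any DB handle, session state or
    // variable that index.php was expected to set up is touched, so no notice leaks.
    http_response_code(404);   // answer like a missing page rather than confirming the file exists
    exit;
}
// ... page code that relies on what index.php set up goes below the guard ...

// ---- docroot/app/.htaccess: second layer, blocks direct requests at the web server ----
//   Require all denied          (Apache 2.4)
//   Order deny,allow            (Apache 2.2)
//   Deny from all
```

The .htaccess lines are shown as a comment so the listing stays one PHP file; they belong in a real .htaccess inside app/, and index.php still reaches the files because require works on the filesystem, not over HTTP.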
doubledee Posted July 2, 2012 (Author)

Quoting scootstah:
I don't think there is much you can do to prevent errors in that scenario. There will obviously be uncontrollable errors if profile.php relies on constants or a database connection created in a script that include'd it. What most CMS and frameworks do is check to make sure if the pages have been include'd or not by checking for a constant. For example in CodeIgniter, everything is routed through the index.php file (which is pretty common). The index.php file defines a BASEPATH constant, so all subsequent files in the framework check that the constant is defined, because that means it was not accessed directly but through the framework as expected.

Well, since I am not using OOP or MVC this go around, do you have advice on what to do to combat this (beyond your advice below)? Am I being too paranoid here, or is this a security risk I need to actively address?

Quoting scootstah:
Another thing you could do is use an .htaccess file to deny users from viewing those files.

1.) What would be the implications of that?
2.) Would it affect performance?
3.) Could it break my scripts?
4.) Would it be a maintenance nightmare?

Debbie
scootstah Posted July 2, 2012

Quoting doubledee:
1.) What would be the implications of that?
2.) Would it affect performance?
3.) Could it break my scripts?
4.) Would it be a maintenance nightmare?

The answer to all of the above is: it depends how you have structured your application. If you have something like below then you can just deny the whole directory (if profile.php is include'd through index.php).

docroot/
    app/
        profile.php
        news.php
    index.php

If it looks more like below then it'll probably be slower and harder to maintain.

docroot/
    index.php
    profile.php
    news.php

How is profile.php normally loaded?
doubledee Posted July 2, 2012 (Author)

Here is a sample of how I have things structured in the Web Root...

index.php
/account
/account/profile.php
/account/log_in.php
/account/log_out.php
/account/my_account.php
and so on...
/articles
/articles/index.php
/articles/article.php
and so on...
/components
/components/header.inc.php
/components/footer.inc.php
and so on...
/utilities
/utilities/functions.php
Other Directories

I am using about as simple of a structure as you can. Basically just like you would use in the old days when you just had HTML files and hyperlinks?!

I don't include much, usually just either my Config file, or maybe "functions.php" or any files in the Components directory.

Debbie
scootstah Posted July 2, 2012

So if you are directly loading the files anyway, I don't really understand what you are asking.
doubledee Posted July 2, 2012 (Author)

Quoting scootstah:
So if you are directly loading the files anyway, I don't really understand what you are asking.

Well, to read an Article you need a query string in addition to the "article.php" file itself, e.g.

http://local.debbie/articles/consider-becoming-an-s-corporation

So if I just loaded "article.php" by itself I get...

Notice: Undefined variable: articleID in /Users/user1/Documents/DEV/++htdocs/06_Debbie/articles/article.php on line 278
Call Stack

Maybe that just means I did not properly do all of the Error-Handling I needed to?

I haven't tried loading all of my files directly, but the example above is what prompted this thread...

Debbie
kicken Posted July 2, 2012

Add checks to the pages to ensure the parameters you need are present. If they are not, re-direct them somewhere that seems appropriate. For example with your articles:

if (!isset($_GET['articleID'])) {
    // Redirect to the article listing (path taken from the layout posted above)
    header('Location: /articles/index.php');
    exit;
}
scootstah Posted July 2, 2012

Quoting doubledee:
Well, to read an Article you need a query string in addition to the "article.php" file itself, e.g. http://local.debbie/articles/consider-becoming-an-s-corporation So if I just loaded "article.php" by itself I get... Notice: Undefined variable: articleID in /Users/user1/Documents/DEV/++htdocs/06_Debbie/articles/article.php on line 278 Call Stack Maybe that just means I did not properly do all of the Error-Handling I needed to? I haven't tried loading all of my files directly, but the example above is what prompted this thread...

Then it sounds like you just need to come up with some default behavior. For example if no article ID is available, maybe list all of the articles... or just redirect like kicken said.
doubledee Posted July 3, 2012 (Author)

Quoting scootstah:
Then it sounds like you just need to come up with some default behavior. For example if no article ID is available, maybe list all of the articles... or just redirect like kicken said.

I just went through ALL of my scripts and tried them both Logged-In and Logged-Out. I am happy to say that all of my scripts ran as expected (i.e. ran successfully or displayed an error-handling message), except the one file which had issues.

(Ironically, my "article.php" file was the only one with issues, yet the first one I tried?! So I freaked out and created this thread prematurely! Whew!)

And it looks like the problem with "article.php" can be fixed if I can just get some help in the MOD_REWRITE forum, as I apparently accidentally deleted something in my .htaccess file?!

Thanks,

Debbie
haku Posted July 3, 2012

You don't need to do anything with mod_rewrite or .htaccess. All you need to do is check if the variable exists before you use it. So if you are going to use $_GET['some_variable'], then before you use it, you would check if it exists using isset():

if (isset($_GET['some_variable'])) {
    print htmlspecialchars($_GET['some_variable']);
}
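Putting kicken's redirect and haku's isset() check together for the article.php case from this thread, as an added example (not Debbie's script). The PDO handle $pdo, the articles table and its columns, and the /articles/ listing path are assumptions.

```php
<?php
// articles/article.php: validate the request before touching it, and keep PHP notices
// out of the response so a direct load never prints a path like the one quoted above.
// (Best set in php.ini; ini_set here still covers notices raised later in this script.)
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Default behaviour when the parameter is missing or malformed: send the visitor to the
// listing instead of rendering with an undefined $articleID.
function requestedArticleId(array $get)
{
    if (!isset($get['articleID'])) {
        return null;                      // absent: same notice-free path as a bad value
    }
    $raw = $get['articleID'];
    // Positive integer only; rejects '', '1 OR 1=1', '007.5' and so on.
    return (is_string($raw) && ctype_digit($raw) && (int)$raw > 0) ? (int)$raw : null;
}

$articleID = requestedArticleId($_GET);
if ($articleID === null) {
    header('Location: /articles/', true, 302);
    exit;
}

// Look the article up with a bound parameter (assumed $pdo from the Config include).
$stmt = $pdo->prepare('SELECT title, body FROM articles WHERE id = :id');
$stmt->execute(array(':id' => $articleID));
$article = $stmt->fetch(PDO::FETCH_ASSOC);
if ($article === false) {
    http_response_code(404);
    exit('Article not found');
}

// Escape on output with an explicit charset and quote handling, as haku's snippet does.
echo '<h1>', htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8'), '</h1>';
```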