
Protecting page


freelancer


I want to protect my webpage so that you can't include any page by writing &xxx=123 in the URL bar. If someone is on index.php and writes something like ?id=10&xx=20 in the URL bar, it should not include both things on one page. I found that file_exists() should help here, but I don't get where I must put the block with this. Here is my code:

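<?php

// Whitelist: URL key => file to include
$pages = array(
    'news'     => 'news.php',
    'articles' => 'articles.php',
    'test123'  => 'team/test123.php',
);

// Include the page named by "k" if it is in the whitelist, otherwise the news page.
if (isset($_GET['k']) && isset($pages[$_GET['k']])) {
    if ((strcmp($_GET['k'], 'team') == 0) && isset($_GET['id'])) {
        // nothing is included in this branch
    } else {
        include($pages[$_GET['k']]);
    }
} else {
    include($pages['news']);
}

// Runs regardless of "k": the page named by "id" is included as well
// if it is in the whitelist.
if (isset($_GET['id']) && isset($pages[$_GET['id']])) {
    include($pages[$_GET['id']]);
}

?>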

 

For example, if you are on the articles page and then write index.php?k=articles?id=test123 in the URL, it includes the test123 page just above articles. I don't want that; I want it to show an error like 'This page does not exist'.

 

Hope you understand,

Thank you :)

Link to comment
Share on other sites

What you can do is allow only an admin user to run files in protected directories, then have your index.php file located in an open directory, have that redirect users to your first page, and have your other files called within that script. That doesn't even use PHP, but system security. But it depends on your OS and server.

Link to comment
Share on other sites

Here is a copy and pasted script I use for doing this exact thing.

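<?php
// $pages is the whitelist array and $id the requested key.
// Unknown keys never reach fopen(); they fall through to the not-found page.
$includefile = isset($pages[$id]) ? $pages[$id] : '';
// using fopen to verify file. the third parameter triggers include_path search
// @ suppresses the warning fopen raises for a missing file, so no path is shown.
$handle = ($includefile !== '') ? @fopen($includefile, "r", true) : false;
if ($handle) {
    fclose($handle);
    include($includefile);
} else {
    include($pages['notfound']);
}
?>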

 

This takes the $pages[$id] parameter and uses fopen to verify the file exists. If so, it includes the file; if not, it includes a not found file.

 

 

Link to comment
Share on other sites

Actually I don't understand. It is your page, people cannot "include" another page by appending variables to your URL. I *think* you are trying to prevent users from entering variables into the URL which your page is configured to process, but which may not be valid variables. For instance index.php?k=articles?id=12345 may be valid, but index.php?k=articles?id=67890 is not. Is that correct?

 

Part of the problem is that the formatting of your code is not very structured and makes it difficult to see possible errors in the logic. When using multiple if/elses you should "nest" them such that you can see which ones are included as children of others.

 

Looking at your code I cannot determine what the flow should be. I started to write something, but what you have just doesn't make sense to me. If you could explain, in detail, what you want to happen and what the k and id are supposed to represent, that would be helpful.

Link to comment
Share on other sites

You don't have to worry about people including files in your pages by appending vars to the URL. If you don't have an entry in your $pages array for the item appended to the URL, then it will not include anything, but it will throw an error.

 

You do have to worry about the errors that you get when you try to include a file that doesn't exist. It may give people information about your paths and such that you don't want showing to the general public.

 

That's why I use the script I posted above. If the file does not exist, then it includes a not found page.

 

If your id var is the one that determines the page, then something like this will do nothing.

 

http://yoursite.com?k=articles&id=123456&this_var=include_me&another_var=this_that

 

this_var and another_var will not do a thing. You would have to have $_GET[] superglobals to grab those and do something with them.

 

Regards

Link to comment
Share on other sites

I meant that if you enter a correct value which is in the pages array, then it includes this above my page. I want to know whether it is possible to make it so that it won't show it, or so that an error will be shown if you attempt it.

 

There are actually more arrays in my real code but I just removed them for the forum. You can give it a try -

 

My page:

http://www.team-kommando.com/web

 

Now you move somewhere, for example to 'results' - the URL will be: http://www.team-kommando.com/web/index.php?k=results and now if I write index.php?k=results&id=Cranx there, then it displays it there too.

Link to comment
Share on other sites

OK, so you need to create your code so it will only show one. As I said before, I could not follow the logic in the code above. I suggest you get out a piece of paper and create a flow chart to map out how that page should process.

 

Here is an example:

 

1. Verify if page has included k and/or id variables on the query string

2a. If no variables passed display an error and stop processing that script (except for closing the HTML)

2b. If there is a k AND an id variable decide which one the page will default to using. Then verify that the passed value is valid

3a. If the passed value is not valid display an error and stop processing the script

3b. If the value is valid show the appropriate content

Link to comment
Share on other sites
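The flow listed above, combined with the whitelist and file-existence check from the earlier replies, as an added example that is not part of the original thread. resolve_page(), the notfound.php page and the temporary page files are constructed for the demo; falling back to the news page when no variable is passed follows the original poster's code, and refusing a request that carries both k and id is one possible choice for step 2b, matching the original poster's wish for an error page.

```php
<?php
// Added example: one-page-per-request router built on a whitelist.
// Page files are created in a temp directory so the script runs stand-alone.
$base = sys_get_temp_dir() . '/pages_demo_' . getmypid();
@mkdir("$base/team", 0700, true);
foreach (['news.php', 'articles.php', 'team/test123.php', 'notfound.php'] as $f) {
    file_put_contents("$base/$f", "<p>content of $f</p>\n");
}

// The only files that may ever be included. User input is a key, never a path.
$pages = [
    'news'     => 'news.php',
    'articles' => 'articles.php',
    'test123'  => 'team/test123.php',
];

/** Return the single file to include for this query (hypothetical helper). */
function resolve_page(array $query, array $pages, string $base): string
{
    $notFound = "$base/notfound.php";
    $hasK  = array_key_exists('k', $query);
    $hasId = array_key_exists('id', $query);

    if (!$hasK && !$hasId) {
        return "$base/" . $pages['news'];   // no selector: default page
    }
    if ($hasK && $hasId) {
        return $notFound;                   // two selectors: never show two pages
    }
    $key = $hasK ? $query['k'] : $query['id'];
    // ?k[]=x arrives as an array; reject it and unknown keys before any file access.
    if (!is_string($key) || !isset($pages[$key])) {
        return $notFound;
    }
    $file = "$base/" . $pages[$key];
    // is_file() raises no warning for a missing file, so no path is disclosed.
    return is_file($file) ? $file : $notFound;
}

// Constructed query strings; in index.php pass $_GET and include() the result.
foreach (['', 'k=articles', 'id=test123', 'k=articles&id=test123', 'k=unknown', 'k[]=news'] as $qs) {
    parse_str($qs, $query);
    printf("%-24s => %s\n", $qs === '' ? '(empty)' : $qs, basename(resolve_page($query, $pages, $base)));
}
```

In a real index.php the last loop is replaced by a single `include resolve_page($_GET, $pages, __DIR__);` so exactly one file is included per request.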
