onimusha8666, posted March 15, 2007

This is the include code a friend wrote for me for my website:

    <?php
    $id = $_GET['id']; // Page requested
    if (strstr($id, "..") != FALSE) {
        include("blocked.html"); // Give them an error message
    } else {
        include($id);
    }
    ?>

This code does not seem to be very secure, as people can easily run remote websites and scripts through my site (i.e. by typing ...php?id=http://website.com). I was wondering if maybe someone could show me a more secure include, since I am having trouble finding one that works. Also, if there are better methods with similar functions to this code, please enlighten me @_@. Thanks in advance (sorry for my noobness, but I really don't know PHP :'( ).
obsidian, posted March 15, 2007

One of the best ways is to simply have a list of acceptable include files to match against. This probably requires the least amount of recoding:

    <?php
    $allowed = array('home.php', 'about.php', 'contact.php');
    if (isset($_GET['id'])) {
        if (in_array($_GET['id'], $allowed)) {
            // It's trusted, so include it
            include($_GET['id']);
        }
    }
    ?>

This is still not the best way, but it's a heck of a lot more secure than what you currently have.
onimusha8666 (author), posted March 15, 2007

Thanks a bunch, I'll try it.
HaLo2FrEeEk, posted March 15, 2007

Most site hosts don't allow URL access in include and stuff like that, for this reason exactly. Some do, though.
Fergusfer, posted March 15, 2007

Quoting onimusha8666:

    This is the include code a friend wrote for me for my website:

        <?php
        $id = $_GET['id']; // Page requested
        if (strstr($id, "..") != FALSE) {
            include("blocked.html"); // Give them an error message
        } else {
            include($id);
        }
        ?>

    This code does not seem to be very secure [...]

There's an understatement. Do you (or your host) have the open_basedir restriction in effect? Simply disallowing ".." in the path does not prevent someone from going above your document root.

It's difficult to propose an ideal solution without knowing more about what you're trying to do. You could, for example, create a table in a database, or even an array, and correlate allowed pages to an integer ID, which would give you total control over what's being loaded.

At the very least, you should strongly consider disallowing "..", "/" and all URLs. Removing "/" precludes you from using include() to load files from subdirectories, though. You could use this, for example:

    <?php
    $strippedId = str_replace(array('://', '/', '..'), '', $_GET['id']);
    // This checks to see if an illegal value was stripped; it asks whether the output of str_replace() changed
    if ($strippedId != $_GET['id']) {
        include("blocked.html"); // Give them an error message
    } else {
        include($strippedId);
    }
    ?>

You could also consider prefacing the arguments to include() with your document root (DOCUMENT_ROOT has no trailing slash, so one is added):

    include($_SERVER['DOCUMENT_ROOT'] . '/' . $strippedId);

Quoting onimusha8666:

    Thanks in advance (sorry for my noobness, but I really don't know PHP :'( ).

No offence, but neither does your friend. He knows enough to be dangerous.
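An added example (not code posted in this thread) that puts obsidian's allowlist and Fergusfer's "map page IDs to files under the document root" idea together: the request parameter is only ever used as a key into a fixed array, so nothing from $_GET is used as a path, and a realpath() check keeps even a mistyped allowlist entry inside the pages directory. The 'pages' directory, the page keys and blocked.html's location are assumptions; the server-side counterpart is open_basedir (mentioned above) plus allow_url_include = Off in php.ini.

```php
<?php
// Added example, not the thread's own code. Directory layout and page keys are assumed.

// The only pages that may ever be included, keyed by the value accepted in ?id=
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a requested page id to an absolute file path, or null if it is not allowed.
 * The id is only a key into PAGES, so "..", "/" and "http://" never reach include().
 */
function resolvePage(string $id, string $baseDir): ?string
{
    if (!array_key_exists($id, PAGES)) {
        return null;                              // unknown id: not in the allowlist
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$id]);

    // Defence in depth: a bad PAGES entry (or a symlink) still cannot escape $baseDir
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$pagesDir = $_SERVER['DOCUMENT_ROOT'] . '/pages';    // assumed layout
$id       = $_GET['id'] ?? 'home';                   // default page when ?id= is absent
$file     = resolvePage(is_string($id) ? $id : '', $pagesDir);

if ($file === null) {
    http_response_code(404);
    include $pagesDir . '/blocked.html';   // the thread's error page, kept inside pages/
} else {
    include $file;
}
```

Adding a page means adding one line to PAGES; a request such as ?id=http://website.com or ?id=../../etc/passwd simply misses the array and gets blocked.html.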
onimusha8666 (author), posted March 15, 2007

Thanks, Fergus, for the code. I tried yours too, and it seems to be a lot more convenient than creating a list of allowed web pages.

My troubles are thus: until I find the time to really sit down and teach myself PHP, my knowledge only extends to HTML, and I only know enough to manipulate PHP rather than write it myself. What I am really trying to do is create a convenient way to code my site so I can easily manage pages and have code that places the content where I want it to appear in my layout. The PHP include codes like these are the only methods I really know of without using some kind of third-party script or program to manage things. The PHP you guys have given me seems perfectly sufficient imo and does exactly what I want, but maybe there is a better way? When I say better, I really mean more secure. Obviously my knowledge is limited, as I have been coding websites pretty much the same exact way since 6th grade (I'm a senior in HS now), and I figure the easiest way to find out how things should be done is to just ask the experts. Thanks for the help so far; you're doing this noob a great favor <3.

Quoting Fergusfer:

    Quoting onimusha8666:

        Thanks in advance (sorry for my noobness, but I really don't know PHP)

    No offence, but neither does your friend. He knows enough to be dangerous.

I think saying he was my friend might have been an overstatement. =P