
Checking array before show_source() of file.


Xeoncross


I am trying to create an array of the files that I will allow to show the source code of. These files will be in a multidimensional array and when someone asks my script to highlight a file (using a $_GET like "show_source.php?page=index.php") I will check to make sure that the file is in the array before I highlight the PHP code and show it to the user. Basically, I want to prevent something like "show_source.php?page=../db.php"

 

 

Here is what the array "$files" looks like:

 

Array
(
    [1] => Array
        (
            [level] => 1
            [name] => index.php
            [path] => /path/cms/
        )
    [2] => Array
        (
            [level] => 2
            [name] => functions.php
            [path] => /path/cms/functions/
        )
    [3] => Array
        (
            [level] => 3
            [name] => login.php
            [path] => /path/cms/admin/
        )
    [4] => Array
        (
            [level] => 3
            [name] => functions.php
            [path] => /path/cms/admin/
        )
)

 

I have tried something like this but I can't get it to work.

<?php

//NOTE: The list of ok files to highlight is called "$files".

//Let's make two files that a user could try to highlight.
$page = 'functions.php';
$page2 = 'sdkfjsdkfjdj.php';

if (!in_array($page2, $files)) {

    $content .= '<ul id="pages">';
        foreach ($files as $list) {
            //print array
            $content .= '<li class="pages"><a href="/show_source.php?page='. str_replace('cms/', '', ($list['dir']. '/')). $list['name']. '">'. str_replace('cms/', '', ($list['dir']. '/')). $list['name']. '</a> (Level '. $list['level']. ')</li>';
            //" => Path: " . $list['path'] ."<br>";
        }
        $content .= '</ul>';
    
    //Else the file is in the array so it is safe to highlight.
} else {
        $content = highlight_file($page2, true);
}


print $content;
?>

I also tried something like this:

<?php

//The list of ok files to highlight is called "$files".
$page = 'functions.php';

//if (!in_array($page, $files)) {
if (array_search($page,$files) > -1) {

    $content .= '<ul id="pages">';
        foreach ($files as $list) {
            //print array
            $content .= '<li class="pages"><a href="/show_source.php?page='. str_replace('cms/', '', ($list['dir']. '/')). $list['name']. '">'. str_replace('cms/', '', ($list['dir']. '/')). $list['name']. '</a> (Level '. $list['level']. ')</li>';
            //" => Path: " . $list['path'] ."<br>";
        }
        $content .= '</ul>';
    
    //Else the file is in the array so it is safe to highlight.
} else {
        $content = highlight_file($page, true);
}


print $content;
?>

 

How can I go through the multidimensional array of $files and make sure that the $page that the user wants highlighted is in fact a "safe" page in the array and not some kind of hacking attempt?

Part of the problem could be that this file

 

<?php

//NOTE: The list of ok files to highlight is called "$files".

//Let's make two files that a user could try to highlight.
$page = 'functions.php';
$page2 = 'sdkfjsdkfjdj.php';

if (!in_array($page2, $files)) {

    $content .= '<ul id="pages">';
        foreach ($files as $list) {
            //print array
            $content .= '<li class="pages"><a href="/show_source.php?page='. str_replace('cms/', '', ($list['dir']. '/')). $list['name']. '">'. str_replace('cms/', '', ($list['dir']. '/')). $list['name']. '</a> (Level '. $list['level']. ')</li>';
            //" => Path: " . $list['path'] ."<br>";
        }
        $content .= '</ul>';
    
    //Else the file is in the array so it is safe to highlight.
    } else {
        $content = highlight_file($page2, true);
    }

}

print $content;
?>

 

Has a syntax error with the very last bracket. That is 1 bracket too many.

Thanks, but this has nothing to do with the grammar of the code as this is just a quick snippet I wrote up to show the problem. So feel free to ignore any of my bad typing ;)

 

The problem is I don't know how to get http://us.php.net/in_array or http://us.php.net/manual/en/function.array-search.php or http://us.php.net/manual/en/function.array-key-exists.php to check a multidimensional array for my value.

try

<?php
function my_in_arr($p) {
    // Allowlist of files that may be highlighted.
    $a = Array(
        1 => Array('level' => 1, 'name' => 'index.php', 'path' => '/path/cms/'),
        2 => Array('level' => 2, 'name' => 'functions.php', 'path' => '/path/cms/functions/'),
        3 => Array('level' => 3, 'name' => 'login.php', 'path' => '/path/cms/admin/'),
        4 => Array('level' => 3, 'name' => 'functions.php', 'path' => '/path/cms/admin/'));
    $out = false;
    // Compare the requested name against the 'name' field of each entry.
    foreach ($a as $v) if ($v['name'] == $p) $out = true;
    return $out;
}

$page = 'functions.php';
if(my_in_arr($page)) echo 'in array'; else echo 'not in array';
?>

Thanks sasa!  ;D

 

Actually, I was looking for the value in the first array (see code above) and that is why I couldn't find it! I needed to go down one level and then look for it...

 

<?php
$found = FALSE;
foreach ($files as $value) {
    if(is_array($value)) {
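        // Strict comparison: a loose array_search() would also match numeric strings against 'level'.
        if (array_search($page, $value, true) !== false) {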
            $found = TRUE;
        }
    }
}

if($found) { 
    $content = "<br /><hr /><br />We found the value!<br />". $content; 
    $content .= highlight_file($page, true);
}
?>

This works fine now.
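
A stricter form of the allowlist check discussed in this thread, as an added example that is not code from any of the posters. It assumes the `page` parameter carries a path relative to a base directory (`$base` and `resolve_allowed()` are hypothetical names) and it passes `highlight_file()` the path stored in the allowlist rather than the string from the request, which also separates the two `functions.php` entries.

```php
<?php
// Constructed allowlist, same shape as the $files array shown in the thread.
$files = [
    1 => ['level' => 1, 'name' => 'index.php',     'path' => '/path/cms/'],
    2 => ['level' => 2, 'name' => 'functions.php', 'path' => '/path/cms/functions/'],
    3 => ['level' => 3, 'name' => 'login.php',     'path' => '/path/cms/admin/'],
    4 => ['level' => 3, 'name' => 'functions.php', 'path' => '/path/cms/admin/'],
];

/**
 * Return the allowlisted absolute path for $requested, or null if it is not listed.
 * $requested is expected relative to $base, e.g. "admin/functions.php".
 */
function resolve_allowed(array $files, string $base, $requested): ?string
{
    if (!is_string($requested)) {
        return null; // ?page[]=x reaches PHP as an array, not a string
    }
    foreach ($files as $entry) {
        $full = $entry['path'] . $entry['name'];
        if (strncmp($full, $base, strlen($base)) !== 0) {
            continue; // allowlist entry outside the base directory: ignore it
        }
        // Exact, type-strict match on the relative form only.
        if (substr($full, strlen($base)) === $requested) {
            return $full; // value comes from the allowlist, never from the request
        }
    }
    return null;
}

$base = '/path/cms/'; // assumed document base for the listed files

// Constructed request values, including the "../db.php" case from the first post.
$samples = ['index.php', 'admin/functions.php', 'functions/functions.php',
            'functions.php', '../db.php', '1', ['index.php']];
foreach ($samples as $sample) {
    $hit = resolve_allowed($files, $base, $sample);
    printf("%-28s => %s\n", json_encode($sample, JSON_UNESCAPED_SLASHES), $hit ?? 'rejected');
}

// Usage inside show_source.php:
//   $path = resolve_allowed($files, $base, $_GET['page'] ?? null);
//   if ($path !== null) { echo highlight_file($path, true); }
```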
