Jump to content

Recommended Posts

I am trying to create an array of the files that I will allow to show the source code of. These files will be in a multidimensional array and when someone asks my script to highlight a file (using a $_GET like "show_source.php?page=index.php") I will check to make sure that the file is in the array before I highlight the PHP code and show it to the user. Basically, I want to prevent something like "show_source.php?page=../db.php"

 

 

Here is what the array "$files" looks like:

 

Array
(
    [1] => Array
        (
            [level] => 1
            [name] => index.php
            [path] => /path/cms/
        )
    [2] => Array
        (
            [level] => 2
            [name] => functions.php
            [path] => /path/cms/functions/
        )
    [3] => Array
        (
            [level] => 3
            [name] => login.php
            [path] => /path/cms/admin/
        )
    [4] => Array
        (
            [level] => 3
            [name] => functions.php
            [path] => /path/cms/admin/
        )
}

 

I have tried something like this but I can't get it to work.

<?php

//NOTE: The list of ok files to highlight is called "$files".

//Lets make two files that a user could try to highlight.
$page = 'functions.php';
$page2 = 'sdkfjsdkfjdj.php';

if (!in_array($page2, $files)) {

    $content .= '<ul id="pages">';
        foreach ($files as $list) {
            //print array
            $content .= '<li class="pages"><a href="/show_source.php?page='. str_replace('cms/', '', ($list['dir']. '/')). $list['name']. '">'. str_replace('cms/', '', ($list['dir']. '/')). $list['name']. '</a> (Level '. $list['level']. ')</li>';
            //" => Path: " . $list['path'] ."<br>";
        }
        $content .= '</ul>';
    
    //Else the file is the the array so it is safe to highlight.
} else {
        $content = highlight_file($page2, true);
}


print $content;
?>

I also tried something like this:

<?php

//The list of ok files to highlight is called "$files".
$page = 'functions.php';

//if (!in_array($page, $files)) {
if (array_search($page,$files) > -1) {

    $content .= '<ul id="pages">';
        foreach ($files as $list) {
            //print array
            $content .= '<li class="pages"><a href="/show_source.php?page='. str_replace('cms/', '', ($list['dir']. '/')). $list['name']. '">'. str_replace('cms/', '', ($list['dir']. '/')). $list['name']. '</a> (Level '. $list['level']. ')</li>';
            //" => Path: " . $list['path'] ."<br>";
        }
        $content .= '</ul>';
    
    //Else the file is the the array so it is safe to highlight.
} else {
        $content = highlight_file($page, true);
}


print $content;
?>

 

How can I go through the multidimensional array of $files and make sure that the $page that the user wants highlighted is in fact a "safe" page in the array and not some kind of hacking attempt?

Part of the problem could be that this file

 

<?php

//NOTE: The list of ok files to highlight is called "$files".

//Lets make two files that a user could try to highlight.
$page = 'functions.php';
$page2 = 'sdkfjsdkfjdj.php';

if (!in_array($page2, $files)) {

    $content .= '<ul id="pages">';
        foreach ($files as $list) {
            //print array
            $content .= '<li class="pages"><a href="/show_source.php?page='. str_replace('cms/', '', ($list['dir']. '/')). $list['name']. '">'. str_replace('cms/', '', ($list['dir']. '/')). $list['name']. '</a> (Level '. $list['level']. ')</li>';
            //" => Path: " . $list['path'] ."<br>";
        }
        $content .= '</ul>';
    
    //Else the file is the the array so it is safe to highlight.
    } else {
        $content = highlight_file($page2, true);
    }

}

print $content;
?>

 

Has a syntax error with the very last bracket. That is 1  bracket too many.

Thanks, but this has nothing to do with the grammar of the code as this is just a quick snippet I wrote up to show the problem. So feel free to ignore any of my bad typing ;)

 

The problem is I don't know how to get http://us.php.net/in_array or http://us.php.net/manual/en/function.array-search.php or http://us.php.net/manual/en/function.array-key-exists.php to check a multidimensional array for my value.

try

<?php
function my_in_arr($p) {
$a = Array(
    1 => Array('level' => 1, 'name' => 'index.php', 'path' => '/path/cms/'),
    	    2 => Array('level' => 2, 'name' => 'functions.php', 'path' => '/path/cms/functions/'),
    3 => Array('level' => 3, 'name' => 'login.php', 'path' => '/path/cms/admin/'),
    	    4 => Array('level' => 3, 'name' => 'functions.php', 'path' => '/path/cms/admin/'));
$out = false;
foreach ($a as $v) if ($v['name'] == $p) $out = true;
return $out;
}

$page = 'functions.php';
if(my_in_arr($page)) echo 'in array'; else echo 'not in array';
?>

Thanks sasa!  ;D

 

Actually, I was looking for the value in the first array (see code above) and that is why I couldn't find it! I needed to go down one level and then look for it...

 

<?php
$found = FALSE;
foreach ($files as $value) {
    if(is_array($value)) {
        if (array_search($page, $value)) {
            $found = TRUE;
        }
    }
}

if($found) { 
    $content = "<br /><hr /><br />We found the value!<br />". $content; 
    $content .= highlight_file($page, true);
}
?>

This works fine now.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.