
Hi,

 

I am going to be using the code below so I can go to www.MYDOMAINHERE.com/index.php?id=XXXXXXXXX and hopefully it will show "Code Here".

 

But I would like to know: is this code safe? What I mean by this is, can it be exploited?

 

<?php if (isset($_GET['id']) && $_GET['id'] == 'XXXXXXXXX') { ?>
Code Here
<?php } ?>

 

Regards,

Garry

https://forums.phpfreaks.com/topic/58767-solved-is-this-php-code-safe/

As long as you are referencing it by $_GET and you're not using www.php.net/eval on the GET variable, or www.php.net/include or www.php.net/require (using the GET's value), you should be fine.

 

It is when you try to use the $_GET variable to include a file that you can get hijacked.

 

i.e. (this is bad!)

<?php
include($_GET['page']); // asking for trouble.
?>

Hi,

 

Thanks for your replies :)

 

What my idea is, is to put 2 files into 1 by using the code in my post, so for example:

 

?id=pay would load the code I would put where "Code Here" is, which is the code for the signup page

?id=free would load the code I would put where "Code Here" is, which is the code for the free signup page

 

So the end result is that it would be loading the code from the same file.

 

Regards,

Garry

You do this using switches and cases. It is also a good idea to use functions.

 

Example:

 

<?php
function indexpage()
{
    echo "This is the index page if no other pages are specified";
}

function page1()
{
    echo "This is page 1";
}

function page2()
{
    echo "This is page 2";
}

// Guard against a missing parameter; only values matched by a case are ever dispatched.
$page = isset($_GET['page']) ? $_GET['page'] : '';
switch ($page)
{
    case 'page1':
        page1();
        break;

    case 'page2':
        page2();
        break;

    default:
        indexpage();
}
?>

 

So that www.yoururl.com/phpfile.php?page=page1 would bring you the content your page1 function specifies.

As long as you are referencing it by $_GET and you're not using www.php.net/eval on the GET variable, or www.php.net/include or www.php.net/require (using the GET's value), you should be fine.

 

It is when you try to use the $_GET variable to include a file that you can get hijacked.

 

i.e. (this is bad!)

<?php
include($_GET['page']); // asking for trouble.
?>

 

Hey Frost, is this bad:

<?php
if (isset($_GET['tip'])){
$tippage = $_GET['tip'];
$currenttipcat = $_GET['cat'];
include('C:\wamp\www\site\root\tipstext\\' . $currenttipcat .'\\'. $tippage . '.php');
}
?>

 

Can it be made safe if it is? I'm working on a script that I just started last night. If it can't be made safe then I will have to do something else.

Hi,

 

And this code is safe and cannot be exploited?

 

You do this using switches and cases. It is also a good idea to use functions.

 

Example:

 

<?php
function indexpage()
{
    echo "This is the index page if no other pages are specified";
}

function page1()
{
    echo "This is page 1";
}

function page2()
{
    echo "This is page 2";
}

// Guard against a missing parameter; only values matched by a case are ever dispatched.
$page = isset($_GET['page']) ? $_GET['page'] : '';
switch ($page)
{
    case 'page1':
        page1();
        break;

    case 'page2':
        page2();
        break;

    default:
        indexpage();
}
?>

 

So that www.yoururl.com/phpfile.php?page=page1 would bring you the content your page1 function specifies.

 

Regards,

Garry

Hi,

 

I have just tried this using function xxxx() but it gave errors, so I got rid of the function xxxx() code and put it straight into the switch, which works :D

 

xxxx = function name

 

I presume it is OK to do it this way?

 

 

 

You do this using switches and cases. It is also a good idea to use functions.

 

Example:

 

<?php
function indexpage()
{
    echo "This is the index page if no other pages are specified";
}

function page1()
{
    echo "This is page 1";
}

function page2()
{
    echo "This is page 2";
}

// Guard against a missing parameter; only values matched by a case are ever dispatched.
$page = isset($_GET['page']) ? $_GET['page'] : '';
switch ($page)
{
    case 'page1':
        page1();
        break;

    case 'page2':
        page2();
        break;

    default:
        indexpage();
}
?>

 

So that www.yoururl.com/phpfile.php?page=page1 would bring you the content your page1 function specifies.

 

Regards,

Garry

Personally, if I was going to open pages like that I would code it like my example below.

 

<?php
$getPage = "index"; // default page when no id is given
if (isset($_GET['id'])){ // check the request parameter, not the variable we just assigned
    $getPage = strip_tags(addslashes($_GET['id']));

    if (!ctype_alpha($getPage)){ // Checks for letters only (A-Z, a-z)
        $getPage = "index"; // default to index when wrong
    }

    $allowed = array("pay","free","index"); // place your allowed pages in the array();
    if (!in_array($getPage,$allowed,true)){ // Checks the page (strict comparison)
        $getPage = "index"; // default to index when wrong
    }
}
?>

 

:D

Hi,

 

If I was to use the below, where would I add my code for this to work?

 

 

Personally, if I was going to open pages like that I would code it like my example below.

 

<?php
$getPage = "index"; // default page when no id is given
if (isset($_GET['id'])){ // check the request parameter, not the variable we just assigned
    $getPage = strip_tags(addslashes($_GET['id']));

    if (!ctype_alpha($getPage)){ // Checks for letters only (A-Z, a-z)
        $getPage = "index"; // default to index when wrong
    }

    $allowed = array("pay","free","index"); // place your allowed pages in the array();
    if (!in_array($getPage,$allowed,true)){ // Checks the page (strict comparison)
        $getPage = "index"; // default to index when wrong
    }
}
?>

 

:D

 

Regards,

Garry

It all depends on how you have set your site up, but at the top would be the best place, below session_start(); if you use sessions etc.

 

Place it like so:

<?php
if (isset($_GET['id'])){ // check the request parameter before reading it
    $getPage = strip_tags(addslashes($_GET['id']));

    if (!ctype_alpha($getPage)){ // Checks for letters only (A-Z, a-z)
        $getPage = "index"; // default to index when wrong
    }

    $allowed = array("pay","free","index"); // place your allowed pages in the array();
    if (!in_array($getPage,$allowed,true)){ // Checks the page (strict comparison)
        $getPage = "index"; // default to index when wrong
    }

    // $getPage can only be one of the allowed names at this point
    require_once("$getPage.php");
    // continue your code here... Code in here will only run if $_GET['id'] is set, and if it is invalid it will be changed to the index page
}
?>

Hi,

 

Sorry for being slow, but what I am trying to find out is how do I mark the page pay, free or index, as it must have to know where to go to get the code for that page.

 

I am at the moment using scarhand's code, but without using function xxxx().

 

Regards,

Garry

 

Reply to SkunKbad

 

<?php
if (isset($_GET['tip'])){
  $tippage = $_GET['tip'];
  $currenttipcat = $_GET['cat'];
  include('C:\wamp\www\site\root\tipstext\\' . $currenttipcat .'\\'. $tippage . '.php');
}
?>

 

Yes, that is bad because you are using the GET data directly in your script; you never know what someone could append to tippage or currenttipcat.

 

<?php
if (isset($_GET['tip'])){
   $tippages = array("page1", "page2", "page-3");
   $cattippages = array("catpage1", "catpage2", "catpage-3");
   $tippage = $_GET['tip'];
   $currenttipcat = isset($_GET['cat']) ? $_GET['cat'] : '';

   // Anchored pattern (ereg is deprecated): the whole value must consist of
   // letters, digits, "_" or "-". An unanchored "([A-Za-z0-9_-]*)" would match
   // every string, because "*" allows a zero-length match anywhere.
   if (!preg_match('/^[A-Za-z0-9_-]+$/', $tippage) || !preg_match('/^[A-Za-z0-9_-]+$/', $currenttipcat)) {
           $tippage = 'default';
           $currenttipcat = 'default';
   }elseif (!in_array($tippage, $tippages, true) || !in_array($currenttipcat, $cattippages, true)) {
        $tippage = 'default';
        $currenttipcat = 'default';
   }

   include('C:\wamp\www\site\root\tipstext\\' . $currenttipcat .'\\'. $tippage . '.php');
}
?>

 

That should secure you.
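An added example, not code from anyone in this thread, that combines the checks recommended above (an anchored character-class match, a strict allowlist, and a realpath() containment check as defence in depth) into one resolver; it serves both the ?id=pay/free/index question and the tip/cat include. The pages directory, allowlist contents and fallback page are assumptions.

```php
<?php
// Added example, not code from the thread. Directory and page names are assumptions.
$BASE = __DIR__ . '/pages';                 // assumed directory holding the page files
$ALLOWED = array(                           // assumed allowlist: category => pages
    'signup' => array('pay', 'free', 'index'),
    'tips'   => array('page1', 'page2', 'page-3'),
);

// True only when the whole value is 1-32 characters of letters, digits, "_" or "-".
// The anchors (^ and $) matter: an unanchored "([A-Za-z0-9_-]*)" pattern matches
// every string, including "../../etc/passwd", because "*" permits an empty match.
function isSafeName($value)
{
    return is_string($value) && preg_match('/^[A-Za-z0-9_-]{1,32}$/', $value) === 1;
}

// Returns the absolute path of the file to include, or null if any check fails.
function resolvePage($base, $allowed, $cat, $page)
{
    if (!isSafeName($cat) || !isSafeName($page)) {
        return null;                        // rejects "..", "/", "\" and NUL bytes
    }
    if (!isset($allowed[$cat]) || !in_array($page, $allowed[$cat], true)) {
        return null;                        // not on the allowlist (strict compare)
    }
    $baseReal = realpath($base);
    $file = realpath($base . '/' . $cat . '/' . $page . '.php');
    // Defence in depth: the resolved file must exist and still sit under $base,
    // so a stray symlink inside the pages directory cannot escape it either.
    if ($baseReal === false || $file === false
        || strpos($file, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Dispatch: ?cat=signup&id=pay loads pages/signup/pay.php; anything else
// (unknown page, bad characters, missing file) falls back to the index page.
$cat  = isset($_GET['cat']) ? $_GET['cat'] : 'signup';
$page = isset($_GET['id'])  ? $_GET['id']  : 'index';
$file = resolvePage($BASE, $ALLOWED, $cat, $page);
if ($file === null) {
    $file = $BASE . '/signup/index.php';    // assumed fallback page
}
require_once $file;
```

Because the allowlist is the only source of file names, adding a page means adding one entry to $ALLOWED; the request parameters never reach the filesystem unvalidated.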

Hi,

 

Is it also safe to use the form post command to a file like filename.php?id=1? So the HTML looks like:

<form name="frmSignup" id="frmSignup" method="post" action="filename.php?id=1" onsubmit="javascript: return validateme(this);">

Using the same PHP layout as what scarhand posted above, but without the functions bit, and I changed the echo bit for code from a script I am using that submits data to the database and forwards you to another page.

 

Regards,

Garry
