
Bethrezen

  1. OK, obviously I have failed to adequately explain what it is that I am trying to achieve, so I'll try again. Presently, if you go to one of my pages and mistype the address, for example http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/Index.php/ you get a load of horrid error code, for example:

     ```
     Warning: main(): open_basedir restriction in effect. File(\\192.168.0.16\webfiles\files\2005-3\275289\demo\Web-Site-Demo/Switch/style-switcher.php) is not within the allowed path(s): (.) in \\192.168.0.16\webfiles\files\2005-3\275289\demo\Web-Site-Demo\Index.php on line 15
     ```

     which even the most inexperienced coder will be able to tell you is a bad idea for reasons of security, professionalism and accessibility. Obviously this is an undesirable situation that needs to be resolved, so what can we do? Well, the first and most obvious solution is to change PHP error reporting so that it outputs errors to an error log instead of the browser. Question is, how? While this does go part way to addressing the situation, the trouble is that should users mistype an address they are left looking at a blank screen. Now the obvious solution in this event would be to display an error message informing the user that they had mistyped the address and then redirect them to the site map. However, this is where I hit my second problem: I don't have server access. Also, the server is IIS, not Apache, so I can't use a .htaccess file. So my next question is: how do I have an error message pop up and then subsequently have them redirected to the site map so that they can find the page they are looking for, without server access?
  2. I understand what you are saying, that this is best handled by the server, but that's not an option: I don't have server access, so I'm going to have to do this myself through PHP. Now while this is a far from ideal solution, I don't see that there is much else I can do. There must be some way to pull this off and either have a custom error page pop up and then redirect, or just have the script output a message and then redirect. It should be possible to insert some code into the main page index.php that will intercept any requests to it, valid or not, and then take appropriate action.
  3. Can't leave it up to Apache because the servers where ripway is housed are IIS, aka Microsoft, so how do I write a simple little script that will detect when people have incorrectly typed a URL for one of my pages and then give them a custom error message before redirecting them to the site map page? I thought the best way to go about this would be through an array, but I'm pretty new to PHP so maybe there is a simpler way that might be more appropriate.
  4. Hi, I see. OK, so for the second argument, how do I have it read the URL that has been typed in? Because the first thing that would need to happen is to read the URL that was typed in to determine if it's a bogus URL, and if it is, redirect. Is $_SERVER['REQUEST_URI'] the correct command for that? Because it doesn't seem to work correctly: I input the URL http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/test.php which should resolve to true because both test.php & Content/Section-1-Introduction.php are in the array, but yet I get a false answer and get the bad input error, which is not correct.
  5. Hi all, I'm trying to understand some of the mechanics of PHP but I'm having problems. I set up a simple test page here: http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/test.php Now when you go to that page, the snippet of PHP on that page should display the contents of the included file, but if I go here: http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/test.php/ it should display the error message "Error Bad Input". But I must be doing something wrong because I can't seem to get it to work. Here is the code I have:

     ```php
     <?php
     $file = array('test.php', 'Content/Section-1-Introduction.php');

     if(in_array ($file))
     {
         include('Content/Section-1-Introduction.php');
     }
     else
     {
         header("Refresh: 3; url=index.php?page=Site-Map");
         die('Error Bad Input');
     }
     ?>
     ```

     Now the idea behind this is that should someone mistype the URL for one of the pages, instead of getting something like

     ```
     Warning: Wrong parameter count for in_array() in \\192.168.1.16\webfiles\files\2005-3\275289\demo\Web-Site-Demo\test.php on line 18
     ```

     they will instead get a custom error and then be redirected to the site map page. So what am I doing wrong?
  6. I see. Well then, I could have a problem as I do make use of the $_GET command in my switch scripts. Here is an example; this one controls the next/previous links for the footer, but I have at least another 3 scripts similar to this that handle the switching of other elements within the site.

     ```php
     <?php
     function setprevnext ($previous, $next)
     {
         $prevnext = "";

         if ($next == "Preparation") {
             $prevnext = $prevnext . "<li><a href='Index.php?page=$next'>Next</a></li> ";
         } else if ($next == "") {
             $prevnext = $prevnext;
         } else {
             $prevnext = $prevnext . "<li class='leftbar'><a href='Index.php?page=$next'>Next</a></li> ";
         }

         if ($previous != "") {
             $prevnext = $prevnext . "<li><a href='Index.php?page=$previous'>Previous</a></li> ";
         }

         echo $prevnext;
     }

     switch ($_GET["page"])
     {
         default: setprevnext("","Preparation"); break;

         /* Section 1 */
         case "Section-1-Introduction": setprevnext("","Preparation"); break;
         case "Preparation": setprevnext("Section-1-Introduction","Basic-Cleaning"); break;
         case "Basic-Cleaning": setprevnext("Preparation","Advanced-Cleaning"); break;
         case "Advanced-Cleaning": setprevnext("Basic-Cleaning","Last-Resort"); break;
         case "Last-Resort": setprevnext("Advanced-Cleaning","Troubleshooting"); break;
         case "Troubleshooting": setprevnext("Last-Resort","Support"); break;
         case "Support": setprevnext("Troubleshooting","Section-2-Introduction"); break;
     }
     ?>
     ```

     So ya still reckon I'm OK? My main concern here is that some unsavory type could end up deleting and/or defacing my hard work. I have a backup on my HD but I'd rather prevent the possibility to begin with.
  7. Hi, I was thinking along the lines of XSS (cross-site scripting attacks) coz there is no input checking. If someone were to type some evil input into the address bar, say something like this: http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/Switch/page-switcher.php/%3Cmarquee%3E%3Ch1%3ESOME_EVIL_INPUT_OR_SOME_EVIL_SCRIPT%3Chr%3E they could potentially cause havoc, possibly causing problems for visitors or for me. I know the above example was overly simple; that was deliberate on my part as I really don't understand PHP very well, so I need to keep things as simple as possible or I'll just get lost. Here is my site: http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/Index.php
  8. Hi all, due to my inexperience with PHP my last attempt to get help with securing my site was somewhat less than fruitful, as I just didn't understand. I have read up on this in an effort to try and understand but I'm getting nowhere; it's all so complicated and confusing, and I was wondering if anyone could explain this in a way I might actually understand. Anyway, starting really simple, I have my main index page index.php and inside this are 2 includes, content.php and navigation.php, and it looks like this:

     ```php
     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
     <html>
     <head>
     <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
     </head>
     <body>
     <div id="sidebar">
     <?php include("navigation.php");?>
     </div>
     <div class="contents">
     <?php include("content.php"); ?>
     </div>
     </body>
     </html>
     ```

     Anyway, at present this is susceptible to attack as there is no input checking, so my first step is to create a file that is going to filter out user input so that any attempt to input anything other than a valid URL into the address bar will result in them getting a bad input error. So my first question is: what is the easiest noob-friendly way to go about doing this?
  9. Hi all, I appreciate the efforts to try and help me but I'm really not getting this and I'm totally, absolutely confused; none of this is making any sense to me whatsoever. So I have 3 questions:

     1.) How do I detect bad input?
     2.) How do I make the filter script load upon detection of bad input?
     3.) Upon loading of the filter script, how do I get it to remove said bad input?

     So for instance, if someone was to type the following into the address bar: http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/index.php/%3Cmarquee%3E%3Ch1%3Evulnerable%3Chr%3E or http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/Switch/style-switcher.php/a etc., how would I

     1.) detect that this is bad input,
     2.) load the filter file to deal with it,
     3.) have the filter script remove the bad input /%3Cmarquee%3E%3Ch1%3Evulnerable%3Chr%3E or /a etc.

     so that the person ends up looking at http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/index.php or http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/Switch/style-switcher.php etc.?
  10. Hi, ideally I'd like to protect all the files that make up my site, not just the $_GET[]. I see. Question is, is it not possible to just add error_reporting(0); and leave it at that, and then if I need to see error messages change error reporting from (0) to (6135)? Is there any particular reason and/or advantage to be gained by getting more complicated and creating a debug script as you suggest? Because it sounds like unnecessary work, unless it's actually possible to make the server error reporting more accurate so that the error message actually reflects the real mistake that caused the error. One other thing: is it possible to have the error reporting visible only to me? I'm just thinking that this would be more useful than just turning error reporting off.
  11. OK, apparently that code

      ```php
      <?php
      $valid_page_array = array('Contact', 'Site-Map', 'Support', 'Make sure', 'you put', 'all your', 'valid pages', 'in this', 'really really', 'long array');

      if(!in_array($_GET['page'], $valid_page_array)
      {
          die('That is not a valid url...');
      }
      ?>
      ```

      is wrong:

      ```
      Parse error: parse error, unexpected '{' in \\192.168.1.16\webfiles\files\2005-3\275289\demo\Web-Site-Demo\Switch\page-switcher.php on line 6
      ```

      One other problem: this doesn't protect the rest of the files that make up the site.
  12. How do I implement this as a separate file so that I just have to link to it rather than having to repeatedly include the same chunk of code in every file that's vulnerable?
  13. Question: would I need to add that to every file or can I add it just once to the index page? OK, not working: http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/Switch/page-switcher.php/%3Cmarquee%3E%3Ch1%3Evulnerable%3Chr%3E
  14. Now what about stopping info harvesting by deliberately putting a bad URL into the address box? I was thinking a simple check, something like: if (url valid) load page else die ("bad input")
  15. Perhaps it would help if I posted the source for one of the files that have been identified as vulnerable to cross-site scripting. Here is the page switcher script:

      ```php
      <?php
      switch ($_GET["page"])
      {
          default: header("Location: Index.php?page=Section-1-Introduction"); break;

          case "Contact": include("Content/Under-Construction.php"); break;
          case "Site-Map": include("Navigation/Site-Map.php"); break;

          /* Section 1 */
          case "Section-1-Introduction": include("Content/Section-1-Introduction.php"); break;
          case "Preparation": include("Content/Preparation.php"); break;
          case "Basic-Cleaning": include("Content/Basic-Cleaning.php"); break;
          case "Advanced-Cleaning": include("Content/Advanced-Cleaning.php"); break;
          case "Last-Resort": include("Content/Last-Resort.php"); break;
          case "Troubleshooting": include("Content/Troubleshooting.php"); break;
          case "Support": include("Content/Support.php"); break;

          /* Section 2 */
          case "Section-2-Introduction": include("Content/Section-2-Introduction.php"); break;
          case "Internet-Explorer": include("Content/Internet-Explorer.php"); break;
          case "Outlook-Express": include("Content/Outlook-Express.php"); break;
          case "Windows-Media-Player": include("Content/Windows-Media-Player.php"); break;
          case "Disabling-Unnecessary-Processes": include("Content/Disabling-Unnecessary-Processes.php"); break;
          case "Fixing-UnPatched-Security-Holes": include("Content/Fixing-UnPatched-Security-Holes.php"); break;
          case "Additional-Layers-Of-Protection": include("Content/Additional-Layers-Of-Protection.php"); break;
          case "Tweaking-And-Windows-Customisation": include("Content/Tweaking-And-Windows-Customisation.php"); break;
          case "Testing-And-Validation": include("Content/Testing-And-Validation.php"); break;

          /* Section 3 */
          case "Host-File-And-Host-File-Management": include("Content/Host-File-And-Host-File-Management.php"); break;
          case "Pacfile-And-Pacfile-Management": include("Content/Pacfile-And-Pacfile-Management.php"); break;
          case "Proxies-And-Web-Filters": include("Content/Under-Construction.php"); break;

          /* Section 4 */
          case "General-Computer-Maintenance": include("Content/General-Computer-Maintenance.php"); break;
          case "Registry-Maintenance-Backup-And-Restoration": include("Content/Registry-Maintenance-Backup-And-Restoration.php"); break;
          case "System-Backup": include("Content/System-Backup.php"); break;
      }
      ?>
      ```

      Now what I need to do is to add a check to make sure that the URL is valid; if it is, then run the script, if not then the input needs to be killed, ehh?
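
One way to do the check asked for in post 15, as an added example that is not part of the original posts: an allow-list front controller for Index.php that rejects unknown `page` values and anything typed after the script name, logs errors instead of displaying them, and redirects to the site map. The `resolve_page` helper, the shortened page list, the PATH_INFO behaviour noted in the comments and PHP 5.1 or later are assumptions.

```php
<?php
// Added example (not the poster's code); assumes PHP 5.1 or later.
// Keep warnings and file paths out of the browser; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Allow-list of page names mapped to fixed include paths (constructed,
// shortened sample; list every real page the same way).
$pages = array(
    'Site-Map'               => 'Navigation/Site-Map.php',
    'Section-1-Introduction' => 'Content/Section-1-Introduction.php',
    'Preparation'            => 'Content/Preparation.php',
    'Support'                => 'Content/Support.php',
);

// Hypothetical helper: returns the file to include, or null to reject.
function resolve_page(array $get, array $server, array $pages)
{
    // Text typed after the script name (Index.php/<junk>) shows up in PATH_INFO.
    $extra  = isset($server['PATH_INFO']) ? (string) $server['PATH_INFO'] : '';
    $script = isset($server['SCRIPT_NAME']) ? (string) $server['SCRIPT_NAME'] : '';
    // Assumption: some IIS setups repeat the script name at the start of PATH_INFO.
    if ($script !== '' && strpos($extra, $script) === 0) {
        $extra = (string) substr($extra, strlen($script));
    }
    if ($extra !== '') {
        return null;
    }
    $page = isset($get['page']) ? $get['page'] : 'Section-1-Introduction';
    // Reject arrays (?page[]=x) and any name that is not in the allow-list.
    if (!is_string($page) || !array_key_exists($page, $pages)) {
        return null;
    }
    return $pages[$page];
}

$file = resolve_page($_GET, $_SERVER, $pages);
if ($file === null) {
    header('HTTP/1.1 404 Not Found');
    // Root-relative target: a relative one would resolve under Index.php/<junk>/
    // and be rejected again on the next request.
    header('Refresh: 3; url=' . $_SERVER['SCRIPT_NAME'] . '?page=Site-Map');
    // Fixed text only; the rejected input is never echoed back.
    die('Error: bad input. Redirecting to the site map.');
}
include $file;
```

Because the included path always comes from the array and never from the request, a mistyped or hostile `page` value can only ever produce the fixed error message.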