How do I clean this so users can t pull pages outside of the local domain?
<?php
if(!empty($_GET[ page ]))
{
include($_GET[ page ]);
}
else
{
include( home.php );
}
?>
The safest way is to whitelist your pages:
$page = home.php ;
$allowedPages = array( one.php , two.php , ...);
if (!empty($_GET[ page ]) && in_array($_GET[ page ], $allowedPages))
$page = $_GET[ page ];
include $page;
// get the absolute file name of the page we want to see
$page = realpath($_GET[ page ]);
// get the directory in which pages are
$mydir = dirname(__FILE__);
// see if the included page is inside this allowed dir
if ($page === false || substr($page, 0, strlen($mydir) != $mydir) {
die( go away hacker );
} else {
include $page;
}
This isn t tested. I just wrote it up real quick, but it should work (I hope) and it ll definitely provide you a base for where to get started.
define( DEFAULT_PAGE , home.php );
define( ALLOWED_PAGES_EXPRESSION , ^[/]+.php$|^[/]+.html$ );
function ValidateRequestedPage($p)
{
$errors_found = False;
// Make sure this isn t someone trying to reference directories absolutely.
if (preg_match( ^/.+$ , $p))
{
$errors_found = True;
}
// Disable access to hidden files (IE, .htaccess), and parent directory.
if (preg_match( ^..+$ , $p))
{
$errors_found = True;
}
// This shouldn t be needed for secure servers, but test for remote includes just in case...
if (preg_match( .+://.+ , $p))
{
$errors_found = True;
}
if (!preg_match(ALLOWED_PAGES_EXPRESSION, $p))
{
$errors_found = True;
}
return !$errors_found;
}
if (!isset($_GET[ page ])) { $page = DEFAULT_PAGE; }
else { $page = $_GET[ page ]; }
if ( !ValidateRequestedPage($page) )
{
/* This is called when an error has occured on the page check. You probably
want to show a 404 here instead of returning False. */
return False;
}
// This suggests that a valid page is being used.
require_once($page);
Just use a switch statement.
Check if the $_GET var is set and then run it through the cases and have the default go to home.php
For security reasons, it is desirable to check the integrity of code before execution, avoiding tampered software by an attacker. So, my question is How to sign executable code and run only trusted ...
I run findbugs against all of my code and only tackle the top stuff. I finally got the top stuff resolved and now am looking at the details. I have a simple entity, say a user: public class User ...
Anyone know if jsbin.com implements any protection for XSS or other javascript attacks? I see jsbin links used fairly regularly on sites like this one and I can t find any indication from the site ...
Im making a website that will intergrate with game that only support md5 hashing metod (atm). Which ofc is not especially safe anymore. But how could i make it stronger? Should I just generate long ...
I am trying to find out the difference between difference service account types. I tumbled upon this question. The answer was because it has powerful access to local resources, and Network Service ...
I am trying to write a script to prevent brute-force login attempts in a website I m building. The logic goes something like this: User sends login information. Check if username and password is ...
Three SHA512Managed related questions: Is SHA512Managed considered the best one-way hash available in .NET 3.5 for security? What Salt size should be used with SHA512Managed? The application is for ...
[Update] - I attach also full config files, for service, and for client (outside of here, not to flood the topic) I m having situation pretty much identical to the one outlined in this question, ...