Atle Apprentice

Joined: 16 Sep 2004 Posts: 179
|
Posted: Wed Jun 08, 2005 3:07 pm Post subject: Apache and PHP, problem with variables |
|
|
Okay, I'm not sure what to search for to find a solution to this, so I'll ask here. Hope it's the right forum.
I've set up apache and php4, and it mostly works. But I have a problem getting variables parsed from forms (actually set in the URL) to be read by the PHP script. The URL might look something like this http://192.168.1.27/index.php?page=main
Most php in the page will work, but part of the code is:
Code: |
// $page is expected to hold the value of ?page= from the URL
if ( file_exists($page) ){
    include($page);
}
else {
    echo ("Page=<p>$page</p>");
}
|
This will not include the page, but will write <p>Page=</p> into the html. The problem is not that the file does not exist (or have the correct rights), but that the $page variable is not set.
The code works fine on a couple of other servers.
I have no idea where this bug comes from and where to start looking in order to solve this. Anyone know? |
 |
Celtis l33t


Joined: 05 Jul 2003 Posts: 737
|
Posted: Wed Jun 08, 2005 4:12 pm Post subject: |
|
|
It's not a bug, it's a configuration option, register_globals, which is off by default. Have a look at http://uk.php.net/register_globals for reasons why the PHP devs themselves suggest that it stays off.
Try using $_GET["page"] instead of just $page (it's better form and makes it easier to follow!). |
 |
DavidMCS n00b

Joined: 08 Feb 2004 Posts: 39 Location: Halifax, NS Canada
|
Posted: Wed Jun 08, 2005 4:19 pm Post subject: |
|
|
More than likely register_globals = Off in your php.ini.
You should actually write your scripts so they do not require register_globals to be turned on. Form variables with global scope can easily lead to security vulnerability problems. Instead access your posted form variables using the new superglobal arrays of $_POST and $_GET depending on the method your form uses to submit the data.
Try the following...
Code: |
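// Read the parameter from the $_GET superglobal instead of a global $page
if ( file_exists( $_GET['page'] ) ){
    include($_GET['page']);
}
else {
    // Array elements need braces inside a double-quoted string
    echo ("Page=<p>{$_GET['page']}</p>");
}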
|
or this...
Code: |
// Copy the parameter into a local variable once, then use it as before
$page = $_GET['page'];
if ( file_exists($page) ){
    include($page);
}
else {
    echo ("Page=<p>$page</p>");
}
|
--
David- |
 |
hanj Veteran


Joined: 19 Aug 2003 Posts: 1500
|
Posted: Wed Jun 08, 2005 8:36 pm Post subject: |
|
|
I'd be concerned about your code.. looks like you would be open to directory/file traversal. Not knowing your server configurations.. you may be able to read other files...
http://192.168.1.27/index.php?page=../../../etc/passwd for example.
or potentially cause a DoS via loop:
http://192.168.1.27/index.php?page=index.php
You may want to implement open_basedir, safe_mode and client input filtering. Make sure you follow the above advice and use the $_GET array instead of turning on register_globals.. that would be a bad thing to do.
HTH
hanji |
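The input filtering suggested in the post above, sketched for current PHP as an added example (not code posted by anyone in the thread): the page parameter is matched against a strict name pattern and resolved inside a dedicated directory before it is included. The pages/ directory, the resolve_page() helper and the "main" default are assumptions.

```php
<?php
// Added example: resolve_page() is a hypothetical helper, not code from the thread.
// Assumes PHP 7.1+ and that includable pages live in ./pages as <name>.php.

function resolve_page($requested, string $baseDir): ?string
{
    // Accept only a short bare name: no slashes, dots or NUL bytes, so "../"
    // sequences and absolute paths are refused; arrays (?page[]=x) are too.
    if (!is_string($requested) || !preg_match('/\A[a-z0-9_-]{1,32}\z/i', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // pages directory or requested page does not exist
    }

    // Defence in depth: once symlinks are resolved, the file must still
    // sit inside the pages directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    // Never let the front controller include itself (the ?page=index.php loop).
    if ($path === realpath($_SERVER['SCRIPT_FILENAME'])) {
        return null;
    }
    return $path;
}

$requested = $_GET['page'] ?? 'main'; // 'main' as default page is an assumption
$page = resolve_page($requested, __DIR__ . '/pages');
if ($page !== null) {
    include $page;
} else {
    http_response_code(404);
    // Escape before echoing so the parameter cannot inject markup.
    $shown = is_string($requested) ? $requested : '';
    echo '<p>Page=' . htmlspecialchars($shown, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

Setting open_basedir in php.ini, as suggested above, adds a second layer if a check like this is ever bypassed.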
 |
Atle Apprentice

Joined: 16 Sep 2004 Posts: 179
|
Posted: Wed Jun 08, 2005 11:00 pm Post subject: |
|
|
Thank you guys, both for the help and the security tips. |