4 Replies - 1154 Views - Last Post: 25 July 2011 - 12:56 PM

#1 56KBs

$_GET Page insecurities and a better way?

Posted 25 July 2011 - 12:01 PM

Hey all,

I'm currently using $_GET's for making my index file include selected pages, but after doing this I have now started to wonder whether this is the safest method, as people could try to directly load the included files (although they get a function error).

Would it be better for me to just have separate pages for the settings in the admin panel (Such as a user control section, etc) or to php include these under the admin index page and ensure the functions file is included in each file to be included so it auto pushes them to the login page if not logged in?

I prefer to use the GET method so there is a possibility of theming my creation.


Replies To: $_GET Page insecurities and a better way?

#2 Atli

Re: $_GET Page insecurities and a better way?

Posted 25 July 2011 - 12:13 PM

Hey.

How are you doing this exactly? I'm picturing something like:
<?php
// Fall back to the default page when no page parameter was sent.
($page = @$_GET['page']) or $page = 'default';

// Every include path is a literal string; the user's value only selects a case,
// it never becomes part of a path. Anything not listed falls through to default.
switch($page)
{
    case 'about':
        include 'includes/about.php';
        break;
    case 'login':
        include 'includes/login.php';
        break;
    case 'etc...':
        include 'includes/etc.php';
        break;
    default:
        include 'includes/default.php';
        break;
}
?>


There, the "includes" directory could be hidden from public view via your HTTP server's config (on Apache servers, .htaccess files are typically used for this purpose), or you could simply place them outside the web root. Either option would deny visitors access to the files directly, while still making them available to be included into your PHP pages.

P.S.
I know it may seem simpler to do this:
<?php
include "includes/{$_GET['page']}.php";
?>


But this is a MAJOR risk. Even with proper sanitization and validation of the GET variable, if you place it into the include statement, there is always the off chance that it will be manipulated by malicious visitors into doing something unexpected and potentially damaging.

Always hard code includes. It's just safer that way.


#3 56KBs

Re: $_GET Page insecurities and a better way?

Posted 25 July 2011 - 12:30 PM

I'm doing it like this -

<?php
    // Take the page name straight from the query string, defaulting to the admin index.
    if (isset($_GET['page'])) {
        $page = $_GET['page'];
    } else {
        $page = 'index';
    }
    // The include path is built directly from the user-supplied value.
    $file_path = 'includes/' . $page . '.php';
    // mod_rewrite_check() is the poster's own helper (not defined in this snippet);
    // it returns the URL for the named page. Anyone without a session is sent to login.
    if (!isset($_SESSION['username']) && $page != 'login') header("Location: " . mod_rewrite_check('login'));
    // Otherwise include the file if it exists on disk, else the 404 page.
    elseif (file_exists($file_path)) require($file_path);
    else require('includes/404.php');
?>


(This line with the session could probably be amended by using a login check function I have but oh well)

I'm just asking this because I plan to soon switch my main index page, currently acting as the admin panel (Which the above is from) with a front end to my system and a separate directory to the admin section. I just fear someone could guess the directory to my admin section, then get into the included files.

I could continue using the method above but include the functions file on each of the included files, running a login check on each necessary to ensure if direct connection is made to the included file a header will push them away.

I'd like my system to be as secure as possible as I wish to release it via open source in the future (Once it has been used for my A2 computing exam).

#4 JackOfAllTrades

Re: $_GET Page insecurities and a better way?

Posted 25 July 2011 - 12:52 PM

You need to create a whitelist of pages that the user is able to view. See this post.

#5 Atli

Re: $_GET Page insecurities and a better way?

Posted 25 July 2011 - 12:56 PM

That's extremely unsafe. You are essentially allowing all your visitors to request whatever PHP file they want from your system.

Just consider what happens if you use this URL:
index.php?page=../index

Your $file_path would become 'includes/../index.php', which will include the main index file again, causing an infinite include loop until PHP aborted with an error.

Like I said in my previous post, you should never allow user input into an include statement. It's way too risky. You will at least have to validate and sanitize the input very, very thoroughly before doing so. Hard-coding the includes and executing them with IF or SWITCH statements (or arrays, classes, functions, etc...), like I demonstrated, is much, much safer.
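Putting the three replies together (the hard-coded switch in post #2, the whitelist in post #4 and the `../index` probe in post #5), the following is an added example of a front controller written for this page; it is not code from the thread or from 56KBs's project. The page names and file names under `includes/`, the login redirect target and the `username` session key are assumptions made for the example. The page parameter is only ever used as a key into a fixed array, so no string from the request is ever concatenated into a path.

```php
<?php
// Added example (not from the thread): a page router that never builds an
// include path from user input. The requested page name is only a lookup key
// into a hard-coded allow-list, so "../index", "../../config" or an array value
// simply falls through to the 404 page.

declare(strict_types=1);

// Assumed file layout under includes/. That directory should also sit outside
// the document root so none of these files can be requested directly.
const PAGES = [
    'index' => 'index.php',
    'about' => 'about.php',
    'login' => 'login.php',
    'users' => 'users.php',   // admin-only, like every page not in PUBLIC_PAGES
];

// Pages a visitor may see without a session; everything else needs a login.
const PUBLIC_PAGES = ['login'];

/**
 * Map the requested page name to a whitelisted file, or null if it is not in
 * the map. No filesystem checks, no concatenation with the raw input.
 */
function resolve_page(string $requested): ?string
{
    // Exact key lookup only: "index ", "../index" and "" are all unknown keys.
    return PAGES[$requested] ?? null;
}

/**
 * Decide what to do for one request. Returns either
 *   ['redirect' => url]  when the visitor must log in first, or
 *   ['include'  => path] with the file the front controller should require.
 */
function route(array $get, array $session): array
{
    $requested = $get['page'] ?? 'index';
    if (!is_string($requested)) {        // ?page[]=x arrives as an array
        $requested = '';
    }

    // Authentication first, so an unauthenticated probe learns nothing about
    // which page names exist: everything but the public pages redirects.
    if (!isset($session['username']) && !in_array($requested, PUBLIC_PAGES, true)) {
        return ['redirect' => 'index.php?page=login'];   // assumed login URL
    }

    $file = resolve_page($requested);
    if ($file === null) {
        return ['include' => 'includes/404.php'];
    }
    return ['include' => 'includes/' . $file];           // $file is a literal from PAGES
}

// For contrast only: the shape the thread is warning about.
function vulnerable_path(string $page): string
{
    return 'includes/' . $page . '.php';
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs for the demonstration.
    echo "original code would require: ", vulnerable_path('../index'), "\n";
    // includes/../index.php resolves to the front controller itself

    $admin = ['username' => 'admin'];
    $cases = [
        ['page' => 'login',        'session' => []],      // public: included
        ['page' => 'index',        'session' => []],      // not logged in: redirect
        ['page' => 'users',        'session' => $admin],  // whitelisted: included
        ['page' => '../index',     'session' => $admin],  // not a key: 404
        ['page' => '../../config', 'session' => $admin],  // not a key: 404
        ['page' => ['x'],          'session' => $admin],  // array parameter: 404
    ];
    foreach ($cases as $c) {
        printf("%-16s logged_in=%-3s => %s\n",
            json_encode($c['page']),
            $c['session'] ? 'yes' : 'no',
            json_encode(route(['page' => $c['page']], $c['session'])));
    }
}

// In index.php the dispatch is then just:
//   $r = route($_GET, $_SESSION);
//   if (isset($r['redirect'])) { header('Location: ' . $r['redirect']); exit; }
//   require $r['include'];
```

Two points this makes concrete. First, `file_exists('includes/../index.php')` is true, so the existence check in post #3 does nothing against traversal; with a whitelist there is nothing to check on disk at all, and a typo in the map shows up as a missing file on the developer's machine rather than as a 404 chosen by a visitor. Second, moving `includes/` outside the web root (as post #2 suggests) stops direct requests to those files but does not stop traversal through `include`, because the path is resolved on the server; any `.php` file the web server user can read is reachable through `..`. Note also the `exit` after `header('Location: ...')`: without it PHP keeps executing the rest of the script after sending the redirect header.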
