PHP error or just my error

<?php if (isset($_GET['page']) && file_exists("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php")) { include("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php"); } else { include("{$_SERVER['DOCUMENT_ROOT']}/includes/sorry.php"); } ?>

Either I’m forgetting a line or just completely forgetting something. index.php is my main page and I was wanting some welcoming text. Well of course when they click a link it will point to the file and pull it up, but say the file don’t exists than it will pop up the sorry.php page. Hope I made it clear enough


EDIT: Easier way…I had it as home.php, but I didn’t want someone clicking a link when it was bad and taking them back home. I rather have a page explaining either the page didn’t exist or something else was wrong.

Remove the {braces} from the path arguments.

Maximum Cash Discount on any plan with MAXCASH

How To Install PHP.INI / ionCube on DreamHost

what will that do?


if (isset($_GET[‘page’]) && file_exists("{$_SERVER[‘DOCUMENT_ROOT’]}/includes/{$_GET[‘page’]}.php")) {
} else {
I don’t think using code like that is a good idea. Tell me what you think will happen if one visits the URL index.php?page=…/index ? Or index.php?page=…/secrets/passwords.txt ?

When using input that is linked to using a system resource, it is best to compare the input to a known list of acceptable values otherwise if you aren’t careful you will introduce a vulnerability that can be exploited.

You probably need me to point this out. One thing you can do is retrieve a list of all the PHP scripts in the includes directory first, and check to see if the input is in the list. Or you can just hardcode a list into the script (which would be better). Or you can learn more about file pathname operations and figure out how to make sure the file you are opening is in a particular directory.

:cool: -//-

I’m not quite following you. Someone posted that a while back to use to keep people from trying to get somewhere else when they aren’t suppose to.

So what do you suggest than?


And it is flawed.

For example visit this URL:…/images/banner.jpg

Now you didn’t put banner.jpg in the includes directory did you? Click on that link then see what the browser does to the URL.

But this “trick” isn’t really a trick, every developer should know not only why it works but also how it affects the security of their applications and computer systems. This doesn’t just happen with URLs, it happens with paths in using files and directories.

:cool: -//-

Nice. So what are you suggesting than? Do I need to change the php script? If I do than to what since I thought someone was helping me out. It should be posted somewhere around here on the forums.

What can I do to prevent that an improve security?

Thanks very much though


I will withhold most of my commentary on the risks of executing any file that is passed as a url argument, but I’ll say a couple things. I agree that it is indeed risky, and I would suggest implementing a switch statement so that only certain files can be executed based on predetermined values that you decide are permissible.

If you have so many files that this is not feasible, perhaps you should step back and reconsider what you’re trying to accomplish. It would seem to me that you’d be duplicating a lot of repetitive code like header and footer files.

With that out of the way I’ll go on to say that what you’re describing seems to me like a simple 404 page. You want to show a certain page when the requested document is unavailable. This is easily accomplished by putting a couple things in a .htaccess file. You could try something like this:

<Files .htaccess>
order allow,deny
deny from all

ErrorDocument 400 /error.php
ErrorDocument 401 /error.php
ErrorDocument 403 /error.php
ErrorDocument 404 /sorry.php
ErrorDocument 500 /error.php