PHP include


#1

I have simple PHP code to include content from various files into a stable frame. This works fine on my college’s PHP Version 5.1.2 and Apache 2.0 Handler Server API.

The code does not work on DreamHost PHP Version 5.2.17 CGI/Fast CGI Server API.

Here is a copy of the code.

<?php ///////////////////////////////////////////////////////// // The following should be used for a PHP site template // in order to ensure the same "appearance" of all // content on a website. // // href values should start with "?pg=" // // // //////////////////////////////////////////////////////// // Verify that the value of $pg is acceptable. Feel free // to modify these conditions based on your individual needs. if ((empty($pg)) || (ereg('http://', $pg)) || (!(file_exists("./".$pg))) || (pg=='index.php')) { $pg = "rochester.html" ; } //print "$pg

"; ?>

This space has HTML code for the site frame and then in the content division of the document comes the PHP include statement.

<? include($pg); ?>

Content is added by using a link such as the following

<a href="http://jamesbearden.net/?pg=rochester.html">Rochester Neighborhoods</a>

causing the contents of “rochester.html” to be included in the content division of the page viewed.

As I said this work find on my college server but not DreamHost.
Can someone point me in the right direction to change code or the settings to make this work at DreamHost?


#2

When you say it doesn’t work what do you mean? does it error? if so what error message?

What is the expected output and what output are you getting?


#3
  1. Your code depends on the deprecated register_globals feature, which is disabled by default on all current versions of PHP, including our install. You can work around this by loading $pg explicitly:
    [php]$pg = $_GET[“pg”];[/php]

  2. Your code contains an arbitrary inclusion vulnerability. Never, ever use the include (or require) functions on a variable which you are not absolutely sure is safe. The tests you’re performing are not adequate to check for that — at a minimum, you should be stripping out slashes.


#4

Sorry, I forgot to explain.
I do not get an error message, such as file not found. Essentially nothing happens. The only content that is ever visible is the original content in the $pg= filename


#5

One of the cases leading to that assignment is:
[php]empty($pg)[/php]
Which is always true with register_globals disabled, as nothing has ever assigned a value to $pg.