PHP deny include if http is in the variable

Discussion in 'OT Technology' started by Gordonator, Aug 14, 2004.

  1. Gordonator

    Gordonator Guest

    I have <?php include ($_GET['load'].".html") ?> and it works, but if I put nav.php?load=http://www.yahoo.com/index it works and loads Yahoo into the page. This is bad: if a hacker pointed it to a malicious script like http://hacksite.net/delete, the page delete.html would contain an asp script that attempted to delete all the files. I figured that if the script detected "http" anywhere in the variable, and just ended if it did, it would prevent such evil-doing.
     
  2. TheDarkHorizon

    TheDarkHorizon

    Joined:
    Sep 26, 2002
    Messages:
    2,396
    Likes Received:
    0
    Location:
    San Francisco, CA
    I would check each case because worse things can come out of that. But if you insist, do this:

    if(eregi("http://", $_GET['load'])) {
        echo "Malicious include attempt. Go away.";
    }
    else {
        include ($_GET['load'].".html");
    }
     
  3. Gordonator

    Gordonator Guest

    What worse things can come?
     
  4. TheDarkHorizon

    TheDarkHorizon

    The fact that they can traverse anywhere on your server is enough for concern. Though you do tag on the ".html" at the end, so it is a bit safer. I just like to know that they can't try anything.
     
  5. Gordonator

    Gordonator Guest

    If they know the path of stuff on your server, can't they just look at it anyway?

    By the way, how do I set it to detect a NULL value and make a default page?
     
  6. TheDarkHorizon

    TheDarkHorizon

    // Check for a missing value first, so $_GET['load'] is never read before it exists.
    if(!isset($_GET['load'])) {
        echo "Default page";
    }
    // eregi() is case-insensitive; it was removed in PHP 7, where
    // stripos($_GET['load'], "http://") !== false does the same job.
    else if(eregi("http://", $_GET['load'])) {
        echo "Malicious include attempt. Go away.";
    }
    else {
        include ($_GET['load'].".html");
    }
     
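The thread's blocklist only stops values containing "http://"; as TheDarkHorizon notes, a value can still point anywhere on the server (and other URL schemes are not caught at all). The usual fix is the reverse approach: an allowlist of page names, with a default when ?load= is missing. Added example, not code from this thread; the page directory, page names and default are assumptions.

```php
<?php
// Added example (not from the thread): an allowlist-based replacement for
// include($_GET['load'] . ".html"). Rather than looking for bad input, only
// names on a fixed list ever reach include(), so URLs, "../" sequences and
// stream wrappers are rejected without having to enumerate them.

const PAGE_DIR      = __DIR__ . '/pages';            // assumed: where the .html fragments live
const DEFAULT_PAGE  = 'home';                        // assumed: used when ?load= is absent
const ALLOWED_PAGES = ['home', 'about', 'contact'];  // assumed: the only includable names

/**
 * Map the raw ?load= value to a safe file path, or null if it is not allowed.
 * A missing or empty value falls back to DEFAULT_PAGE (the "NULL value" case
 * asked about in the thread); anything not on the allowlist returns null.
 */
function resolve_page(?string $load): ?string
{
    if ($load === null || $load === '') {
        $load = DEFAULT_PAGE;
    }
    if (!in_array($load, ALLOWED_PAGES, true)) {
        return null;
    }

    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $load . '.html');

    // Belt and braces: the resolved file must exist and still sit inside PAGE_DIR,
    // even if the allowlist is edited carelessly later on.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['load'] ?? null);
if ($page === null) {
    http_response_code(404);
    echo 'Unknown page.';
} else {
    include $page;
}
```

With this in place, nav.php?load=http://www.yahoo.com/index simply gets a 404, and logging the rejected value is an easy way to spot probing.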