http://www.percentageproducts.com/home.php?id=main main.html does exist, so why can't it read it? The code is <? php include '$id.html' ?> Please help.
Huh. I'm surprised that that worked, actually... in the code that you pasted there, you use single quotes which should not have the variable being interpreted.
Have you tried <? php include "$id" . ".html" ?> Beware of "." [dots]: one is for concatenation and one for the file extension.
I hope you're filtering that $id variable? Oops, I just tried it, you're not. Better fix that (Filter out ".." etc)
By changing your URL to be id=.. -- it is obvious you're not doing any sanity checks on the data. That is an invitation to be hacked. You must remove tags (strip_tags) and things like ../ ; probably better off to remove all non-word characters or just check the $id against a list of good ones before proceeding.
Another issue: http://www.percentageproducts.com/main.inc Never include something without a .php extension. If that file has code in it and does not have a php extension, it will get printed out to the browser.
I thought PHP includes/requires all files first and then starts to execute the script?! This would mean you can only include some hardcoded files like <?include header.php?> but no files with any variables in the name (just because they are still unknown when you try to include these files). I always did something like $var=read_textfile($id) in this case, and then print it out.... Can someone tell me if this is right or not? I only know it for sure from ASP...
$var=read_textfile($id) or $var=file_get_contents($id) are only a problem if you let the user set the $id. So yea, if you are doing home.php?id=filename then that presents a security problem. If it is your own internal $id that you pulled from a database then that isn't an issue. You can let the user set id but you MUST check it for sane entries -- meaning eliminate any periods '.', eliminate any slashes, eliminate any quotes... basically eliminate any non-word characters from the entry. $id = preg_replace("|\W|","",$id); or you can create an array of valid inputs $valids = array( 'home' , 'contact' , 'register' ); and then check to see if $id is in the array: if (!in_array($id,$valids)) { echo "Bad input";exit; }
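Putting the allowlist approach from the reply above into a complete home.php, as an added example that is not code from the thread; the pages/ directory, the three page names and the resolvePage() helper are assumptions.

```php
<?php
// Hardened replacement for home.php?id=... (added example, not from the thread).
// Assumes the includable pages live in a "pages/" directory beside this script.

// 1. Allowlist: the public id is only a lookup key, never part of a path.
//    Anything not listed ("..", "/", "main.inc", a URL) is rejected outright,
//    so no request string can reach include() as a file name.
const PAGE_ALLOWLIST = [
    'main'     => 'main.html',
    'contact'  => 'contact.html',
    'register' => 'register.html',
];

// Returns the absolute path of the page file for $id, or null if $id is not allowed.
function resolvePage($id): ?string
{
    // $_GET values can be arrays (id[]=x); only a plain string is acceptable.
    if (!is_string($id) || !isset(PAGE_ALLOWLIST[$id])) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGE_ALLOWLIST[$id]);
    // 2. Defence in depth: the resolved file must really sit under pages/,
    //    even if the allowlist itself is ever edited carelessly.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$file = resolvePage($_GET['id'] ?? 'main');
if ($file === null) {
    http_response_code(404);
    echo 'Unknown page';
    exit;
}
// The file was chosen by our table, not by the request. For purely static HTML,
// readfile($file) would also do and avoids executing any PHP inside the page.
include $file;
```

The preg_replace("|\W|","",$id) approach mentioned in the reply strips dangerous characters but still lets an attacker probe for any word-named file; the allowlist map above makes the set of reachable files explicit.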
Anyone can send their browser directly to yourserver.com/main.inc and be able to read it as Apache does not parse .inc files through PHP. Therefore, if you store passwords in the inc file, anyone can read them without a problem. Instead, call it main.php: that way, if a user calls it directly in a browser, it should get parsed correctly by Apache and essentially have no useful output.
Wherever you need to validate the data. So before you would call something that did an include with $id, you would run $id = preg_replace("/...... or $id = strip_tags($id); That would clean up the $id variable.
Ok man you've been a great help a thousand thank yous. Check out my site, how safe would you say it is now?