simple include & security

Conquester777 *Pro* Member RIP- Proboards Legend CirclesAreFun Posts: 4,008 Conquester777 inherit RIP- Proboards Legend 39218 Conquester777 Conquester777 0 Oct 11, 2005 6:36:29 GMT -8 Conquester777 CirclesAreFun 4,008 *Pro* Member March 2005 cq777	simple include & security Jul 27, 2005 17:33:40 GMT -8 Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by Conquester777 on Jul 27, 2005 17:33:40 GMT -8 www.domainnamehere.com/index.php?page=abcdef include('$page'); dont have have any fool proof server side safe guards agaisnt the security risk??
	[size=1][font=Tahoma,Verdana,Arial] [/font][/size] Morgana says: very ugly stoopid purple funny monkey puppy quickly eats ten billion inanely flying goldfish and pukes up cinammon pie with red peanuts and yucky mustard with groping dishwasher breaking tentacles!! Lara says: uh why? Will says: cause the goldfish were inane obviously

J. Meeter Veteran EXOH i do my crosswords in pen Posts: 8,249 J. Meeter inherit EXOH 27575 xxGRENADEinMOUTH 0 Nov 12, 2007 22:40:30 GMT -8 J. Meeter i do my crosswords in pen 8,249 Veteran July 2004 modernxxromance	simple include & security Jul 27, 2005 18:03:05 GMT -8 Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by J. Meeter on Jul 27, 2005 18:03:05 GMT -8 wtf are you talking about? are you talking about stuff like this: smartpunk.com/index.php?mainFrame=http://jordanmeeter.com ?
	Last Edit: Jul 27, 2005 18:04:21 GMT -8 by J. Meeter

squalleh
Guest

simple include & security Jul 28, 2005 5:00:13 GMT -8

Post by squalleh on Jul 28, 2005 5:00:13 GMT -8

cq777 said:

www.domainnamehere.com/index.php?page=abcdef

include('$page');

dont have have any fool proof server side safe guards agaisnt the security risk??

Turn of Register Globals, first of all. That'll eliminate a nice percentage of the security risk. With Register Globals enabled people could easily inject information that is unwanted into your forms.

Also, don't simply include whatever is in the HTTP POST. Check it for some validity. As it currently stands, somebody could include a malicious file, which could exploit and attack your host. So, you don't want that to be allowed.

Make an array containing every page you want recognized. Then check the HTTP POST against that array. If such a file is requested, and it happens to be in the array, allow it. At least, that's one such way of doing this. Another is to set up a Select Case statement, to include a certain file depending on the HTTP POST, and then a default file if nothing is matched. There are plenty of ways.

Conquester777
Pro Member

RIP- Proboards Legend

CirclesAreFun

Posts: 4,008

simple include & security Jul 28, 2005 23:14:48 GMT -8

Post by Conquester777 on Jul 28, 2005 23:14:48 GMT -8

i think ill choose the array method, it's very easy.

why would any body use that select case stuff? it seems like a waste of time to me, a bit clunky. kinda like making a new function when you're only using the function in one place.

and what does turning off Register Globals do exactly?

[size=1][font=Tahoma,Verdana,Arial]

[/font][/size]

Morgana says:
very ugly stoopid purple funny monkey puppy quickly eats ten billion inanely flying goldfish and pukes up cinammon pie with red peanuts and yucky mustard with groping dishwasher breaking tentacles!!
Lara says:
uh why?
Will says:
cause the goldfish were inane obviously

J. Meeter
Veteran

EXOH

i do my crosswords in pen

Posts: 8,249

simple include & security Jul 29, 2005 20:53:02 GMT -8

Post by J. Meeter on Jul 29, 2005 20:53:02 GMT -8

squalleh said:

cq777 said:

www.domainnamehere.com/index.php?page=abcdef

include('$page');

dont have have any fool proof server side safe guards agaisnt the security risk??

Turn of Register Globals, first of all. That'll eliminate a nice percentage of the security risk. With Register Globals enabled people could easily inject information that is unwanted into your forms.

Doesn't that depend on whether you're using GET or POST?

Conquester777 *Pro* Member RIP- Proboards Legend CirclesAreFun Posts: 4,008 Conquester777 inherit RIP- Proboards Legend 39218 Conquester777 Conquester777 0 Oct 11, 2005 6:36:29 GMT -8 Conquester777 CirclesAreFun 4,008 *Pro* Member March 2005 cq777	simple include & security Jul 30, 2005 0:14:36 GMT -8 Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by Conquester777 on Jul 30, 2005 0:14:36 GMT -8 why does using GET, reduce security?
	[size=1][font=Tahoma,Verdana,Arial] [/font][/size] Morgana says: very ugly stoopid purple funny monkey puppy quickly eats ten billion inanely flying goldfish and pukes up cinammon pie with red peanuts and yucky mustard with groping dishwasher breaking tentacles!! Lara says: uh why? Will says: cause the goldfish were inane obviously

Post by Conquester777 on Jul 27, 2005 17:33:40 GMT -8

Post by J. Meeter on Jul 27, 2005 18:03:05 GMT -8

Post by squalleh on Jul 28, 2005 5:00:13 GMT -8

Post by Conquester777 on Jul 28, 2005 23:14:48 GMT -8

Post by J. Meeter on Jul 29, 2005 20:53:02 GMT -8

Post by Conquester777 on Jul 30, 2005 0:14:36 GMT -8