song.php is the file that I'm using as my template file, and it calls
information from the includes/ directory, which the file "1" would be in. If
someone would please look at song.php (I stripped it down to the basics
pretty much) and let me know the best and most secure way to do what I want
it to do. When finished, the includes directory will have dozens of files
(numbered 1 and up), as you can see from the dropdown list in song.php .
Thanks for the help.

-- 
Kyrie Eleison,
Rick
www.spiritsword.com/phpBB2/


Rick Beckman wrote:
> Okay, I was mistaken... There is a gaping security hole in my simple
> li'l script... How do I modify it to only accept files from a certain
> path? I want the url format to be script.php?call=1 where "1" is the
> called file in the /includes/ directory. Just when I get optimistic I
> leave the entire system exposed. Yeah, that fits with my luck. :-)
>
>
> Rick Beckman wrote:
>> Sarcasm aside, I do have the script set up (although I didn't note so
>> in the last response) to not accept files with '.' or '..' in the
>> path. The URL can accept directories within the one the PHP script is
>> in, but not in a different path or any directory above its own (i.e.,
>> the server files).
>>
>>
>> John W. Holmes wrote:
>>>> I have a page set up that loads the contents of a text file into an
>>>> HTML template using PHP. (i.e. something.com/page.php?include=1
>>>> where "1" is a simple no-extension text file in the same directory
>>>> as page.php). Is there a
>>>> way to modify the PHP code in the template page to search for the
>>>> included page in another directory? Right now, the only way to do
>>>> it is to have the URL as "page.php?include=files/1".
>>>>
>>>> Currently, here is the code I use to take the $include URL
>>>> variable and make the file accessible in the template:
>>>>
>>>> $info = file($include);
>>>
>>> Can I get the URL to your server, please, so I can pull up
>>> page.php?include=/etc/passwd ?? Thanks, I would really appreciate
>>> that.
>>>
>>> But seriously, I really hope you are validating what $include is.
>>>
>>> If you want the file to be included from a different directory, then
>>> you have to pass some flag/variable to PHP to tell it where to look.
>>> If you always want it to be in the same dir, then use
>>>
>>> $info = file('files/' . $include);
>>>
>>> ---John Holmes...


[attachment: song.php (uuencoded, not reproduced)]

[attachment: 1.dat (uuencoded, not reproduced)]

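Since the attached song.php is not readable here, the following is an added example (not Rick's code and not anything posted in the thread) of the restriction the message asks for: accept `?call=N` only when N is a small positive integer, and read only from a fixed `includes/` directory next to the script. The directory name, the query parameter `call`, the 404 response and the numeric-id regex are assumptions; the `file()` call and the line-indexed `$info` array are the same shape as the snippet quoted above.

```php
<?php
// Added example, not the thread's song.php. Loads song data only from a fixed
// includes/ directory, keyed by a numeric id taken from ?call=N.

// Assumed layout: the song files live in includes/ beside this script.
define('SONG_DIR', dirname(__FILE__) . '/includes');

/**
 * Return the absolute path of the song file for $id, or null if $id is not an
 * acceptable identifier or the file does not exist under SONG_DIR.
 */
function song_path($id)
{
    // 1. Digits only, no leading zero, at most 6 digits. This alone rules out
    //    "../", "/etc/passwd", null bytes and php:// or http:// wrappers.
    //    is_string() matters because ?call[]=1 arrives as an array.
    //    \z (not $) so a trailing newline cannot slip past the regex.
    if (!is_string($id) || !preg_match('/^[1-9][0-9]{0,5}\z/', $id)) {
        return null;
    }

    $base = realpath(SONG_DIR);
    $path = realpath(SONG_DIR . '/' . $id);

    // 2. realpath() returns false for a missing file, and even though the
    //    regex already prevents traversal, confirm the resolved path still
    //    sits inside SONG_DIR (defence in depth, e.g. against a stray symlink).
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// The weak pattern quoted in the thread, for comparison only:
//   $info = file($include);    // caller picks any readable file on the box
//
// Hardened use: read from $_GET explicitly rather than relying on
// register_globals, validate, then open the resolved path.
$id   = isset($_GET['call']) ? $_GET['call'] : '';
$path = song_path($id);
if ($path === null) {
    header('HTTP/1.0 404 Not Found');
    echo 'No such song.';
    exit;
}

$info = file($path, FILE_IGNORE_NEW_LINES);

// The data files are trusted less than the template: escape each line before
// echoing it so a stray "<" in a lyric cannot inject markup into the page.
foreach ($info as $line) {
    echo nl2br(htmlspecialchars($line, ENT_QUOTES, 'UTF-8')), "\n";
}
```

Because the identifier is reduced to a small integer before it touches the filesystem, the `realpath()` containment check is belt and braces rather than the primary control; the useful habit is keeping both, so that a later change to the regex (say, allowing album subdirectories) does not silently reopen the hole. If the dropdown in song.php is the only intended entry point, the same list of valid ids can be kept in one PHP array and used both to render the `<option>` elements and to validate `call`, which keeps the menu and the allowlist from drifting apart.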
