Discuss: Manage Your Content With PHP
by Christopher Robbins
- Editorial Comments
12 thank god for ala
i had been pondering taking my .asp site and changing it to a .php site instead. all my dippy questions have now been answered and i think my weekend is also now taken care of.
many thx
posted at 02:38 am on August 9, 2002 by burtware
13 Quotes
The quotes in the following code:
<?php echo "<style type=\"text/css\" media=\"all\">@import \"$style.css\";</style>"; ?>
may not be replaced with “ and ”. Quotes within HTML tags or PHP code must be regular quotes; only quotes that are part of copy should be written as “ and ”.
posted at 06:55 am on August 9, 2002 by eMenendez
14 Where can I try this out?
I am interested in learning PHP, but my website’s current host does not offer PHP support.
Aside from changing host servers, can anyone tell me where I might be able to try my hand at authoring PHP pages for free in a live environment?
posted at 02:28 pm on August 9, 2002 by Ron C
15 Local PHP Development
Ron C: You could try installing Apache/PHP on your own computer (or PHP with another web server, but Apache is what I recommend). There are instructions on the web for doing this and a basic installation isn’t that difficult to achieve. The alternative would be to find a free web host that supports PHP. They do exist. I know from past experience that Evolt.org offers its members web hosting with PHP capabilities for the purpose of learning and practising web development, along with a wealth of articles about web dev.
posted at 04:12 pm on August 9, 2002 by Linus
16 More on Security and Register Variables
Christopher mentions the use of a cookie to store user preferences, and accessing it directly through var $cookieName. However, in the most recent builds of PHP, these values are no longer directly accessible because of the security risk of an attacker setting variables directly by passing them in the request.
So, on 4.2 or later builds of PHP, you’ll want to use the $_COOKIE[], $_GET[], and $_POST[] arrays to get styleCookie and page. And you’ll want to untaint any values you pull from the arrays.
Following up on skye’s method for preventing an attacker from including an off-server page, I’d suggest creating a PHP object which generates the array of legal pages (via a directory traversal) or reads a site map file with the set of allowed pages. Of course, you pay a penalty in performance since the map has to be loaded and parsed with every invocation. — PHP really needs the notion of an Application-level object.
— whump
posted at 04:42 pm on August 9, 2002 by Bill Humphries
17 Alternate stylesheets
I’m wondering if anyone else had trouble getting the browser to recognize the alternate stylesheets? I’m using Moz 1.1a and it doesn’t see them.
posted at 05:11 pm on August 9, 2002 by Alex Morales
18 Alternate Page Test
I spent a few minutes thinking about on-the-fly include path validation and came up with:
<?php
$file = $_GET['file'];
// untaint $file
$file = str_replace("/..", "", $file);
$base = $_SERVER['DOCUMENT_ROOT'];
$path = $base . $file;
print "Looking for $path.";
if ($path == $_SERVER['PATH_TRANSLATED']) {
    print "Silly end user, you cannot load yourself.";
} elseif (file_exists($path)) {
    include_once($path);
} else {
    print "Could not find $path.";
}
?>
Which is intended to prevent any files off the server’s document path from being served.
When I try the obvious attack:
http://localhost/includeTest.php?file=../../../etc/passwd, the response is:
Looking for /Library/WebServer/Documents/etc/password.
Could not find /Library/WebServer/Documents/etc/password.
posted at 07:04 pm on August 9, 2002 by Bill Humphries
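An example added here (not code from the article or from any commenter) that turns Bill Humphries’ two suggestions into one script: the allow-list of legal pages built from a directory listing in comment 16, read through $_GET/$_COOKIE rather than register_globals, and a stricter check for the include path in comment 18 using realpath() instead of stripping "/..". The content directory, page names and style names are assumed, and the syntax is PHP 7, not the 4.2-era code under discussion:

```php
<?php
// Added example, not from the article or the comment thread. Combines the
// allow-list of legal pages (comment 16) with a realpath() check as a second
// line of defence for the include path (comment 18). Directory names are assumed.

// Scan the content directory once and map page name => absolute file path.
function legal_pages(string $contentDir): array
{
    $pages = [];
    foreach (glob($contentDir . '/*.php') ?: [] as $file) {
        $pages[basename($file, '.php')] = $file;   // 'about' => '/srv/site/content/about.php'
    }
    return $pages;
}

// Resolve a requested page name to a file under $contentDir, or null if not allowed.
function resolve_page(string $requested, string $contentDir): ?string
{
    $pages = legal_pages($contentDir);
    if (!isset($pages[$requested])) {
        return null;                               // not on the allow-list, nothing to "untaint"
    }
    $real = realpath($pages[$requested]);
    $root = realpath($contentDir);
    // The resolved file must really live below the content directory; this
    // catches symlinks and any future mistake in how the allow-list is built.
    if ($real === false || $root === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// The style cookie is only honoured if it names a stylesheet we actually ship.
function resolve_style(?string $cookieValue, array $known, string $default): string
{
    return in_array($cookieValue, $known, true) ? $cookieValue : $default;
}

$contentDir = __DIR__ . '/content';                // assumed layout
$page  = resolve_page($_GET['page'] ?? 'home', $contentDir);
$style = resolve_style($_COOKIE['styleCookie'] ?? null, ['default', 'print'], 'default');

echo '<style type="text/css" media="all">@import "' . $style . '.css";</style>';
if ($page === null) {
    http_response_code(404);
    echo 'Could not find that page.';
} else {
    include_once $page;
}
```

Because the page name is looked up in a map built from the directory itself, a request for "../../../etc/passwd" simply fails the isset() check and never reaches the filesystem.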
20 Ironically...
Ironically, the very idea of php (inlined code within a document) goes against the whole point of this article (separation of content and structure). Just thought I’d mention it ;)
posted at 07:27 pm on August 9, 2002 by Joseph F. Ryan
11 Re: Decent But...
Marty M,
The downloadable source code shows the system in action, which should make the menu more sensible, and it is live and functioning here:
http://www.grographics.com/PHPSource/
I added these two lines to template.php for security reasons:
$page = str_replace('/', '', $page);
<?php error_reporting(0); ?>
(see my previous post via Paul Burney <http://paulburney.com> for explanation)
Chris
(and thanks, most people say I have a rather Flabby But)
posted at 10:24 pm on August 8, 2002 by Christopher Robbins