Registered Member #32
Joined: Sat Feb 04 2006, 08:58AM
Location: Australia
Posts: 549
Uzzors wrote ...
Your simple fix prevents that from happening too, c4r0, I think I'm going to have to rename my files and employ it. Who knows what else might turn up!
That's the right kind of attitude. When people point out issues like that, they're really saying, "Your site is abusable enough for this to happen," instead of, "Here's a specific bug to fix," which is what many people read it as, unfortunately.
First off, I'll say I'd do what Matt suggested (far less breakable), but if I were to go along with how you're doing things, I'd have the code strip all non-alphanumeric characters from the input before using it. (It's some time since I've coded PHP but there should be a command similar to AWK's gsub.) Then I'd have the code check against a limited list of allowed pages to load. (An associative array could do this nicely.)
A fundamental security commandment is, "Thou shalt not execute user input." Doing an include on a user-inputted string is equivalent to executing arbitrary user input. (This is one reason why I'd prefer Matt's method.) Putting the input through an associative array means only internally generated strings are executed.
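The two steps this post describes (strip non-alphanumerics, then look the result up in an associative array so only internally written paths ever reach include()), as an added example that is not code from the thread; the page names and the pages/ directory are assumed:

```php
<?php
// Added example, not from the post. Assumed layout: pages/home.php, pages/about.php, pages/links.php.
//
// The pattern the thread is warning about: the request value itself becomes the file to load,
// so the caller, not the site author, decides what gets executed.
//   include($_GET['page'] . '.php');   // do not do this

// Allow-list: the request value is only ever used as a KEY. The values on the right are
// fixed strings written by the site author, and those are the only things include() will see.
$pages = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
    'links' => 'pages/links.php',
];

// Step 1: strip everything that is not a letter or digit (preg_replace is PHP's counterpart
// to awk's gsub). Step 2: look the cleaned key up; an unknown key falls back to the default
// page instead of being turned into a path.
function resolve_page(string $raw, array $pages, string $default = 'home'): string
{
    $key = preg_replace('/[^a-z0-9]/i', '', $raw);
    return $pages[$key] ?? $pages[$default];
}

$file = resolve_page($_GET['page'] ?? 'home', $pages);
include __DIR__ . '/' . $file;
```

Because the lookup returns one of the array's own values, a request for any key that is not in the list (including one containing slashes, dots or encoded characters) simply renders the default page.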
Registered Member #143
Joined: Sat Feb 11 2006, 04:25PM
Location: Austin TX, NorAm, Sol III
Posts: 28
I know it's been a while since anyone posted to this thread, but since I did my website in PHP I thought I'd share some helpful info.
First of all, you guys might want to use require_once() instead of include() to add files to the page. This way, you only include a particular file one time, even if you call it specifically more than once accidentally (e.g., one particular article).
For testing to see if a particular file is there, use file_exists() in an if statement. I did this for the site I made for my son. Index.php includes a "body" file. Page0.php is the default "main" page, and the pages increment from there. I use numbered pages because I wrote a "prev -- main -- next" auto-link function for it so you can go to any page from main, or go to the next/prev page from the page you are currently on. It checks to see if the next page exists, and if it doesn't then "next" is not a link (I got tired of changing the max page count variable every time my wife added a new page ;).
hmmm ... this editor is adding ; before all the < symbols in the code instead of converting them to <.
I set $path to the full filepath for the site at the top to keep the require_once() function calls short enough for one line. menu- and foot.php are both static files used on every page, while pageN.php (where N is the number) are the pages only used for this particular site.
I'm using style sheets (CSS2.1) to do the layout (title at top, menu on the right, main body left of the menu). Check out the Position is Everything website for some good tips.
Oh, and I use vim (CLI text editor) on my linux box (I run my own server) and vim for windows on the XP gaming machine. ;)
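The poster's own code was mangled by the forum editor, so the following is an added reconstruction of the scheme described (numbered pageN.php files, a prev/main/next helper driven by file_exists(), require_once() for the shared menu and footer); it is not the poster's code. It assumes $path/menu.php, $path/foot.php and $path/page0.php, page1.php, ... exist, and a query parameter p carries the page number.

```php
<?php
// Added example reconstructing the post's scheme; not the poster's original code.
// Assumed layout: $path/menu.php, $path/foot.php, $path/page0.php, $path/page1.php, ...
$path = __DIR__;   // full site path, kept in a variable so the require_once() calls stay short

// Coerce the requested page number to a non-negative integer. Whatever arrives in the
// query string, the only thing that can reach require_once() is "page<digits>.php".
$n = filter_var($_GET['p'] ?? 0, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
if ($n === false) {
    $n = 0;
}

function page_file(string $path, int $n): string
{
    return $path . '/page' . $n . '.php';
}

// The "prev -- main -- next" helper: a neighbour is only linked when its file exists,
// so there is no max-page-count variable to maintain when a new page is added.
function nav_links(string $path, int $n): string
{
    $prev = ($n > 0 && file_exists(page_file($path, $n - 1)))
        ? '<a href="?p=' . ($n - 1) . '">prev</a>' : 'prev';
    $next = file_exists(page_file($path, $n + 1))
        ? '<a href="?p=' . ($n + 1) . '">next</a>' : 'next';
    return $prev . ' -- <a href="?p=0">main</a> -- ' . $next;
}

// Unknown page number: fall back to the main page rather than erroring out.
if (!file_exists(page_file($path, $n))) {
    $n = 0;
}

require_once $path . '/menu.php';      // static, shared by every page; included at most once
require_once page_file($path, $n);     // the body for this page
echo nav_links($path, $n);
require_once $path . '/foot.php';
```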