07-07-2008, 02:57 PM   #10
Evulness
The Contributor
Join Date: Apr 2008
Location: Tampa, FL
Posts: 62

It has been a long week. Between trying to work all week with a migraine and the 4th of July stuff, it's been pretty hectic, so I haven't had much time to update anything.

Oh wow, that's weird. That makes it include itself? It works like I was doing an include 'index.php'.

Well, in short, this is my page handler:
Code:
// Normalise Windows backslashes to forward slashes, then point at Files/.
// The first argument is assumed to be "\\"; the forum stripped it from the post.
$page_path = str_replace("\\", "/", realpath(dirname(__FILE__))).'/Files/';
define('PAGE', $page_path);

$EvPage = $_GET['page'];
if ($EvPage) {
    // Build the include path directly from the request parameter.
    $Pagename = PAGE.$EvPage.'.php';
    if (file_exists($Pagename)) {
        include_once ($Pagename);
    } else {
        // Do my error handling
    }
}
which works rather well. I didn't know about the example you posted, though.
I don't have my main security measures in place yet, because there really aren't any holes in it yet, not that I can see anyway, other than what you pointed out, but I don't see how that can be a security flaw if you can't force it to try to include files that aren't there.
I have a cleaning function I'm going to be using with the rest of the system, as well as session validation, encryption, error logging, etc.
I have a few test procedures drawn up to test my scripts for flaws, but I'm sure there is plenty of stuff I'm not looking for, a.k.a. Jim's ../index inclusion. The main thing I'm securing from the get-go is that all inputs (stripping slashes, shell commands, injections, HTML) are cleaned; all supers (POST, GET, SESSION, etc.) are cleaned on page load. When it comes down to it, I will be doing MIME checking on file types, etc.

As it sits, the site is a basic templating system. The index handles everything. All I have to do is change my index.template page and the whole site changes. On site load, the template is initiated, if my checks are OK.
When you "Enter" from the splash, it runs the checks. (The splash page will be able to be disabled in user settings, when that's done.)

I haven't put anything live on the site that I haven't tested repeatedly on my 2 test servers. I have 2 boxes besides this one, a Linux server and a Windows server (to help with cross-server compatibility, etc.). I've run into a few instances where the code worked fine on the Windows box but failed on the Linux box (especially with my MySQL queries; my Linux box doesn't like tildes ( ` )).

Things are rolling along slowly, but I'm getting there :)
__________________
"Knowledge is power. Abuse it."~Evulness
My portfolio: www.evularts.com
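Added example (editor's code, not Evulness's or anything from the thread): the posted handler's path resolution next to a hardened version, both run against a throwaway Files/ directory created under the system temp dir so the "../index" inclusion the thread mentions is visible. The probe page names are constructed for the demonstration, and only the resolution step is shown; no file is actually included.

```php
<?php
// Added example, not the original poster's code. Builds a scratch layout:
//   $root/index.php          (stand-in for the site's index)
//   $root/Files/home.php     (a legitimate page)
$root = sys_get_temp_dir() . '/evpage_' . bin2hex(random_bytes(4));
mkdir("$root/Files", 0700, true);
file_put_contents("$root/Files/home.php", "<?php echo 'home page';\n");
file_put_contents("$root/index.php", "<?php echo 'index';\n");
$PAGE = "$root/Files/";

// As posted: concatenate the request parameter onto the Files/ prefix and
// check that the result exists. ".." segments are honoured by the OS, so
// "../index" resolves to Files/../index.php, i.e. the index itself.
function resolve_as_posted(string $pageDir, string $page): ?string
{
    $candidate = $pageDir . $page . '.php';
    return file_exists($candidate) ? $candidate : null;
}

// Hardened: accept only a bare page name (no separators, dots or NUL),
// canonicalise with realpath(), and require the result to stay under Files/.
function resolve_hardened(string $pageDir, string $page): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;                       // rejects "/", "\", ".", NUL, etc.
    }
    $base = realpath($pageDir);
    $real = realpath($pageDir . $page . '.php');
    if ($base === false || $real === false) {
        return null;                       // directory unresolvable or file missing
    }
    // Compare canonical paths; the trailing separator keeps Files/ from
    // matching a sibling directory such as Files_old/.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed probes: a real page, the traversal from the thread, a
// Windows-style traversal, and a page that does not exist.
$probes = ['home', '../index', '..\\index', 'nope'];
foreach ($probes as $p) {
    printf("%-12s posted=%-45s hardened=%s\n",
        json_encode($p),
        resolve_as_posted($PAGE, $p) ?? 'null',
        resolve_hardened($PAGE, $p) ?? 'null');
}

// Remove the scratch layout.
unlink("$root/Files/home.php");
unlink("$root/index.php");
rmdir("$root/Files");
rmdir($root);
```

Run with `php example.php`. The posted resolver returns a path for both `home` and `../index` (the second being the index outside Files/), while the hardened resolver returns a path only for `home`. The allowlist regex does the real work; the realpath prefix comparison is a second check so that a later loosening of the pattern still cannot escape the directory.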