Oh, never mind >.< You could try removing the unnecessary curly parentheses around the IF-ELSE statement, because you are only executing one line of code per conditional.
I took your suggestion and it still isn't working Sad

I first removed the brackets around the ELSE, then I took it off the IF. No luck on both counts.
Where is $crid getting defined?
Valid point.


Code:
 <body>
   
    <?php $crid = $_GET['id']; ?>

      <div id="header">


Surrounding tags to add location.
You absolutely must sanitise user input before using it as a file path (hint: what happens if you put ../../../copyright in the input field?)

Edit: What do your IDs look like? A regular expression to check for valid characters should be sufficient, as long as you do not allow any . or / characters in there!
Nothing happens. I get a <h3> stating "Error Retrieving Copyright."

My IDs are random. Something like dh6fx17 could be an ID.

Update: I've changed the IF ELSE to

Code:
if (file_exists('path/'.$crid.'.php'))
    include('path/'.$crid.'.php');
else
    include('path/generic.php');

Just an FYI, I've replaced the real path with 'path.'
comicIDIOT wrote:
Nothing happens. I get a <h3> stating "Error Retrieving Copyright."

I suggest you try it. It recursively includes copyright.php, and could do much worse if there were PHP scripts on the site that you didn't really want people to run.

Which characters are allowed in IDs? From your description preg_match('/^[a-z0-9]+$/', $_GET['id']) would work to check that the ID parameter only contained lowercase a-z, digits 0-9 and was at least one character long.
Oh weird. I don't get such a result, could be a webkit versus whatever Opera uses.

I'll be making the IDs on the fly, so I'd limit myself to alphanumeric characters. At one point I'll add a lowercase() function to make all uppercase text lowercase.

EDIT: Holy cow that picture is small.
If I squint your screenshot indicates that you entered ../../../../copyright (i.e. up four directories), not up three directories as per the example. Smile Either way, if you use the sample regular expression to validate the input you should be safer. Never trust the client!
Oh. Wow. That's so odd. I was able to replicate that. I'll add the preg_match Very Happy

I don't think preg_match is what I'm looking for. I tried preg_filter & preg_grep from php.com examples and documentation but both returned errors.

For the time being I have two echoes at the top that output what $crid is at at any given step. So, I have now:


Code:
    <?php
       $crid = $_GET['id'];
       echo $crid;
       $crid = preg_match('/^[a-z0-9]+$/', $crid);
       echo $crid;
    ?>


UPDATE: I'm not sure why it was important, but changing this first code block to the following code block fixed the IF ELSE issue.

Code:
<h3>Generic Copyright</h3>
<p>This page is still under construction.</p>




Code:
<h3>Generic Copyright</h3>
<p>
   This page is still under construction.
</p>
Yeah, that was going to be my next point: you're (you were?) basically letting the user specify arbitrary PHP scripts to be executed without sanitation, which is a very bad idea. Smile
I still am. I can't figure out preg_filter or preg_grep (from php.net documentation) as both seem to output an array, not a flat variable.

Any ideas?
preg_match() returns the number of times the pattern matches the supplied string, but stops after the first match. It therefore returns 0 on no matches, and 1 on at least one match.

Completely untested, but I'd probably structure it something like this:


Code:
<?php
if (isset($_GET['id'])) {
   
   # An ID has been specified. Check that it is valid and the file exists.
   $crid = $_GET['id'];
   
   if (preg_match('/^[a-z0-9]+$/', $crid) && file_exists('path/' . $crid . '.php')) {
      
      # It's valid and exists; include it.
      include('path/' . $crid . '.php');
      
   } else {
      
      # Display an error message and display the generic copyright anyway.
      echo '<h3>Error Retrieving Copyright</h3><p>No Copyright matches the Unique Identifier. Please double check the ID, if it is correct, please contact Alex Glanville.</p>';
      include('path/generic.php');
      
   }
   
} else {
   
   # No ID has been specified; display the generic copyright.
   include('path/generic.php');

}
?>
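An added, self-contained example (not from the thread or Ben's post) that wraps the validate-then-include logic above in a function and adds a second, defence-in-depth check: the resolved path must still lie inside the copyright directory. 'path/' is the thread's placeholder directory, the sample IDs are constructed, and COPYRIGHT_DIR and copyrightFileFor are names assumed here.

```php
<?php
// Added example, not the thread's own code. 'path' stands in for the real
// directory exactly as it does in the thread; COPYRIGHT_DIR is an assumed name.
const COPYRIGHT_DIR = __DIR__ . '/path';

/**
 * Return the file to include for $id, or null if the ID is invalid or missing.
 * Only lowercase letters and digits are allowed, as in Ben's regex, so "." and
 * "/" (and therefore "../") never reach the file system call at all. \z is used
 * instead of $ so that a trailing newline in the input is also rejected.
 */
function copyrightFileFor(string $id): ?string
{
    if (preg_match('/^[a-z0-9]+\z/', $id) !== 1) {
        return null;   // rejects "", "../../../copyright", "dh6fx17.php", "DH6FX17"
    }

    $candidate = COPYRIGHT_DIR . '/' . $id . '.php';
    $resolved  = realpath($candidate);   // false if the file does not exist
    $base      = realpath(COPYRIGHT_DIR);

    // Belt and braces: even if the regex were loosened later, refuse anything
    // whose canonical path escapes the copyright directory.
    if ($resolved === false || $base === false
        || strncmp($resolved, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed sample inputs, as a request handler would see them in $_GET['id'].
$samples = ['dh6fx17', '../../../copyright', 'DH6FX17', '', "dh6fx17\n", 'dh6fx17.php'];
foreach ($samples as $id) {
    $file = copyrightFileFor($id);
    printf("%-24s => %s\n", var_export($id, true), $file ?? 'generic (rejected)');
}

// In the real page, after lowercasing as the thread plans to:
// $file = copyrightFileFor(strtolower($_GET['id'] ?? ''));
// include $file ?? COPYRIGHT_DIR . '/generic.php';
```

Only 'dh6fx17' can return a path, and only when path/dh6fx17.php actually exists; every other sample falls through to the generic copyright.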
Oh! I see how that works.

If it doesn't work right away, I'm sure I could figure out how to fix it.

Thanks Ben!
Yeah, I too was thinking an alphanumeric filter of that type. Hats off to Ben, as usual. Smile