|
Posted by Chris on 10/04/63 11:23
Richard Davey wrote:
>Hello Joe,
>
>Tuesday, August 9, 2005, 12:57:17 AM, you wrote:
>
>
>JS> // call the include header file for that host
>JS> if (file_exists("$includepath/$Header")) { // include valid?
>JS> include stripslashes("$includepath/$Header"); // yup, include
>JS> } else {
>JS> echo "FAILURE MESSAGE OF SOME SORT"; // nope
>JS> exit;
>JS> }
>
>?>>
>
>JS> (rest of page)
>
>JS> I figure I can get a regexp in there somehow so I don't need two
>JS> entries for the main domain.com and it's www c name, either... need to
>JS> add that.
>
>You can just do this:
>
>switch ($_SERVER['HTTP_HOST']) // check hostname
>{
> case 'www.domain.com':
> case 'domain.com': // define host
> $Header = '/inc/main.header.inc'; // define header file
> break; // next
>}
>
>Stack 'em up as much as you need.
>
>JS> I'm also sort of paranoid about unchecked includes in PHP and
>JS> getting compromised--is doing a check like I am here for the
>JS> include file's existence worthwhile or even useful to protect
>JS> against possible problems?
>
>You're not doing an un-checked include - it's definitely checked.
>
>You've pre-defined the $includepath at the start of your script, so
>no-one can over-write this. You've forced $header to be one of the
>switch options and *nothing* else. So those two things are certainly
>clean.
>
>If someone manages to inject bogus variables into your
>$_SERVER['HTTP_HOST'] element then you've got bigger things to worry
>about than your code :) (i.e. someone has compromised your server) but
>with your switch block and pre-set values even if they had managed
>that, you'd still only ever include a valid header.
>
>You have to draw the line somewhere with security - nothing will ever
>be 100% safe because there are so many chains in the loop (firewall,
>network, server, apache, php, etc). I would say that as it stands
>you've done the best you can for this little section of code, but
>perhaps some others might post more ideas if they have them.
>
>Best regards,
>
>Richard Davey
>
>
Security-wise, you can't count on $_SERVER['HTTP_HOST'] , it is passed
to PHP by Apache, but Apache is just passing through the user-supplied
Host header.
So don't depend on that for any security related information (like
restricting logins), but, if it's jsut page layout, and they are all
similarly accessible site, that shouldn't be a problem.
Chris
[Back to original message]
|