Re[2]: set variables based on HTTP_HOST

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello Joe,

Tuesday, August 9, 2005, 12:57:17 AM, you wrote:


JS> // call the include header file for that host
JS> if (file_exists("$includepath/$Header")) {            // include valid?
JS>         include stripslashes("$includepath/$Header"); // yup, include
JS> } else {
JS>         echo "FAILURE MESSAGE OF SOME SORT";          // nope
JS>         exit;
JS>         }

?>>

JS> (rest of page)

JS> I figure I can get a regexp in there somehow so I don't need two
JS> entries for the main domain.com and it's www c name, either... need to
JS> add that.

You can just do this:

switch ($_SERVER['HTTP_HOST'])            // check hostname
{
       case 'www.domain.com':
       case 'domain.com':                // define host
              $Header = '/inc/main.header.inc'; // define header file
              break;                    // next
}

Stack 'em up as much as you need.

JS> I'm also sort of paranoid about unchecked includes in PHP and
JS> getting compromised--is doing a check like I am here for the
JS> include file's existence worthwhile or even useful to protect
JS> against possible problems?

You're not doing an un-checked include - it's definitely checked.

You've pre-defined the $includepath at the start of your script, so
no-one can over-write this. You've forced $header to be one of the
switch options and *nothing* else. So those two things are certainly
clean.

If someone manages to inject bogus variables into your
$_SERVER['HTTP_HOST'] element then you've got bigger things to worry
about than your code :) (i.e. someone has compromised your server) but
with your switch block and pre-set values even if they had managed
that, you'd still only ever include a valid header.

You have to draw the line somewhere with security - nothing will ever
be 100% safe because there are so many chains in the loop (firewall,
network, server, apache, php, etc). I would say that as it stands
you've done the best you can for this little section of code, but
perhaps some others might post more ideas if they have them.

Best regards,

Richard Davey
-- 
 http://www.launchcode.co.uk - PHP Development Services
 Zend Certified Engineer
 "I do not fear computers. I fear the lack of them." - Isaac Asimov

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux