Richard Davey wrote:
Hello Joe,
Tuesday, August 9, 2005, 12:57:17 AM, you wrote:
JS> // call the include header file for that host
JS> if (file_exists("$includepath/$Header")) { // include valid?
JS> include stripslashes("$includepath/$Header"); // yup, include
JS> } else {
JS> echo "FAILURE MESSAGE OF SOME SORT"; // nope
JS> exit;
JS> }
?>>
JS> (rest of page)
JS> I figure I can get a regexp in there somehow so I don't need two
JS> entries for the main domain.com and it's www c name, either... need to
JS> add that.
You can just do this:
switch ($_SERVER['HTTP_HOST']) // check hostname
{
case 'www.domain.com':
case 'domain.com': // define host
$Header = '/inc/main.header.inc'; // define header file
break; // next
}
Stack 'em up as much as you need.
JS> I'm also sort of paranoid about unchecked includes in PHP and
JS> getting compromised--is doing a check like I am here for the
JS> include file's existence worthwhile or even useful to protect
JS> against possible problems?
You're not doing an un-checked include - it's definitely checked.
You've pre-defined the $includepath at the start of your script, so
no-one can over-write this. You've forced $header to be one of the
switch options and *nothing* else. So those two things are certainly
clean.
If someone manages to inject bogus variables into your
$_SERVER['HTTP_HOST'] element then you've got bigger things to worry
about than your code :) (i.e. someone has compromised your server) but
with your switch block and pre-set values even if they had managed
that, you'd still only ever include a valid header.
You have to draw the line somewhere with security - nothing will ever
be 100% safe because there are so many chains in the loop (firewall,
network, server, apache, php, etc). I would say that as it stands
you've done the best you can for this little section of code, but
perhaps some others might post more ideas if they have them.
Best regards,
Richard Davey
Security-wise, you can't count on $_SERVER['HTTP_HOST'] , it is passed
to PHP by Apache, but Apache is just passing through the user-supplied
Host header.
So don't depend on that for any security related information (like
restricting logins), but, if it's jsut page layout, and they are all
similarly accessible site, that shouldn't be a problem.
Chris
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php