
Dynamic content problem over directories


PHPete


Firstly, I'd just like to say hello, seeing as this is my first post.

I've had a look about and I think I'm going to enjoy my stay here.

 

Now, here's my problem.

 

I'm using $_GET to power dynamic-content.

 

<?php
  // creates the page variable from the query string, defaulting to 'home'
  $page = isset($_GET['page']) ? $_GET['page'] : 'home';
?>

 

<?php
        // checks if there is content for the chosen page
        if(file_exists('content/'.$page.'.php'))
        {
          // if there is, it is included
          include('content/'.$page.'.php');
        }
        else
        {
          if(file_exists('content/404.php'))
          {
            // if there wasn't any content, fall back to the 404 page
            include('content/404.php');
          }
        }
?>

 

So say, for example, I have "Hello World!" in a file called helloworld.php and I go to websiteurl.com/helloworld (I've set up .HTACCESS to ignore "index.php?page=")

The "Hello World!" would display fine.

 

The problem I'm having is if someone tries a URL like this:

websiteurl.com/directory/file

 

It will display the content for the default (in this case home, since that's what I set it to at the start) in the directory. This means there is no styling and I run into a whole load of problems after that.

 

So, that's my problem.

Does anyone know how I would solve this? I'm unsure if it's because of the .HTACCESS or the way the PHP is being used.

I'd also like to know if there are any other security flaws with this code?

 

I'm also sorry if I've been unclear or if my sentences don't make sense (it's rather late and I'm not sleeping lately).

And lastly, I'm sorry if I've broken any forum rules; since this is my first post I'm a little wary.

 

Thanks a lot guys.

Pete.


Firstly, I found your post on another site: http://www.touchofdeathforums.com/smf/index.php?topic=62072.0

Thought that was interesting...

1. What happens when you add a specific directory?

2. What does your .htaccess look like?

 

Interesting in a good way? It's rather old and I did some things in an odd manner.. but it's still somewhat correct xD

 

1: It happens whether the directory exists or not.

2:

#Hide directories
IndexIgnore *

#URL Rewrite
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^\.]+)$ index.php?page=$1 [NC,L]
</IfModule>


The problem I'm having is if someone tries a URL like this:

websiteurl.com/directory/file

 

It will display the default 404 content in the directory. This means there is no styling and I run into a whole load of problems after that.

 

CORRECTION:

It shows the 404 content.

 

Not sure if that actually makes a difference. xD


You want to sanitize incoming data.

 

Here's a great tutorial on it if you're running PHP >= 5.2

 

http://net.tutsplus.com/tutorials/php/sanitize-and-validate-data-with-php-filters/

 

After that, simply echo $_GET['page'] at the start of your script (after sessions and cookies, of course) and take a look at what's being output, and why it might be affecting your script.


You want to sanitize incoming data.

 

Here's a great tutorial on it if you're running PHP >= 5.2

 

http://net.tutsplus.com/tutorials/php/sanitize-and-validate-data-with-php-filters/

 

After that, simply echo $_GET['page'] at the start of your script (after sessions and cookies, of course) and take a look at what's being output, and why it might be affecting your script.

 

I tried (I think regex) on it to ignore slashes, I couldn't figure it out.

I'll take a look at the link, thanks.


You pretty much want to have an array of CORRECT pages to compare against.

 

<?php
// the whitelist of pages that may be included
$list = array('home', 'contacts', 'helloworld');

// in_array(needle, haystack); strict comparison so only an exact string matches
if (isset($_GET['page']) && in_array($_GET['page'], $list, true))
  include($_GET['page'] . '.php');
else
  include('404.php');


Your style sheets are set to a relative path; change them to an absolute path:

 

<link rel="stylesheet" type="text/css" href="/style/main.css">
<link rel="stylesheet" type="text/css" href="/style/menu.css">

 

Don't I feel stupid. XD

 

Are there any security issues with this?

<?php

        $page = isset($_GET['page']) ? $_GET['page'] : 'home';

        // checks if there is content for the chosen page
        if(file_exists('content/'.$page.'.php'))
        {
          // if there is, it is included
          include('content/'.$page.'.php');
        }
        else
        {
          if(file_exists('content/404.php'))
          {
            // if there wasn't any content, fall back to the 404 page
            include('content/404.php');
          }
        }
?>


The main issue you need to worry about with that code is what's called directory traversal, i.e. a user using ../ to include files from other directories; given the right circumstances this can be a big security risk. In older versions of PHP you used to also be able to use a null character to disable the required '.php' in the code; honestly, I haven't tried with newer versions, so I can't say if that is still possible. Re-read xyph's post. I'm with him: I prefer to have a whitelist of allowed pages instead of trying to look for the bad behavior in the code.

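The following is an added example, not code from anyone in this thread. It puts the original post's resolver beside two hardened versions and runs all three over constructed page values: the whitelist from xyph's post, and a second version that validates the syntax with the filter extension (the approach in the linked tutorial) and then checks with realpath() that the resolved file really lives under the content directory. Note that the posted rewrite rule only shapes pretty URLs; a request straight to index.php?page=../../config still reaches the script unchanged, because index.php exists as a file and the RewriteCond !-f stops the rule from firing. The content/ layout, the page names and the config.php target are assumptions made for illustration. On the null-byte point: PHP 5.3.4 and later refuse filesystem paths containing a NUL byte, so the demo only shows what the resolver would build, and never includes anything.

```php
<?php
// Added example, not code from the thread: the original post's resolver beside
// two hardened versions, run over constructed page values. The content/ layout,
// page names and the config.php target are assumptions for illustration.
declare(strict_types=1);

// The resolver from the original post: the path it would pass to include().
function resolve_unsafe(string $page): string
{
    return 'content/' . $page . '.php';
}

// Fix 1: a whitelist of known pages (xyph's suggestion) with in_array()'s
// arguments in the right order and strict comparison.
function resolve_whitelist(string $page, array $allowed): string
{
    return in_array($page, $allowed, true)
        ? 'content/' . $page . '.php'
        : 'content/404.php';
}

// Fix 2: validate the syntax with the filter extension, then confirm with
// realpath() that the resolved file is inside the content directory.
// Returns null for anything that should fall through to 404.php.
function resolve_contained(string $page, string $contentDir): ?string
{
    // Exactly one path segment of letters, digits, dash or underscore, so '/',
    // '.', '..' and NUL are rejected before any filesystem call is made.
    $clean = filter_var($page, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/\A[A-Za-z0-9_-]{1,64}\z/']]);
    if ($clean === false) {
        return null;
    }
    $base   = realpath($contentDir);
    $target = realpath($contentDir . '/' . $clean . '.php');
    // realpath() returns false for a missing file and follows symlinks, so a
    // link inside content/ that points elsewhere fails the prefix test too.
    if ($base === false || $target === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Builds a throwaway content/ directory (constructed sample data) and runs the
// probes through each resolver; NUL bytes are escaped in the returned strings.
function demo(): array
{
    $dir = sys_get_temp_dir() . '/content_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    file_put_contents($dir . '/home.php', "<?php echo 'Hello World!';");
    file_put_contents($dir . '/404.php', "<?php echo 'Not found';");

    $allowed = ['home', 'contacts', 'helloworld'];
    $probes  = [
        'home',            // a legitimate page
        'directory/file',  // what the posted rewrite rule sends for /directory/file
        '../../config',    // traversal: content/../../config.php
        "home\0",          // NUL byte, the old trick for cutting off the '.php' suffix
        'home.php',        // doubled suffix
    ];

    $results = [];
    foreach ($probes as $page) {
        $target = resolve_contained($page, $dir);
        $results[addcslashes($page, "\0")] = [
            'unsafe'    => addcslashes(resolve_unsafe($page), "\0"),
            'whitelist' => resolve_whitelist($page, $allowed),
            'contained' => $target === null ? null : basename($target),
        ];
    }
    unlink($dir . '/home.php');
    unlink($dir . '/404.php');
    rmdir($dir);
    return $results;
}

foreach (demo() as $page => $r) {
    printf("%-16s unsafe=%-26s whitelist=%-18s contained=%s\n",
        "'$page'", $r['unsafe'], $r['whitelist'], $r['contained'] ?? 'null (404)');
}
```

Run it with `php resolver_demo.php` (any PHP 7.1 or later). Only 'home' comes back as an includable file from both hardened resolvers; the unsafe column shows the path the original code would have handed to include() for each probe, including content/../../config.php for the traversal case. The whitelist is the simpler of the two fixes and is the one to prefer when the set of pages is known; the realpath() version is for the case where pages are added to content/ without editing code, and its regular expression is what actually blocks traversal, with the prefix test as a second line of defence against symlinks.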
