What's wrong?



Tabo
04-21-2007, 10:39 AM
I have this code to include a page:



<?
if ($type == "php"){
define('PATH', '/home/www/fdggfd3.100webspace.net/hg/');
}

elseif ($type == "html"){
define('PATH', 'http://fdggfd3.100webspace.net/hg/');
}

elseif ($type == "htm"){
define('PATH', 'http://fdggfd3.100webspace.net/hg/');
}

elseif (!$type){
define('PATH', '/home/www/fdggfd3.100webspace.net/hg/');
}

$langs = array(
'EN', // default lang
'FR',
'IT',
'DE',
'SP');
$types = array(
'php',
'html', // default type
'htm',
);

$page = isset($_GET['page']) && ctype_alnum($_GET['page']) ? $_GET['page'] : 'default_page';
$lang = isset($_GET['lang']) && in_array($_GET['lang'], $langs) ? $_GET['lang'] : $langs[0];
$type = isset($_GET['type']) && in_array($_GET['type'], $types) ? $_GET['type'] : $types[0];

$filename = PATH . "{$page}_$lang.$type";

if (is_readable($filename))
{
include $filename;
}
else
{
if (!headers_sent())
{
header('HTTP/1.1 404 Not Found');
}

echo '<h3>404 Page Not Found</h3>';
}
?>


However, I always get a 404 message. Please help.

boxxertrumps
04-21-2007, 01:39 PM
Does the file you're trying to include exist?

Tabo
04-21-2007, 07:38 PM
Yes it does.

Twey
04-21-2007, 07:46 PM
The problem is that the file isn't readable.

We've no idea what caused that, of course, since we don't have any clue as to what the final path is actually supposed to look like.

When asking for help on a script, please give all the information involved. That means all variables defined ($type is used without being defined here), what the expected output or final values of variables (in this case, especially $filename) are, what the actual output or final values of variables are, any errors or warnings produced (call error_reporting(E_ALL) at the top of your script; this would have warned you about the non-existence of $type), what tests you've run with what values passed, and what output you got from each of those.

You also have a big security hole there that allows a user to execute as PHP any file with an underscore and a dot somewhere in the path.
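
An added example, not code from the thread or its posters: one way to restructure the include so that every request value is checked against an allow-list before any path is built, the base directory is always local, and the resolved path is confirmed to sit inside that directory. The names resolve_page() and BASE_DIR, and the placeholder path, are assumptions.

```php
<?php
// Added example; resolve_page() and BASE_DIR are hypothetical names.
error_reporting(E_ALL);   // surfaces notices such as use of an undefined variable

// Local directory only: page content is never pulled in through an http:// URL.
define('BASE_DIR', '/home/www/example/pages');   // placeholder path

$LANGS = array('EN', 'FR', 'IT', 'DE', 'SP');    // first entry is the default
$TYPES = array('php', 'html', 'htm');            // first entry is the default

// Returns array(absolute path, type) for an allowed page, or null.
function resolve_page(array $query, $baseDir, array $langs, array $types)
{
    // Validate every request value before it is used to build a path.
    $page = isset($query['page']) && is_string($query['page']) && ctype_alnum($query['page'])
        ? $query['page'] : 'default_page';
    $lang = isset($query['lang']) && in_array($query['lang'], $langs, true)
        ? $query['lang'] : $langs[0];
    $type = isset($query['type']) && in_array($query['type'], $types, true)
        ? $query['type'] : $types[0];

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and ".." segments; the result must stay under $base.
    $real = realpath($base . DIRECTORY_SEPARATOR . "{$page}_{$lang}.{$type}");
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return (is_file($real) && is_readable($real)) ? array($real, $type) : null;
}

$found = resolve_page($_GET, BASE_DIR, $LANGS, $TYPES);
if ($found === null) {
    if (!headers_sent()) {
        header('HTTP/1.1 404 Not Found');
    }
    echo '<h3>404 Page Not Found</h3>';
} elseif ($found[1] === 'php') {
    include $found[0];      // only .php files are run as code
} else {
    readfile($found[0]);    // .html/.htm are sent as data, never executed
}
```

Logging the value of $found (or the candidate path) during testing shows exactly which file the script looked for when it returns the 404.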