7624 php syntax mistake?

  • Jonathan Woodbridge.com
    Jan 22, 2007
      I'm trying to edit very simple old php code in an html page that includes
      other files, such as header, body, menu and footer. Unfortunately, the file
      is now being hacked to send spam, it seems because the variable that is
      INCLUDEd to display the page content is not checked before it is run, hence
      other code can be injected into it and run other processes on other servers.

      The modification I'm trying to make is quite simple, to read from an array
      of legitimate pages and only run the include if the content occurs in this
      array. However, the new file will not run, it simply looks for data and
      times out. I think I am probably making a simple syntax error, but cannot
      find it. Can anyone help?

      old code (works but insecure) ==================

      <?php
      /* Time for some comments about the code.
      This is the main page. It works as a frame for the whole site. It keeps the
      basic structure:
      1- head
      2- leftmenu
      3- body
      4- footer
      1, 2, and 4 are fixed, so they never change. I keep them in separate .part
      files to keep this page smaller and easier to maintain.
      The body (3) gets loaded through the "pagina" variable. All pages are plain
      text files with HTML and CSS code but no structure (i.e., it's just the body,
      nothing else)
      All pages contain many comments, I'm afraid all of them in Spanish ;).
      */
      echo "<div class=\"cabeza\">";
      include 'cabeza.part';
      echo "</div>";
      echo "<div class=\"cuerpo\">";
      echo "<div class=\"lateral\">";
      include 'menu.part';
      echo "</div>";
      echo "<div class=\"centro\">";
      // If no page is given, use the main page
      if (!$pagina){
      $pagina="home";
      }
      include "$pagina";
      echo "</div></div>";
      echo "<div class=\"pie\">";
      include 'pie.part';
      echo "</div>";
      ?>


      new code (does not work) ================


      <?php
      /* Time for some comments about the code.
      This is the main page. It works as a frame for the whole site. It keeps the
      basic structure:
      1- head
      2- leftmenu
      3- body
      4- footer
      1, 2, and 4 are fixed, so they never change. I keep them in separate .part
      files to keep this page smaller and easier to maintain.
      The body (3) gets loaded through the "pagina" variable. All pages are plain
      text files with HTML and CSS code but no structure (i.e., it's just the body,
      nothing else)
      All pages contain many comments, I'm afraid all of them in Spanish ;).
      */
      echo "<div class=\"cabeza\">";
      include 'cabeza.part';
      echo "</div>";
      echo "<div class=\"cuerpo\">";
      echo "<div class=\"lateral\">";
      include 'menu.part';
      echo "</div>";
      echo "<div class=\"centro\">";
      //mod by JW on Jan 18 07 - check that pagina variables are legitimate by
      //comparing with list of ok pages
      $pagina=array("accomp2004", "blanco", "cabeza", "comotrabaja", "contact",
      "cuerpo", "docshist", "gallery", "globali", "guatereports", "historia",
      "home", "impuni", "mandato", "orgs", "menu", "pie", "tierra", "trabajo2003",
      "vols");

      //check $page variable called is in ok page array above
      $valid=false;
      for ($i=0; $i<sizeof($pagina) || !$valid; $i++) {
      if ($pagina==$pagina[$i]) {
      $valid=true;
      }
      }
      if ($valid) include ("$pagina");
      if (!$valid) include(home); // include the main page if not valid

      echo "</div></div>";
      echo "<div class=\"pie\">";
      include 'pie.part';
      echo "</div>";
      ?>

      thanks!

      Jonathan
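
An allow-list check for the included page, as an added example that is not part of the original post or the site's code: the requested name is kept in its own variable, separate from the list, and tested with a strict in_array() instead of a hand-written loop. Assumptions: PHP 7 or later, the name arrives as the pagina query parameter, and resolve_page() and ALLOWED_PAGES are hypothetical names; the page list is copied from the post.

```php
<?php
// Added example (not the poster's code). Page names are copied from the post.
// ALLOWED_PAGES and resolve_page() are hypothetical names chosen for this sketch.
const ALLOWED_PAGES = [
    'accomp2004', 'blanco', 'cabeza', 'comotrabaja', 'contact',
    'cuerpo', 'docshist', 'gallery', 'globali', 'guatereports', 'historia',
    'home', 'impuni', 'mandato', 'orgs', 'menu', 'pie', 'tierra', 'trabajo2003',
    'vols',
];

/**
 * Return the page to include: the requested name only when it is an exact,
 * case-sensitive member of the allow-list, otherwise the default page.
 */
function resolve_page($requested, array $allowed, string $default = 'home'): string
{
    // A missing parameter or an array (?pagina[]=x) is never a valid page name.
    if (!is_string($requested)) {
        return $default;
    }
    // Strict comparison: no type juggling, and no loop condition to get wrong.
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Constructed sample requests: a listed page, a remote URL, a relative path
// outside the list, an array value, and a missing parameter.
$samples = ['gallery', 'http://example.invalid/x', '../cabeza.part', ['home'], null];
foreach ($samples as $sample) {
    $shown = json_encode($sample, JSON_UNESCAPED_SLASHES);
    printf("%-30s -> %s\n", $shown, resolve_page($sample, ALLOWED_PAGES));
}

// Use in the frame page (assumption: the value is read from $_GET rather than
// from a global that PHP fills in from the request):
//   $pagina = resolve_page($_GET['pagina'] ?? null, ALLOWED_PAGES);
//   include __DIR__ . '/' . $pagina;
```

Only the first sample resolves to its own name; every other input falls back to home, so nothing outside the list ever reaches include.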