
Using a $variable within an include

Discussion in 'Web Design & Development' started by dmurfitt, Jan 20, 2006.

Thread Status:
Not open for further replies.
  1. dmurfitt

    dmurfitt Thread Starter

    Joined:
    Nov 27, 2002
    Messages:
    618
    I am passing variables within hyperlinks, so for example if the link was colour.php?colour=red and I used this PHP code within colour.php
    Code:
    <?php include "$colour" . '.inc.htm';?>
    someone could hijack the page. But is it still unsafe if at the top of colour.php I declare the variable $colour? Surely, if someone tries to change the value of the variable it would be changed/reset by the code at the top?

    Thanks,
    Dan
     
  2. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Where's the code that sets the value of $colour? If your code doesn't set it to $_GET['colour'] or $_REQUEST['colour'] there should be no problem (unless your PHP installation is insecure and has register globals set to on).
     
  3. jiml8

    jiml8 Guest

    Joined:
    Jul 2, 2005
    Messages:
    2,634
    All you need to do is test the variable $colour before you do anything with it. If its syntax/contents don't match an approved list and/or set of rules, you redefine it to some default value before using it.

    You should always do this with any insecure variable that arrives at your script anyway.
     
  4. dmurfitt

    dmurfitt Thread Starter

    Joined:
    Nov 27, 2002
    Messages:
    618
    Basically I'm making some online assessments and at the top of the script there's something that figures out the user's type by what they have answered. So there are if statements that basically say if question 1 and question 2 are this then $type is this. Therefore by the time the PHP engine reaches the include the variable $type would have already been set. Does this still apply if the user puts something like type.php?type=hijacked because although you are saying the $type is 'hijacked', the top part of the script will change the type depending on the answers from the form anyway. I'm really sorry I hope this makes sense :)
     
  5. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Yes, but you could just stop $type from being hijacked in the first place. If type.php?type=blah is changing the value of $type, you've probably got register globals turned on (see the link I posted above.)
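
The approved-list check jiml8 describes, combined with reading the value explicitly from the request rather than relying on register globals, as an added example that is not part of the original thread. The colour list, the default value and the function name `colour_include_file` are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The colour names, the default
// and the function name are assumptions made for illustration.
declare(strict_types=1);

const ALLOWED_COLOURS = ['red', 'green', 'blue'];   // assumed approved list
const DEFAULT_COLOUR  = 'red';                      // assumed fallback value

/**
 * Map an untrusted request value to the file that will be included.
 * Anything that is not exactly on the approved list becomes the default.
 */
function colour_include_file($requested): string
{
    // ?colour[]=x arrives as an array and a missing parameter as null;
    // only a string can match the list, and the match is strict.
    if (!is_string($requested) || !in_array($requested, ALLOWED_COLOURS, true)) {
        $requested = DEFAULT_COLOUR;
    }
    // The name now comes from the list, so it cannot carry a path or a URL.
    return __DIR__ . '/' . $requested . '.inc.htm';
}

// Constructed sample inputs standing in for $_GET['colour'].
$samples = ['red', 'blue', 'RED', '../../etc/passwd',
            'http://example.com/x', ['red'], null];

foreach ($samples as $value) {
    printf(
        "%-26s => %s\n",
        json_encode($value, JSON_UNESCAPED_SLASHES),
        basename(colour_include_file($value))
    );
}

// In colour.php the include from the first post would become:
//   include colour_include_file($_GET['colour'] ?? null);
```

Every sample other than `red` and `blue` resolves to `red.inc.htm`, so the include only ever receives a file name built from the approved list.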
     

Short URL to this thread: https://techguy.org/435649
