My Security Anecdote

In the summer of 2006, I revamped my company's Web site (www.DMCInsights.com), using a modularized layout, to a small extent. Literally the first night the new version of the site went live, someone tried hacking the server by changing URLs like about.php?i=phpmysql2 into about.php?i=http://somesite.com/file.txt. The file.txt script on that other server contained PHP code that would reveal every file on my server. Had it run, my site's security would have been compromised.

The attempt did not work for two reasons. First, I was smart about validating my $_GET['i'] data, associating proper values to scripts. Second, I was careful about how files were included. Just as important, though, was the error reporting I had implemented. As the site was live, the user saw nothing informative when they tried to include an invalid file, but I was notified via email of the attempt.

6. Confirm that the module file exists.

    if (!file_exists('./modules/' . $page)) {
        $page = 'main.inc.php';
        $page_title = 'Site Home Page';
    }

This isn't absolutely necessary as long as the right module file exists for each case in the switch. However, including this code provides an extra layer of security.

7. Include the header file.

    include_once

This is the start of the HTML template.

8. Include the module.

This brings in all the specific content.

9. Include the footer file.

    include_once

This completes the HTML template.

11. Save the file as index.php and place it in your Web directory.

You can't test it until you've created some of the content modules (at least main.inc.php).
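The following is an added example, not the book's own index.php, that puts the whole procedure together with the defenses from the anecdote above: a switch that maps the only permitted values of $_GET['i'] to module files (user input is a lookup key and never becomes part of a path), the file_exists check from step 6, and an error handler that reports attempts privately on a live site instead of showing the visitor anything informative. The directory layout (./modules/*.inc.php, ./includes/header.html, ./includes/footer.html), the module names other than main.inc.php, and the administrator address are assumptions; the address is a placeholder.

```php
<?php
// Added example of a module-loading index.php (not the book's code).
// Assumed layout: ./modules/*.inc.php, ./includes/header.html, ./includes/footer.html.

// Is the site live? Controls whether errors are shown or reported privately.
define('LIVE', true);
define('ADMIN_EMAIL', 'admin@example.com'); // placeholder address, not real

// Custom error handler: on a live site, e-mail the details to the administrator
// and show the visitor nothing informative; during development, print them.
function my_error_handler(int $e_number, string $e_message, string $e_file, int $e_line): bool {
    $message  = "An error occurred in script '$e_file' on line $e_line: $e_message\n";
    $message .= 'Request: ' . ($_SERVER['REQUEST_URI'] ?? '') . "\n";
    $message .= 'Remote address: ' . ($_SERVER['REMOTE_ADDR'] ?? '') . "\n";
    if (LIVE) {
        error_log($message, 1, ADMIN_EMAIL); // message_type 1 = send by e-mail
        if ($e_number !== E_USER_NOTICE) {
            echo '<p class="error">A system error occurred. We apologize for the inconvenience.</p>';
        }
    } else {
        echo '<pre>' . htmlspecialchars($message) . '</pre>';
    }
    return true; // the PHP default handler is not run afterwards
}
set_error_handler('my_error_handler');

// Map the only permitted values of $_GET['i'] to module files. The user's value
// is used purely as a case label; it is never placed into a file path.
function resolve_module(?string $i): array {
    switch ($i) {
        case 'about':
            return ['about.inc.php', 'About This Site'];   // assumed module
        case 'contact':
            return ['contact.inc.php', 'Contact Us'];      // assumed module
        case null:
        case 'main':
            return ['main.inc.php', 'Site Home Page'];
        default:
            // Unknown value (e.g. a URL): fall back to the home page and report it.
            trigger_error('Invalid module requested: ' . substr($i, 0, 100), E_USER_NOTICE);
            return ['main.inc.php', 'Site Home Page'];
    }
}

// $_GET['i'] may be absent or even an array (?i[]=x); only a string is acceptable.
$i = $_GET['i'] ?? null;
if (!is_string($i)) {
    $i = null;
}
[$page, $page_title] = resolve_module($i);

// Extra layer of security: confirm that the module file really exists.
if (!file_exists('./modules/' . $page)) {
    trigger_error("Module file missing: $page", E_USER_WARNING);
    $page = 'main.inc.php';
    $page_title = 'Site Home Page';
}

include_once './includes/header.html';  // start of the HTML template
include_once './modules/' . $page;      // the page-specific content
include_once './includes/footer.html';  // end of the HTML template
```

Because the include path is built only from the two literal strings returned by resolve_module, a request such as ?i=http://somesite.com/file.txt never reaches include_once; it lands in the default branch, the administrator receives the e-mail with the request URI, and the visitor simply sees the home page.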
