quite a securit hole :(

cdr560

well been working on a few php web sites lately adn run a linking system such as this:

    <?
						          if(isset($page)) {
 								$idpath = $page."/index.php";
						 	if (file_exists($idpath)) {
								 include($idpath);
							 	} else {
								 include('404.htm');
 					}
							               } else {
							 	include('content.php');
								 }
 								?>

(spacing and all got screwed for some reason :/ )

well anyway that will pull the index.php file from a folder that is passed though a variable in this manner: http://www.website.com?page=blahh will include blahh/index.php in the template and I like how this works however one thing I noticed is that well doing this allows .htaccess files requiring passwords to be bypassed. so if the folder blahh were to have a password on it the index.php file would be completely included without even asking for a password.

any help in either the form of a new way to link files into a template or a fix for this problem would be greatly appreciated

thanks 🙂

laserlight

Well, since that is your intended method of navigation, why not simply have a check if the directory is restricted?

You could enter the names of restricted directories into a database, then look it up before including the index file of that directory.

Of course there might be other ways, perhaps even like checking if there is a .htaccess file in that directory.

cdr560

but that still wouldnt let me use the htaccess file i could have it do either two of those and if they were true then redirect to main page or something but then i cant access that page with htaccess pass

do you have a better system for nav that you would reccomend?

ty for reply though

Weedpacket

You could use header("Location:...") instead of include("..."), which will cause the browser to request the page that is being asked for. Since it's a new request, .htaccess will apply.

And could you please use a bit more punctuation in your writing? Your second post is almost unreadable.

cdr560

Your right, punctuation is lagging a tad today. 😉

I will give the header("Location:...") a try.

thanks for the help

cdr560

Well it must be me, or the way I have everything formatted and arranged, but I cannot get header(...) working correctly the way I want it to. 🙁

Basically what I have is one template page with a cell in the center within which I include the seperate sub pages.

What is a good way to link these into an include that wont bypass the .htaccess when it grabs the content file out of a folder? Or is there any way I could try to plug the current security issue of bypassing the .htaccess files that I am having?

thanks for all the help guys 😉

laserlight

header() probably wont work then, since your template cant be implemented that way.

Actually, why do you need the .htaccess file for?
If it is simply to restrict users, you could also use PHP for that (though perhaps with less elegance), and simply create your nav system to accomodate such security.