Hi there,

I've had my website hacked and set up as a spam engine. So I've decided to learn how to secure my PHP code, which I never bothered about before.

Hoping that someone could help me out with this. Is it secure?

<?php
// Read the requested page; default to xxx.php when the parameter is missing or empty
$page = isset($_GET['page']) ? $_GET['page'] : "";
if ($page == "") {
	$page = "xxx.php";
}			// Sets Default Page To xxx.php
// Whitelist of pages that may be included
$valid_pages = array(
	"xxx.php" => "",
	"zzz.php" => "",
	"yyy.php" => "");

if (!isset($valid_pages[$page])) {
	// Abort the script
	die("404 - File not found");
}
?>
<!-- header stuff -->

<?php include($page); ?>

<!-- more stuff -->

I pass the $page value via the URL from an HTML link like this:

<a href="http://www.mywebsitesomewhere.bla/?page=zzz.php">zzz</a>

    It's secure provided register_globals is disabled - you may want to check for that throughout your application. I use something like

    if (ini_get('register_globals')) { throw new Exception("register_globals must be disabled"); }
    

    Or similar.

    Mark

      swebajen wrote:
      if (!isset($valid_pages[$page])) {
      	// Abort the script
      	die("404 - File not found");
      } 
      

      It is a good decision.

      I do the same.
      However, hacker attacks are not limited by it. It is very good to check all input variables ($_GET, $_POST, $_COOKIE) and to search them for dangerous code.
      Such systems are ready-made for PHP-NUKE, as this system once had a lot of such vulnerabilities.
      One ready solution you can see at

      http://www.nukescripts.net/modules.php?name=Downloads&op=getit&lid=1047

        swebajen wrote:

        die("404 - File not found");

        If you're going to do that you might as well use a proper http header.
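Putting the thread's points together, as an added example that is not code from any poster: the original whitelist dispatcher, Mark's register_globals guard (using ini_get(), the read side of ini_set()) and a real 404 status line instead of a bare die(). The page file names are the placeholders from the first post.

```php
<?php
// Added example, not from the thread. Whitelist-based page dispatcher with
// a register_globals guard and a proper 404 response.

// Refuse to run on a misconfigured server. On PHP >= 5.4 the directive no
// longer exists and ini_get() returns false, which counts as "off".
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    throw new Exception("register_globals must be disabled");
}

// Whitelist: the keys are the only files this script may include.
$valid_pages = array(
    "xxx.php" => true,
    "zzz.php" => true,
    "yyy.php" => true,
);

// Read the parameter explicitly (never a global $page) and insist on a
// string, so ?page[]=x cannot turn it into an array.
$page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : "";
if ($page === "") {
    $page = "xxx.php";   // default page
}

// Only an exact whitelist key is accepted, so traversal strings, null
// bytes or remote URLs never reach include().
if (!array_key_exists($page, $valid_pages)) {
    header("HTTP/1.1 404 Not Found");
    exit("404 - File not found");
}

// $page now equals one of the whitelist keys; anchor it to this directory.
include __DIR__ . "/" . $page;
```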

          8 days later

          I've checked the PHP settings with my server provider, and register_globals is on. So how would this make the code unsafe? And how could I make it safe?

          //Swebajen :bemused:

            Hi there swebajen,

            You can turn off reg_globals via .htaccess:

            htaccess wrote:

            php_value register_globals 0

            If you put this in your root, everything publicly available on your site will honor it. If you have other scripts that require it to be on, you can place the .htaccess file in your script directory.

            thanks,
            json

              Thanks,

              I've managed to turn off register_globals locally now...

              //Swebajen
