Simon Willison cs1spw at bath.ac.uk
Wed Sep 17 10:38:44 CDT 2003

elin tjerngren. artopod wrote:
> I have a weird PHP session problem.
> The links look something like this:
> index.php?page=intrview/archive.php

This is unrelated to your problem, but does that URL mean that somewhere 
in your script you're doing this?


If so, you've got a HUGE security problem. What happens if someone 
manually enters a URL like this for example:


Or even worse, if the fopen url wrappers option is set in your PHP 
config file they could even do this:


Where inject-som-php-code.txt is a file that looks like this:

// nasty PHP code that will be executed on your server

A golden rule of writing secure PHP is NEVER include() or require() a 
file that has been passed as a query string argument. Instead, do 
something like this:

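// Pages that may be included; anything else is refused.
$allowed = array(
   // ... etc
);

if (in_array($_GET['page'], $allowed)) {
     // Only reached for a value that appears in $allowed.
     include($_GET['page']);
} else {
     die('Invalid page');
}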

That's more secure, but it's still revealing your site's implementation 
details in the URL. The best URLs consist only of logical information, 
with no clues as to the technology that powers a site. For example:


If you're running Apache, the easiest way to achieve this kind of URL is 
using mod_rewrite, which is way too big a topic to cover here.


Simon Willison
http://simon.incutio.com/ <-- nice URLs ;)
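
Added example, not part of the message above or of the original poster's code: the whitelist idea combined with logical page names, so the query string carries a key rather than a file path and nothing user-supplied reaches include(). The page key, file names, temporary directory and the resolve_page() helper are all constructed for illustration.

```php
<?php
// Added example: constructed page names and paths, not the poster's code.
// The URL carries a logical key; only values from $pages ever reach include.
function resolve_page(array $pages, string $baseDir, $requested): ?string
{
    // Reject non-strings (?page[]=x) and any key not listed in the map.
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$requested]);
    // Defence in depth: mapped file must exist and sit under the base directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree so the script runs stand-alone.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($baseDir . '/interview', 0700, true);
file_put_contents($baseDir . '/interview/archive.php', '<?php echo "interview archive\n";');

$pages = array('interview-archive' => 'interview/archive.php');

// Constructed requests: one valid key, then values that must be refused.
$samples = array('interview-archive', 'interview/archive.php',
                 '../outside.php', 'http://example.com/remote.txt');
foreach ($samples as $requested) {
    $file = resolve_page($pages, $baseDir, $requested);
    if ($file === null) {
        echo "rejected: $requested\n";
    } else {
        include $file;
    }
}

// Remove the demo tree.
unlink($baseDir . '/interview/archive.php');
rmdir($baseDir . '/interview');
rmdir($baseDir);
```

Because the lookup is by key, a request that names the real file path is refused just like any other unknown value, and renaming files on disk only changes the map.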

