Re: Good code or bad code? [message #170191 is a reply to message #170189]
Sun, 17 October 2010 13:37
Jerry Stuckle
Messages: 2598 Registered: September 2010
Senior Member
On 10/17/2010 9:12 AM, MikeB wrote:
> Jerry Stuckle wrote:
>> On 10/17/2010 12:20 AM, MikeB wrote:
>>> I'm mostly playing with PHP to get a feeling for coding in it.
>>>
>>> So as part of all this URI/URL/redirect stuff I spent some time looking
>>> at the contents of $_SERVER and I came up with this code to find the
>>> filename of the file I'm invoked from. Now one condition that I wanted
>>> to cater for was if the filename had multiple "."s in the name, for
>>> instance myfile.inc.php, or something like this.
>>>
>>> So I came up with this piece of code.
>>>
>>> $uriParts = explode("/",$_SERVER['REQUEST_URI']);
>>> $thisFile = substr(end($uriParts),0,(strlen(end($uriParts))) -
>>> (strlen(end($uriParts))- strrpos(end($uriParts),'.')));
>>>
>>> So I was wondering if that is good code or if I could have written it
>>> better, since looking at it it is quite hard to understand.
>>>
>>> Thanks
>>> MikeB
>>>
>>> I'll go away again for a while after this, I probably have been relying
>>> on all y'alls good graces too much again.
>>
>> In addition to what Hammish said, this information is sent by the
>> browser and cannot be trusted. Some browsers may not send it, and if it
>> is sent, it may be falsified (i.e. by a hacker).
>>
>
> I said I would shut up for a while, but now you bring up something else.
>
> I wrote that code to find the filename (eg. index) so that I could
> dynamically derive the name of an accompanying template file.
>
> So if I'm running from index.php, I could derive index.tpl for a Smarty
> template to accompany the php file.
>
> If a hacker falsifies this, the template won't match the php file
> creating the output and the page (s)he sees will be all messed up.
>
> so that brings up two questions:
>
> 1. Is there a better way to dynamically derive a base filename? Eg. Is
> there a php function that I can use to get the name of the executing
> file? That may be better/safer then.
>
> 2. Is the risk of this being hacked sufficient that I should rather
> statically code the template filename and then go through the hassle of
> recoding the name every time I change (or move) the base file around?
>
> I'm not sure that there is a risk to a website if the Smarty template
> gets messed up, but I can see that there might be other uses that could
> be more risky, so I'll certainly bear that in mind.
I think we have a confusion of terminology here. The script is "invoked
from" another page, typically by an anchor tag link - although there
are other ways (i.e. flash, javascript, etc.).
The current script being run can be executed in a number of ways; it may
be called directly or it may be included by other scripts, for instance.
But the REQUEST_URI is not a reliable indicator - it does show the page
requested from the server, but the web server's configuration may
significantly change this. For instance, in some CMS's, all requests
are handled by a single script, but each page has its own URI. The
Apache mod_rewrite changes the request to invoke the single script with
specific parameters.
So in this case it can be correct - but only if you also know the web
server's configuration. And a change to that configuration can cause
problems.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
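The following is an added example, not code from either poster. It contrasts the base name MikeB's expression derives from the client-supplied REQUEST_URI with the base name taken from the script PHP is actually executing, and it only hands back a Smarty template that exists inside the template directory. The $_SERVER fragments are constructed to mimic a direct request and a mod_rewrite front controller of the kind described above; the temporary template directory is created by the script itself so it runs stand-alone.

```php
<?php
// Added example, not code from the original thread. Contrasts deriving a
// base name from the client-controlled REQUEST_URI with deriving it from the
// script the server actually executed, then resolves the Smarty template
// only if it exists inside the template directory.

// Constructed $_SERVER fragments (illustration only). 'direct' mimics a plain
// request for about.inc.php; 'rewrite' mimics a mod_rewrite front controller
// where every URI is routed to index.php; 'hostile' is a client-chosen URI
// under that same front controller.
$samples = [
    'direct'  => ['REQUEST_URI'     => '/site/about.inc.php',
                  'SCRIPT_FILENAME' => '/var/www/site/about.inc.php'],
    'rewrite' => ['REQUEST_URI'     => '/about',
                  'SCRIPT_FILENAME' => '/var/www/site/index.php'],
    'hostile' => ['REQUEST_URI'     => '/site/../../etc/passwd.php',
                  'SCRIPT_FILENAME' => '/var/www/site/index.php'],
];

// What MikeB's substr/strrpos expression computes: the last URI segment up to
// its final '.', taken from whatever the client sent.
function baseFromRequestUri(array $server): string
{
    $last = basename($server['REQUEST_URI']);
    $dot  = strrpos($last, '.');
    return $dot === false ? $last : substr($last, 0, $dot);
}

// Server-side alternative: the file PHP is executing. pathinfo() strips only
// the last extension, so about.inc.php -> about.inc. In a page script you
// would pass __FILE__; inside an included helper __FILE__ is the helper's
// own path, so pass the page's __FILE__ in or use SCRIPT_FILENAME instead.
function baseFromScript(string $scriptFilename): string
{
    return pathinfo($scriptFilename, PATHINFO_FILENAME);
}

// Map a base name to a template path, refusing anything that is not a plain
// file name or that resolves outside $templateDir.
function templateFor(string $base, string $templateDir): ?string
{
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $base) || strpos($base, '..') !== false) {
        return null;
    }
    $dir  = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $base . '.tpl');
    if ($dir === false || $path === false) {
        return null;                       // template does not exist
    }
    if (strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null;                       // resolved outside the template dir
    }
    return $path;
}

// Constructed template directory so the script runs stand-alone.
$templateDir = sys_get_temp_dir() . '/tpl-demo-' . getmypid();
mkdir($templateDir);
foreach (['about.inc', 'index'] as $name) {
    file_put_contents("$templateDir/$name.tpl", "template $name\n");
}

foreach ($samples as $label => $server) {
    $fromUri    = baseFromRequestUri($server);
    $fromScript = baseFromScript($server['SCRIPT_FILENAME']);
    printf("%-8s REQUEST_URI -> %-10s template: %s\n", $label, $fromUri,
           templateFor($fromUri, $templateDir) ?? 'none');
    printf("%-8s script      -> %-10s template: %s\n", $label, $fromScript,
           templateFor($fromScript, $templateDir) ?? 'none');
}

array_map('unlink', glob("$templateDir/*.tpl"));
rmdir($templateDir);
```

Run with `php` 7.1 or later. For the direct request both methods agree on about.inc; under the rewrite the URI yields "about", for which no template exists, while the executing script correctly yields "index"; for the hostile URI the client-controlled value is "passwd", which the directory check turns away. The realpath containment test is what keeps a mismatched or spoofed name from ever reaching the filesystem, regardless of which derivation is used.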