Re: Getting the string from url after backslash (address\datastring)

Newsgroups alt.comp.lang.php
Date 2017-03-01 09:33 -0800
References <dFJ7x.789903$wk1.694170@fx19.am4> <fzM9x.626574$9j2.157417@fx04.am4> <mk8bmr$gth$2@dont-email.me>
Message-ID <1ea23f6e-53f7-4833-b44f-53745a4baff2@googlegroups.com> (permalink)
Subject Re: Getting the string from url after backslash (address\datastring)
From x@mynetblog.com


On Thursday, May 28, 2015 at 6:27:16 PM UTC-6, Denis McMahon wrote:
> On Thu, 28 May 2015 23:23:09 +0100, JiiPee wrote:
> 
> > ok, doing it now like: http://164.33.123.22/mysite,php?filename1 so the
> > original is not needed anymore. But would be still interesting to know
> > if that was possible
> > 
> > On 22/05/2015 18:26, JiiPee wrote:
> >> I use php (and html, not sure to which this question should be directed
> >> to) and I have a static address, like:
> >>
> >> http://164.33.123.22/mysite
> >>
> >> But my real task is to open a file, like:
> >> http://164.33.123.22/mysite/filename1 and show its content on a web
> >> page. So if somebody types: http://164.33.123.22/mysite/filename1 I
> >> will show the content of the file "filename1"
> >>
> >> I know how to do it if it's like:
> >> http://164.33.123.22/mysite,php?filename1 But that's not the format
> >> here.
> >>
> >> How do I do this? Not sure if this is really php-question as the mysite
> >> does not even have php-ending. But if somebody could direct me where to
> >> find the answer I would be grateful. thanks.
> 
> You need to make sure all requests to your website go to a single PHP 
> file. This is probably something in the webserver configuration. In Apache 
> if mod_alias is available you might use an AliasMatch directive:
> 
> AliasMatch ^/mysite/(.*) /mysite/main.php
> 
> Then in e.g. /mysite/main.php you would use one of the $_SERVER variables 
> to get the request string. Probably $_SERVER['REQUEST_URI']
> 
> Finally you need to process the request string to extract the filename 
> you want to use.
> 
> Then you need to open the file and execute it. You can use include for 
> this.
> 
> Finally, be very careful about assuming anything. If you are not careful 
> you can easily enable a remote execution of php attack on your server 
> because someone sends a request like:
> 
> http://164.33.123.22/mysite/http://nasty.ip.address/path/to/nasty/file
> 
> If you assume that everything after /mysite/ is a php file to run, and 
> your server is configured to execute remote code, it will run nasty file 
> code on your server, and nasty file can do anything your code is 
> authorised to do, like delete files, drop tables from databases, send 
> emails to the whole planet pretending to be you etc.
> 
> It is much safer to create a lookup table of keyword => file (you can do 
> this with an array) and use that to get the filename.
> 
> If a keyword doesn't exist, treat it as an error and send an email to 
> whoever maintains the site.
> 
> This is a very simple example:
> 
> <?php
> // Split the request path into segments; for /mysite/jim, $bits[2] is "jim".
> $bits = explode("/", trim($_SERVER['REQUEST_URI']));
> 
> if (count($bits) > 2) $index = $bits[2];
> 
> $phppath = "/path/to/bingfiles/";
> 
> $lookup = array(
>   'jim' => $phppath.'jim.php',
>   'fred' => $phppath.'fred.php'
> );
> 
> if (count($bits) > 2 && isset($lookup[$index])) {
>   include $lookup[$index];
> }
> else {
>   if (count($bits) > 2) {
>     // invalid url was used
>   }
>   // create default page here
> }
> 
> 
> -- 
> Denis McMahon

Thank you for this! I did this a long time ago but forgot how to do it.
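
The lookup-table routing described in the quoted reply, as an added example that is not part of the original post or thread. It also strips the query string and rejects encoded path separators before the lookup; the function name `resolveRoute`, the `/mysite/` prefix handling and the keyword pattern are assumptions, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Allowlist: keyword => file, as in the post. The base path is the post's placeholder.
const PHP_PATH = '/path/to/bingfiles/';
const LOOKUP = [
    'jim'  => PHP_PATH . 'jim.php',
    'fred' => PHP_PATH . 'fred.php',
];

// Hypothetical helper: map a raw REQUEST_URI to an allowlisted file, or null.
// The request value is only ever used as an array key, never as a path.
function resolveRoute(string $requestUri, string $prefix = '/mysite/'): ?string
{
    // Drop the query string; parse_url can return false or null on odd input.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path) || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Everything after the prefix must be exactly one short keyword (assumed format).
    $keyword = rawurldecode(substr($path, strlen($prefix)));
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/', $keyword) !== 1) {
        return null;
    }
    return LOOKUP[$keyword] ?? null;
}

// Constructed sample requests, including the remote-include URL from the post.
$samples = [
    '/mysite/jim',
    '/mysite/fred?x=1',
    '/mysite/http://nasty.ip.address/path/to/nasty/file',
    '/mysite/../../etc/passwd',
    '/mysite/jim%2F..%2Fsecret',
    '/mysite/bob',
];

foreach ($samples as $uri) {
    $file = resolveRoute($uri);
    if ($file === null) {
        // Real handler: http_response_code(404), notify the maintainer, show default page.
        error_log('rejected route: ' . json_encode($uri));
        echo "REJECT  $uri\n";
    } else {
        // Real handler: include $file;
        echo "INCLUDE $uri -> $file\n";
    }
}
```

Only the first two sample requests resolve to a file; the remote URL, the traversal attempts and the unknown keyword are all rejected because nothing from the request ever reaches `include` except a value taken from the array.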
