
PHP, read file code problem

开发者 https://www.devze.com 2023-02-05 09:08 Source: web

I was using this piece of PHP code for a site. Now it's old and I recently had a few attacks. The script was used to include another file from someplace else and send spam. Obviously this makes my script a spam sender.

for the content

$htm = ".htm";
$pid = "$details$htm";            // $details is the raw URL parameter (register_globals on)
function show_details($pid)
{
    if (!preg_match("/http/", $pid)) {   // the only filter: reject names containing "http"
        require($pid);                   // includes and executes whatever file the name resolves to
    } else {
        die;
    }
}

and for the title, desc, keywords etc.

$txt = ".txt";
$title = "$details$txt";          // same raw URL parameter, different extension
function show_title($title)
{
    if (!preg_match("/http/", $title)) {
        if (file_exists($title)) {   // local file check, but no restriction on the directory
            require($title);
        } else {
            die;
        }
    }
}

and a display.php file with

print '
<!-- CONTENT -->
';
show_details($pid);
print '
';

With this code I was able to call any content via "/display.php?details=mycontentpage"

mycontentpage.htm mycontentpage.txt

.............

Now this code has to be re-coded. I cannot change the construction as the site is just too big. So I guess I just have to stick to this.

Can anyone help? Any comments?


To make scripts like this more secure, you have to ensure register_globals is set to OFF. This means you'll have to add a line like:

php_flag register_globals off

...to .htaccess. Then declare all your user variables the first time you use them, like:

$details = $_GET['details'];

...which assigns the data from the URI piece "details" to the PHP variable $details.

I can very much see how your attackers were able to get in via your code and register_globals set to on -- they'd need to merely create a .htm file with PHP code in it that reassigns other variables, include it, then voilà.

For more info, see: http://us2.php.net/manual/en/security.globals.php

Hope this helps!

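A hardened rewrite of the question's show_details() loader that follows the answer's advice (read the page name explicitly from $_GET, so it works with register_globals off) and additionally restricts which files can be loaded. This is an added example, not the poster's or the answerer's code; CONTENT_DIR and resolve_page() are assumed names, and it assumes the .htm pages are static markup.

```php
<?php
// Added example, not the poster's or the answerer's code. It keeps the site's
// URL contract /display.php?details=mycontentpage but only ever loads files
// that live inside CONTENT_DIR (assumed name). resolve_page() is also assumed;
// show_title() can reuse it with '.txt' instead of '.htm'.
declare(strict_types=1);

const CONTENT_DIR = __DIR__ . '/content';   // assumed directory holding the *.htm and *.txt files

// Map a page name from the request to a file inside CONTENT_DIR, or null.
// 1. the value is taken explicitly from $_GET, so nothing depends on register_globals;
// 2. only a plain slug is accepted, which rejects "../", "http://", "php://" and
//    null bytes before the filesystem is touched (the original only grepped for "http");
// 3. realpath() confirms the resolved file really sits inside CONTENT_DIR.
function resolve_page(string $name, string $ext): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;                                    // not a plain page slug
    }
    $base = realpath(CONTENT_DIR);
    $path = realpath(CONTENT_DIR . '/' . $name . $ext);
    if ($base === false || $path === false) {
        return null;                                    // no such directory or file
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                    // resolved outside the content dir
    }
    return $path;
}

// Emit the page body. readfile() sends the file as static text, so PHP tags in a
// planted .htm are not executed; if the content files legitimately contain PHP,
// `require $path;` after the same resolve_page() check still keeps foreign files out.
function show_details(string $name): void
{
    $path = resolve_page($name, '.htm');
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    readfile($path);
}

// Accept only a string parameter; arrays (details[]=x) fall back to the empty name.
$details = is_string($_GET['details'] ?? null) ? $_GET['details'] : '';
show_details($details);
```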
