Care to help me find a way to break into my own code? (security hardening)

4 replies
I was wondering if anyone would care to help me break into the code below. I want to harden up this code against hackers and need some input on how to break into my site through it.

You won't be able to run the actual code without my PHP object classes so I am interested in a theoretical break in and not in live testing.

I won't hold anyone responsible for the consequences of breaking into my own code. The code below is not at my site at present (it's not even close).

I am trying to ultra-simplify my code while not sacrificing its secureness.

Code:
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
   require $_SERVER['DOCUMENT_ROOT']."/autoload.php";

   $global = new globals();
   $page = new webPage();

   $category = $_GET['category'];

   $page->setNavigation($global->getNavigationFor($category));
   $page->setCopyright($global->getCopyright());

   $fileName = $category.$_GET['page'].".txt";
   if (file_exists($fileName))
      $page->show($fileName);
   else
      $page->show($page->getDefaultErrorPage());
}
The above code would go into my index.php file. Regular expressions inside an .htaccess file make sure that the category and page variables only contain letters, digits, and minus signs before being passed through to the index.php file above.

Thanks.

Carlos
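As an added example (not Carlos's code and not his site's classes), one way to harden the index.php above: check that both parameters actually exist and are strings, take the category from a fixed list instead of concatenating it into a path, and confirm that the resolved file still lies inside a content directory. The ALLOWED_CATEGORIES list, the $contentRoot layout and the helper name resolveContentFile are assumptions.

```php
<?php
// Added example, not the original poster's code: a hardened index.php built on the
// same globals/webPage classes. $contentRoot and the category list are assumptions.
const ALLOWED_CATEGORIES = ['news', 'products', 'support'];

// Return the content file for the request, or null if the request is missing,
// malformed, or points outside $contentRoot. Never rely on .htaccess alone.
function resolveContentFile(array $query, string $contentRoot): ?string
{
    $category = $query['category'] ?? null;
    $page     = $query['page'] ?? null;
    if (!is_string($category) || !is_string($page)) {
        return null;                       // parameter absent or not a scalar
    }
    if (!in_array($category, ALLOWED_CATEGORIES, true)) {
        return null;                       // category must come from a fixed list
    }
    if (!preg_match('/\A[A-Za-z0-9-]{1,64}\z/', $page)) {
        return null;                       // letters, digits, minus only; bounded
    }
    $root      = realpath($contentRoot);
    $candidate = realpath("$contentRoot/$category/$page.txt");
    // realpath() is false for a missing file; also confirm it stayed under the root.
    if ($root === false || $candidate === false
        || strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    require $_SERVER['DOCUMENT_ROOT'] . '/autoload.php';

    $global = new globals();
    $page   = new webPage();
    $page->setCopyright($global->getCopyright());

    // Content lives outside the web root so it is only reachable through this script.
    $contentRoot = dirname($_SERVER['DOCUMENT_ROOT']) . '/content';
    $fileName    = resolveContentFile($_GET, $contentRoot);

    if ($fileName !== null) {
        // Navigation is built only for a category that passed the whitelist.
        $page->setNavigation($global->getNavigationFor($_GET['category']));
        $page->show($fileName);
    } else {
        $page->show($page->getDefaultErrorPage());
    }
}
```

The same default error page is shown whether the parameters are missing, malformed, or name a file that does not exist, so a caller learns nothing about the directory layout from the response.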
  • Tim Brownlaw
    One thing of note... you want to check that your ['category'] ['page'] fields exist and are what you are expecting.

    Trust Nothing that a user can enter...

    It's very good practice to check any Get or Post values actually exist.

    The reason being - you are expecting them to be there and if they ain't, something's amiss.

    You could simply call a regular expression function to check if they are empty or use illegal characters.

    The question is... What do you want your code to do if those GET vars are empty, not present or contain some mad scientist's formula for cleaning mud...

    Cheers
    Tim
    • carlos123
      Tim...thanks for your input. I had a response I wanted to give you but I am going to give up on this thread.

      The forum software here tries to run my PHP code every time I try to post it and rightly reports that there is an error in my incomplete PHP code. It's too much hassle to try and work with this forum software as such...I'll go elsewhere to get input on my PHP code.

      Thanks.

      Carlos
      • Tim Brownlaw
        Yeah I had the same problem.

        Even in the PHP Tags things broke and the forum script had major kittens.

        You can PM me and we can arrange a yak in my conference room sometime if you'd like

        Cheers
        Tim
        • carlos123
          Thanks Tim.

          That's very gracious of you. What is a conference room by the way? Is that a capability of this forum that I have not been aware of?

          I will PM you later Tim. Maybe tomorrow. I am in the middle of working on finishing up some client PHP code by tomorrow.

          Carlos