I used to use crazedmind.net
Might just use crazed.net unless someone can help me come up with something flashier.
It's just gonna be a personal site. Might temporarily host my College Republican site there, if we use what I made and all.
Anyhow, thoughts?
If you have any intention of using it professionally, I don't think I'd use crazedmind, haha. Not sure, though... perhaps I'm reading too much into that.
I went w/ dailycrazed.net
thnx Joe
& thnx Wires for the hella amounts of help/instruction/suggestion
& thnx Sidoh for the help thus far
Tyler Benting has a bad looking website.
Quote from: Blaze on June 01, 2007, 05:36:04 PM
Tyler Benting has a bad looking website.
hey, pssht, I'm workin on it....
It's at kind of a weird path:
/home/.reik/craz3d/dailycrazed.net/index.php
I've never seen a user folder that starts with a "." before.
Either way, look up what a "remote file include" vulnerability is. Basically, make sure that a user can't control a variable that's going into an include() or require(). It seems that you're vulnerable to that (poke (http://www.dailycrazed.net/index.php?content=testtesttest)). It's not that big of a deal right now, but it'll be more annoying to change it later. :P
Fortunately, I get blocked if I try including something remote, but this could still be a potential vulnerability so watch out.
How's that a vulnerability?... testtesttest doesn't exist on my site, so how would someone make that and exploit me?
You can generally include files on other, remote sites. Something blocks that, but it's still dangerous.
If anybody else has a site on the same server, they could inject stuff into your code.
If you, or anybody else on that server enables file uploads, it could be risky.
If there's a .inc file in another script that could be dangerous, it could be risky.
If somebody can find a way to include a file that doesn't end with .inc, it could be risky.
Generally, but not always, that kind of thing leads to a Remote File Include. It's good practice just to not do it. It's not a bad thing that you have it, since I know you're new to PHP, but that's not the proper way to include files.
How ought I to include them, then?
I'm not a real web developer, but I generally use a script:
switch ($page)
{
    case "home":
        require('pages/home.inc');
        break;
    // ... more cases, one per supported page ...
    default:
        // anything not listed above is ignored rather than included
        break;
}
I don't know if that's the best way to do it, though, Sidoh might be able to weigh in with a better answer.
and that's better because it does just use the include("page.inc")?...
Quote from: CrAz3D on June 01, 2007, 07:31:39 PM
and that's better because it does just use the include("page.inc")?...
If you don't do what iago is suggesting (and a few other people suggested earlier), you leave yourself open to all of the things iago mentioned. People can do something like "?content=../../../.otheruser/public_html/myscript.php" which can do all sorts of nasty things. They could spit out contents of variables that store mysql authentication information, for example.
I normally do what iago has suggested. I have a switch statement with the supported cases (eg home, gallery, calendar, etc) and then ignore (or produce an error message) for anything that doesn't have a case.
shoulda just done tylerbenting.com or something
I prefer just to filter out ".."s so they're limited to what's in the folder, or in other folders above. Any disadvantage to that?
Filters are notoriously bypassable. It's better to just not get into the situation in the first place.
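Putting iago's and Sidoh's advice together, here is an added example (not CrAz3D's site code) of how index.php can map ?content= to a fixed list of pages instead of filtering the value: the pages directory name, the page names and the 404 text are assumptions.

```php
<?php
// Added example, not code from the original thread. Instead of passing
// $_GET['content'] into include() and trying to strip ".." out of it, the
// request may only select one of the entries below; anything else is refused.
declare(strict_types=1);

// Assumed layout: include files live in ./pages next to index.php.
const PAGES_DIR = __DIR__ . '/pages';

// Keys are what the URL may carry; values are the files that get included.
// "../" or another user's path is never a key, so it is never included.
const PAGE_FILES = [
    'home'     => 'home.inc',
    'gallery'  => 'gallery.inc',
    'calendar' => 'calendar.inc',
];

// Resolve a requested page name to an absolute file path, or null when the
// request is not one of the supported pages.
function resolve_page($content): ?string
{
    // ?content[]=x arrives as an array; treat anything but a string as empty.
    if (!is_string($content) || $content === '') {
        $content = 'home';              // default page when nothing is requested
    }
    if (!array_key_exists($content, PAGE_FILES)) {
        return null;                    // unknown name: refuse, do not guess
    }
    $dir  = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGE_FILES[$content]);
    // Belt and braces: even an allowlisted entry must resolve inside PAGES_DIR.
    if ($dir === false || $path === false
        || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['content'] ?? null);
if ($page === null) {
    http_response_code(404);
    echo 'No such page.';
    exit;
}
require $page;
```

Adding a page means adding one line to PAGE_FILES; the user-supplied value is only ever used as a lookup key, never as part of a path.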