PHP script help

I do not know anything about PHP but was thrown into this mix. I was told
by my ISP that there is a vulnerability in the following code that allows a
spammer to load an offsite PHP script for mailing. The defective code is:

if (isset($HTTP_GET_VARS['sport']))
    $sport = $HTTP_GET_VARS['sport'];
require ($sport.".php");   // the unchecked request value becomes the include path

How do I fix it?

If I am in the wrong group, please forgive me.


Re: PHP script help

My guess is that all a scammer would need to do would be to pass a
script in the URL that would point to something on another server.

So for example say your site is and the name of this script
is mailscript.php

I could navigate to your site as

Your script would then take that whole string
"" append .php and include it. (The .s and /
would need to be converted to % notation first, but same idea.)

Fixing it would require you to submit the variable in POST, although I'm
not too sure if that's 100%.

SA SA wrote:

Re: PHP script help

SA SA wrote:


PHP security rule number 1: Never ever trust anything that comes from the

In this case, the 'sport' GET variable can be crafted to inject code (other
posts in this thread indicate how).

There are several techniques to avoid this. One is to make sure that the
file you are about to include() (or require(), for that matter) is a local
file. See the PHP manual for functions on that issue.

Another technique, my favourite, is to manually check the possible values of
the received variable. It goes something like this:

if (isset($_GET['sport']))
        $sport = $_GET['sport'];
else
        $sport = '';

if ($sport == 'football')
        require ('football.php');
elseif ($sport == 'tennis')
        require ('tennis.php');
elseif ($sport == 'skydiving')
        require ('skydiving.php');
else {
        trigger_error('Wrong sport, dude!', E_USER_ERROR);
        die();  // Just in case trigger_error() doesn't stop execution
}

In any case, in any PHP app, if the user enters a "strange" value, or an
invalid value for a variable, the safest way to go is to throw an error and
abort execution.

Check that entered numbers are really numbers (or cast 'em to an int type
variable), that strings in a possible set of values are really in that set
of values, and that arbitrary strings to be inserted into a database are
escaped properly.

Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

Mmmmmmmmmmmmmmmmmmmmm..... hooooow maaaany m's.

Re: PHP script help


$allowable_sports = array("football", "rugby", "tennis");

if (isset($HTTP_GET_VARS['sport']) && in_array($HTTP_GET_VARS['sport'], $allowable_sports))
{     $sport = $HTTP_GET_VARS['sport'];   // assigned only after it passed the list check
      require ($sport.".php");    }
else
{     require ("no_sport_just_sofa.php"); }
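The allowlist approach described in the two replies above, written out so it runs. This is an added example, not code from either post; it assumes the sport pages (football.php, rugby.php, tennis.php) and an error.php sit in the same directory as the script, and uses `$_GET` in place of the old `$HTTP_GET_VARS` array.

```php
<?php
// Added example, not code from the posts above. Assumes football.php,
// rugby.php, tennis.php and error.php live next to this script.

// The only values the request is allowed to carry. Everything else is an error.
$allowable_sports = array('football', 'rugby', 'tennis');

// $_GET is the modern name for $HTTP_GET_VARS (removed in PHP 5.4).
// A query like ?sport[]=x makes $_GET['sport'] an array, so check the type too.
$sport = (isset($_GET['sport']) && is_string($_GET['sport'])) ? $_GET['sport'] : '';

// The third argument makes in_array() compare with ===, so only an exact,
// same-type match passes; "0", "" or a numeric-looking string cannot.
if (in_array($sport, $allowable_sports, true)) {
    // $sport is now known to be one of three fixed words, so the path built
    // from it can only ever name one of three fixed files in this directory.
    require __DIR__ . '/' . $sport . '.php';
} else {
    // Unknown or missing value: fail visibly instead of including anything.
    header('HTTP/1.0 400 Bad Request');
    require __DIR__ . '/error.php';
}
```

The check runs on the raw request value before anything is built from it, and `$sport` is only assigned once it has passed. Turning off `allow_url_fopen` and `allow_url_include` in php.ini makes `require` of an `http://` URL fail outright, which is the host-side setting the thread alludes to, but that is defence in depth; the allowlist is the fix in the code itself.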

Re: PHP script help

I will give it a try. Basically, we have a link for each sport that
passes the variable to sports.php; based on the sport, sports.php
displays news releases.


P Pulkkinen wrote:

Re: PHP script help

SA SA wrote:


I would use a drop-down where the value passed is
football value = s1,
tennis value = s2,

Look at the CASE functionality.

Then in my PHP script associate s1 to INCLUDE vfootball.php, such that the
end user cannot guess your file structures etc. The more they know about your
structures, the more likely it is that they will find a vulnerability. And
the vfootball.php should be outside the web directories but readable, and not
writeable by the web server owner.

Michael Austin
Database Consultant
Domain Registration and Linux/Windows Web Hosting Reseller
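The indirection the post above describes, as an added example rather than the poster's own code: the request carries an opaque key, a switch maps the key to a file name, and the files live in a directory outside the web root. The directory name `../private_pages/` and the `vfootball.php`, `vtennis.php`, `vrugby.php` file names are assumptions for the example.

```php
<?php
// Added example, not Michael Austin's code. Assumed layout (hypothetical):
// this script is in the web root, and the sport pages live in ../private_pages/,
// a directory the web server never serves directly but PHP can read.
define('PAGE_DIR', realpath(__DIR__ . '/../private_pages'));

// The request carries an opaque key only. The key selects a file name here,
// so no part of any path is ever taken from the request.
function page_for_key($key)
{
    if (PAGE_DIR === false) {
        return null;                        // private directory missing
    }
    switch ($key) {
        case 's1': $name = 'vfootball.php'; break;
        case 's2': $name = 'vtennis.php';   break;
        case 's3': $name = 'vrugby.php';    break;
        default:   return null;             // unknown key: no file at all
    }
    $real = realpath(PAGE_DIR . DIRECTORY_SEPARATOR . $name);
    // Belt and braces: the file must exist and must resolve inside PAGE_DIR.
    if ($real === false || strpos($real, PAGE_DIR . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$key = (isset($_GET['sport']) && is_string($_GET['sport'])) ? $_GET['sport'] : '';

if ($key === '') {
    // No key yet: show the drop-down so the visitor picks from published keys.
    echo '<form method="get" action="">',
         '<select name="sport">',
         '<option value="s1">Football</option>',
         '<option value="s2">Tennis</option>',
         '<option value="s3">Rugby</option>',
         '</select> <input type="submit" value="Go"></form>';
    exit;
}

$file = page_for_key($key);
if ($file === null) {
    header('HTTP/1.0 404 Not Found');
    echo 'Unknown sport.';
    exit;
}
require $file;
```

Because the visitor only ever sees s1, s2 and s3, neither the file names nor the directory they live in appear in any URL, and an unrecognised key is refused before the filesystem is touched.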

Re: PHP script help

SA SA wrote:


There are 2 very odd things about this:

1) that you have an ISP who is willing to take the time to read your code
(interesting, and a big plus)

2) that your host is not configured to prevent this (a bit worrying,
depending on the reason for 1).

To exploit this, someone just has to enter a URL like:

to get their code into your ISP's webserver.


Do a lot of checking on $_GET['sport'] or restrict it to a specific list of


Re: PHP script help

Sorry to be ignorant, but shouldn't "P Pulkkinen"'s solution work?
Please advise if I am overlooking something.

The hosting company I am using should plug the hole, but if the code
itself is buggy then I don't blame them.


$allowable_sports = array("football", "rugby", "tennis");

if (isset($HTTP_GET_VARS['sport']) && in_array($HTTP_GET_VARS['sport'], $allowable_sports))
{     $sport = $HTTP_GET_VARS['sport'];   // assigned only after it passed the list check
      require ($sport.".php");    }
else
{     require ("error.php"); }


Colin McKinnon wrote:
