Wednesday, 15 May 2013

php - My whitelisting for secure navigation is not working -

I'm building an administrative panel, and I'm trying to secure the query string navigation in the admin folder.

First, in the login form page, if the user login succeeds, I store the admin information in the session as $result.

$result = $readuser->fetch(PDO::FETCH_ASSOC); // one row of admin data as an associative array
$_SESSION['result'] = $result;                 // keep it in the session for later pages

And I have an admin dashboard.php file where I want to have query string navigation.

First, I check whether the session exists:

ob_start(); session_start();
// no admin session: redirect and stop, so nothing below the header() call runs
if (empty($_SESSION['result'])) { header('Location: index.php?restricted=true'); exit; }

Then I have the query string:

echo '<div id="panel">';
if (empty($_GET['exe'])) { require('home.php'); }
elseif (file_exists($_GET['exe'] . '.php')) { require($_GET['exe'] . '.php'); } // includes whatever file the parameter names
else { require('404.php'); }
echo '</div><!-- /panel -->';

And the query string is working fine, but I want to add more security, and I read about whitelisting for this purpose.

And I'm trying to whitelist the query string like this; my code is below:

$whitelist = array('sis/home', 'sis/404', 'posts/index', 'posts/edit', 'categories/index', 'categories/edit', 'dashboard', 'inc/header.php', 'inc/footer.php');
if (empty($_GET['exe'])) { require('sis/home.php'); }
elseif (in_array($_GET['exe'] . '.php', $whitelist)) { require($_GET['exe'] . '.php'); } // compares e.g. 'posts/index.php' against entries that have no '.php'
else { require('sis/404.php'); }

But when I try to access the URL:

http://localhost/adminpanel/admin/dashboard.php?exe=posts/index

I get the 404.php file, and the same is happening with the rest of the navigation.

I only get success on the home page:

http://localhost/adminpanel/admin/dashboard.php

My project folder organization is this:

One main folder "adminpanel", which contains:
  - one index.php file, which has the login form
  - one dashboard.php file, where I'm doing the query string
  - one folder "admin", which contains:
      - one folder posts, with one index.php file and one edit.php file
      - one folder includes, with one footer.php file and one header.php file
      - one folder inc, with one 404.php file and one home.php file

Do you see what I'm doing wrong?

Like @shai commented, concatenating '.php' causes in_array() to return false. Either remove the concatenation or add '.php' to every item in the array. The first alternative performs better.

In addition, you might want to URL-encode the parameters:

http://localhost/adminpanel/admin/dashboard.php?exe=posts/index

to

http://localhost/adminpanel/admin/dashboard.php?exe=posts%2findex

Last but not least, you might want to check if the file exists before requiring it.
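The following is an added example, not code from the asker or the answerer, of a dashboard.php dispatcher that applies the three points above: it compares the raw exe parameter against whitelist keys that carry no extension (so there is no '.php' mismatch on either side), it checks that the resolved file exists, and it confines the include to the admin folder. It assumes the folder layout from the question (sis/, posts/, categories/ beside dashboard.php) and a $_SESSION['result'] set by the login page; the ROUTES map and resolveRoute() are names chosen for this example.

```php
<?php
// Added example: whitelist-based page dispatcher for dashboard.php.
// Assumes the folder layout described in the question, relative to this file.
declare(strict_types=1);

ob_start();
session_start();

// Reject unauthenticated visitors. exit is essential: header() alone does not
// stop the script, so without it the rest of the page would still be rendered.
if (empty($_SESSION['result'])) {
    header('Location: index.php?restricted=true');
    exit;
}

// Allowed values of ?exe=... (keys) mapped to the file that should be included.
// The keys have no extension and the lookup adds none, which removes the
// in_array() mismatch from the question. Partial templates such as
// inc/header.php are deliberately absent: they are not pages of their own.
// (Hypothetical name; the question's code uses a plain $whitelist array.)
const ROUTES = [
    'sis/home'         => 'sis/home.php',
    'posts/index'      => 'posts/index.php',
    'posts/edit'       => 'posts/edit.php',
    'categories/index' => 'categories/index.php',
    'categories/edit'  => 'categories/edit.php',
];

/**
 * Resolve the requested page to an absolute file path, or null for anything
 * not on the whitelist. Exact-match lookup: 'posts/index', '../posts/index'
 * and 'posts/index.php' are three different strings and only the first is a key.
 * (Hypothetical helper written for this example.)
 */
function resolveRoute(?string $exe, array $routes, string $baseDir): ?string
{
    if ($exe === null || $exe === '') {
        $exe = 'sis/home';          // empty parameter means the home page
    }
    if (!array_key_exists($exe, $routes)) {
        return null;                // not whitelisted
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $routes[$exe]);
    // The file must exist (realpath returns false otherwise) and must sit
    // under the admin folder, even though the map already guarantees that.
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// $_GET['exe'] can be an array (?exe[]=x); treat anything but a string as absent.
$requested = $_GET['exe'] ?? null;
$page = resolveRoute(is_string($requested) ? $requested : null, ROUTES, __DIR__);

echo '<div id="panel">';
if ($page === null) {
    http_response_code(404);
    require __DIR__ . '/sis/404.php';
} else {
    require $page;
}
echo '</div><!-- /panel -->';
```

With this layout the URL-encoded form from the answer, exe=posts%2findex, works the same as exe=posts/index, because PHP decodes the query string before filling $_GET; the exact-match lookup then accepts only the spelled-out keys, so a value with extra path segments, a different extension or an encoded traversal sequence falls through to the 404 page.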
