
I have hunted around, but have not found an answer specific to what I am trying to do. I currently run Wordpress on my personal web server, but I am looking to move away from it. I am writing my own semi-CMS system. I have a lot of it already done, and am starting to do the Blog section. I have a bare-bones page template that I use when creating a blog entry, saved in a /blog_files directory. These pages just include a <section> area with formatted text. From there, I have a PHP script that grabs the 5 most recent PHP files and includes them into the Index.php page. This works perfectly and seems super fast.

My question/problem is that I am looking for a secure way to have visitors be able to click on the blog heading and be taken to a dedicated page for that blog entry. I have an empty page.php page that includes header, menu, and footer, and would like to include the blog_page/file.php inside of that page. I want to do this dynamically, but also securely. I have thought about using sessions or GET/POST, but am not sure which would be the best for performance and security.

I came across this page which includes the following:

    <?php
    session_start();
    $_SESSION['regName'] = $regValue;
    ?>

    <form method="get" action="get_reg.php">
        <input type="text" name="regName" value="">
        <input type="submit">
    </form>

I thought of using this, and just passing the include page through this variable, but this code is from 6 years ago, and I am not sure if this is still the preferred way to handle this. I am running CentOS 7 with Apache 2.4 and the latest PHP.

Any help would be appreciated.

Livewire18
  • What security concern are you addressing? If users are allowed to see the hosting page, and allowed to see the content page, then what are you trying to prevent users from doing? – David Jun 11 '15 at 12:32
  • There are some areas of the site that I do not want anyone getting into directly, so my main concern was any type of link injection or pseudo-proxy type of scenario where someone could manually enter a page into the include path. – Livewire18 Jun 11 '15 at 13:36
  • Ah, that makes sense then. Unfortunately I don't have specifics for an actual answer. As a tip I also recommend making sure the included files themselves are secured. It's definitely critical not to allow users to inject their own values into an include path, and for your scenario it's also important not to let users request those files directly. Keeping the included files out of the public web directory structure usually accomplishes that much, since then only server-side code can even find them. – David Jun 11 '15 at 14:10
  • Absolutely agree. The include files are actually one level below the root directory of the HTML (i.e. outside of the public HTML files). They are also excluded via robot scans and blocked from direct access via .htaccess. My biggest concern is making sure someone doesn't try something like www.example.com/vulnerable.php?badsite=C:\\ftp\\upload\\exploit. Is there any way to perform a check on the variable's .php file to ensure it exists in ../included_file_path before trying to open the path with it included? – Livewire18 Jun 11 '15 at 14:16

1 Answer


Well, after quite a bit of digging, reading, combining, editing, re-editing, and re-re-editing (lol) I think I have found my solution.

This is what I ended up with.

This is the blog page which shows the 5 most recent blog files in the blog_files directory. It then creates a link with the header information which passes the filename to the blog_single page.

    <?php
        $blogs = array(); // file name => modification time
        // gather all files in the blog_files folder matching *.php
        foreach (glob("blog_files/*.php", GLOB_BRACE) as $filename) {
            $blogs[$filename] = filemtime($filename);
        }
        arsort($blogs); // newest first
        // keep only the newest 5 files (string keys are preserved by array_slice)
        $newest = array_slice($blogs, 0, 5);

        // for each of the newest 5, gather meta tag info from the page
        foreach ($newest as $blog => $mtime) {
            $tags   = get_meta_tags($blog);
            $title  = isset($tags['title'])  ? $tags['title']  : '';
            $author = isset($tags['author']) ? $tags['author'] : '';

            // if the page title is not empty, emit the heading link
            if (!empty($title)) {
                // strip folder and .php from the file name; this slug is what blog_single.php receives
                // (no PHP_EOL here: a trailing newline would end up inside the URL)
                $page = basename($blog, ".php");
                // echo the title as a link to blog_single.php, passing the slug;
                // quote the attribute and escape both the URL and the text
                echo '<h3><a href="blog_single.php?page=' . rawurlencode($page) . '">'
                   . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</a></h3>';
            }
            // include the blog entry in the page below the title link
            include $blog;
        }
    ?>

From there, the blog_single page gets the file name and then includes that into the page.

    <?php
        // reconstruct the include file path from the slug passed by the blog page
        $page = "blog_files/" . $_GET["page"] . ".php";
        // I will be adding additional code to verify the PHP file exists only in the includes directory

        // get meta-tag information from the page
        $tags  = get_meta_tags($page);
        $title = isset($tags['title']) ? $tags['title'] : '';
        if (!empty($title)) {
            $headline = $title;
        }
    ?>
    <section>
        <?php include($page); // include the blog entry in the blog_single.php page ?>
    </section>

I hope this helps someone in the future, and if you notice anything I should have done, please feel free to post your suggestions or comments.

Livewire18
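The check that the comment thread asks for (make sure the requested file exists inside the include directory before including it) and that the answer's blog_single.php leaves as a TODO can be done as below. This is an added example, not the poster's code: it assumes the blog_files directory lives one level above the web root as described in the comments, that blog file names are plain slugs (letters, digits, dash, underscore), and it introduces a hypothetical helper `resolve_blog_file()`. The slug is validated against an allowlist pattern first, then `realpath()` canonicalises both the directory and the candidate and the result must lie under the directory, so `../`, absolute paths, `php://` wrappers, NUL bytes and symlinks pointing elsewhere are all rejected before `include` sees anything.

```php
<?php
// Added example (not the original poster's code). Resolves a user-supplied
// blog slug to a file inside a fixed include directory and refuses anything
// else. Assumed layout: blog_files/ sits one level above the web root.

/**
 * Return the absolute path of <blogDir>/<slug>.php, or null if the slug is
 * not a plain identifier or does not resolve to a file inside $blogDir.
 */
function resolve_blog_file($slug, $blogDir)
{
    // 1. Allowlist the slug's shape before it touches the filesystem:
    //    letters, digits, dash and underscore only. This rejects "../",
    //    backslashes, NUL bytes, "php://", absolute paths and empty input.
    if (!is_string($slug) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $slug)) {
        return null;
    }

    // 2. Canonicalise the directory and the candidate file. realpath()
    //    returns false for a missing file, so existence is checked here too.
    $base = realpath($blogDir);
    if ($base === false) {
        return null; // include directory missing or unreadable
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $slug . '.php');
    if ($candidate === false) {
        return null; // no such blog entry
    }

    // 3. Containment: the canonical file path must start with the canonical
    //    base plus a separator, so a sibling directory such as
    //    blog_files_old/ or a symlink leaving the tree is rejected.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// --- blog_single.php (assumed usage) ---
$blogDir = __DIR__ . '/../blog_files';          // assumed: outside the web root
$slug    = isset($_GET['page']) ? $_GET['page'] : '';

$page = resolve_blog_file($slug, $blogDir);
if ($page === null) {
    http_response_code(404);              // do not echo the slug back
    exit('No such blog entry.');
}

$tags     = get_meta_tags($page);
$headline = isset($tags['title']) ? $tags['title'] : $slug;
$headline = htmlspecialchars($headline, ENT_QUOTES, 'UTF-8');
?>
<section>
    <h1><?php echo $headline; ?></h1>
    <?php include $page; ?>
</section>
```

Two practical notes. The slug pattern must match how the blog page builds its links (`basename($blog, ".php")`), so any entry whose file name contains spaces or other characters either gets renamed or the pattern widened, never the check dropped. If you would rather compare against the directory listing directly, `in_array($slug . '.php', array_map('basename', glob($blogDir . '/*.php')), true)` is an equivalent allowlist built from the same `glob()` the listing page already uses; the `realpath()` containment test above is what keeps a symlink inside blog_files from pulling in something outside it.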