Web Hosting Talk

PHP/mySQL - include $variable; causes whole server to crash!


crEA-tEch
04-03-2009, 03:38 AM
Hi there guys,

I'm having somewhat of an issue with some PHP that I (personally) can see no fault with, definitely not to the stage of crashing a server!!

It crashes 25% of the time when this piece of code is executed:

<?php
include('db.php');   // opens the mysql_* connection used by the queries below

$id=$_POST['id'];
$order=$_POST['order'];
$original=$_POST['original'];   // name of the page to render again at the end
$var=$_POST['var'];


$equipment_model_id=$_POST['equipment_model_id'];
$serialnumber=$_POST['serialnumber'];
$location_id=$_POST['location_id'];
$computer_name=$_POST['computer_name'];
$network_connect=$_POST['network_connect'];
$licencekey=$_POST['licencekey'];
$comments=$_POST['comments'];



$serialnumber = strtoupper($serialnumber);
$computer_name = strtoupper($computer_name);
$licencekey = strtoupper($licencekey);
$network_connect = strtoupper($network_connect);   // was strtoupper($licencekey), a copy-paste slip that overwrote the network field with the licence key

$network_connect = ucwords($network_connect);
$comments = addslashes($comments);




// look up the location/block names for the posted location_id
$query = "SELECT * FROM locations WHERE location_id = '$location_id' LIMIT 1";
$result = mysql_query($query);

while($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
    $location = ($row['location']);
    $block = ($row['block']);
}





// write the posted values back to the equipment row
$query = ("UPDATE equipment SET equipment_model_id = '$equipment_model_id', serialnumber = '$serialnumber', location = '$location',
block = '$block', computer_name = '$computer_name', network_connect = '$network_connect', comments = '$comments', licencekey = '$licencekey'
WHERE equipment_id = '$id' LIMIT 1");

mysql_query($query) or die(mysql_error());



mysql_close();

$msg = "<font color=red> - The Equipment Has Been Updated</font>";
include $original;   // the line this thread is about: the included file name comes straight from the POST

?>

When the code does work it works perfectly and as fast as it should, but when it doesn't, that's when the server crashes.

This code has been working fine for the best part of a year, but recently, when I decided to carry over a variable which is the original PHP page name (formatted something like view_locations.php), it would time out and my boss had to restart IIS.

The only thing that has changed is, $original=$_POST['original']; at the start of the code, and obviously include $original; at the bottom.

(Incidentally, I have also tried include($original), include('$original'), and also request($original), request('$original'), and request $original; too, with no luck.)

Does anyone have any idea whatsoever what's going on??

Nick

Unquantifiable
04-03-2009, 03:57 AM
Including a file from a POST variable is a bad idea. What if someone POSTs the path of a system file, or other files outside of the web directory in the $original variable?

You will also need to paste the contents of the file you're including.

vibrokatana
04-03-2009, 04:06 AM
That code is also vulnerable to SQL injection.

dreamrae.com
04-03-2009, 08:04 AM
You should really sanitize your input. At a minimum you should do something like this:


foreach($_POST as $index => $value) {
    $_POST[$index] = mysql_real_escape_string(stripslashes(strip_tags($value)));
}


As the previous poster stated, you should never send user input to include().

Depending on how your server is configured this script is vulnerable to: SQL injection, XSS, and unauthorized file access.
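As an added example (not code from the thread or from any poster), here are the two queries of the original script rewritten with mysqli prepared statements instead of the escaping loop above. Bound parameters are sent separately from the SQL text, so a posted value can never change the statement's structure, and there is no addslashes() or escaping to get wrong. The connection parameters, the postField() helper and the decision to refuse the update when the location lookup finds no row are assumptions of this example.

```php
<?php
// Added example, not code from the thread. The two mysql_* queries in the
// original script are replaced with mysqli prepared statements so the posted
// values travel as bound parameters. Connection parameters are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    error_log('update.php: ' . $db->connect_error);
    exit('Database unavailable');
}

// Read a POST field as a string, defaulting to '' when it is absent
// (hypothetical helper, not part of the original script).
function postField($name)
{
    return isset($_POST[$name]) ? (string) $_POST[$name] : '';
}

$id             = postField('id');
$modelId        = postField('equipment_model_id');
$serial         = strtoupper(postField('serialnumber'));
$locationId     = postField('location_id');
$computerName   = strtoupper(postField('computer_name'));
$networkConnect = ucwords(postField('network_connect'));
$licenceKey     = strtoupper(postField('licencekey'));
$comments       = postField('comments');   // no addslashes(): binding does the quoting

// 1. Resolve location/block names from the posted location_id.
$stmt = $db->prepare('SELECT location, block FROM locations WHERE location_id = ? LIMIT 1');
$stmt->bind_param('s', $locationId);
$stmt->execute();
$stmt->bind_result($location, $block);
if (!$stmt->fetch()) {
    // The original silently left $location/$block unset here and wrote empty
    // strings; refusing the update is the safer choice (design choice of this example).
    $stmt->close();
    exit('Unknown location');
}
$stmt->close();

// 2. Update the equipment row: nine placeholders, nine bound strings.
$stmt = $db->prepare(
    'UPDATE equipment SET equipment_model_id = ?, serialnumber = ?, location = ?, block = ?, '
    . 'computer_name = ?, network_connect = ?, comments = ?, licencekey = ? '
    . 'WHERE equipment_id = ? LIMIT 1'
);
$stmt->bind_param('sssssssss', $modelId, $serial, $location, $block,
                  $computerName, $networkConnect, $comments, $licenceKey, $id);
if (!$stmt->execute()) {
    // Log the database detail; show the user a generic message instead of
    // the die(mysql_error()) of the original, which leaks schema information.
    error_log('update.php: ' . $stmt->error);
    exit('Update failed');
}
$stmt->close();
$db->close();

// Escaping for HTML belongs at the point of output, not on the way in:
// anything echoed back into the page goes through htmlspecialchars().
$msg = ' - The Equipment Has Been Updated ('
     . htmlspecialchars($serial, ENT_QUOTES, 'UTF-8') . ')';
```

The strip_tags()/stripslashes() pass in the loop above mangles legitimate data (a serial number containing an angle bracket, a comment with a backslash) and still leaves the include() problem untouched; keeping the input as-is, binding it for the database and escaping it for HTML only when it is printed addresses the SQL injection and XSS points separately.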

crEA-tEch
04-03-2009, 09:16 AM
Hi there,

I understand what you are saying - but these details aren't user defined.

$completed originates from a PHP generated string:

<input type="hidden" value="<?php echo substr($_SERVER['PHP_SELF'], 11); ?>" name="original">

Does that seem ok?

Can anyone see any errors with the coding that would make the server crash?

Nick

Unquantifiable
04-03-2009, 10:09 AM
It's not ok, since someone can save the HTML file and edit the value (one of the many ways to do it).

You should paste the php file that "include $original;" is fetching so we can see what's going on there. If it's not a php file, then that's why you are crashing. Use readfile() instead.

Codebird
04-03-2009, 02:40 PM
I guess if you're obliged to do it like this, then in the script that receives the POST information make an array like

$filesArray = array(0 => 'test.php', 1 => 'test2.php', ...);


then in the input just put the value as number

<input type="hidden" value="1" name="original">


this way the user can't do anything harmful for the include...
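The allowlist approach above, worked through as an added example (not Codebird's or the original poster's code): the hidden field carries only a short key, the key is checked against a fixed map on the server, and the real filename never appears in the form. The page filenames, the resolveReturnPage() helper and the fallback page are assumptions of this example.

```php
<?php
// Added example, not code from the thread. Allowlist of pages the update
// script may render after saving. The hidden form field carries a key
// (e.g. <input type="hidden" name="original" value="locations">); the real
// filenames live only here. The filenames are assumed for the example.
$allowedPages = array(
    'equipment' => 'view_equipment.php',
    'locations' => 'view_locations.php',
);

// Map a posted key to an absolute path inside this directory, or null if the
// key is not exactly one of the allowlist keys. Nothing from the request is
// ever used as part of a filename.
function resolveReturnPage(array $allowed, $requested)
{
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        return null;
    }
    return __DIR__ . DIRECTORY_SEPARATOR . $allowed[$requested];
}

$requested = isset($_POST['original']) ? $_POST['original'] : '';
$page = resolveReturnPage($allowedPages, $requested);

if ($page === null) {
    // Unknown key: record it (a tampered form is worth knowing about) and
    // fall back to a fixed page rather than including anything attacker-chosen.
    error_log('update.php: rejected return page ' . var_export($requested, true));
    $page = __DIR__ . DIRECTORY_SEPARATOR . 'view_equipment.php';
}

// include_once also defuses the mutual-include loop raised later in the
// thread: if this script was itself reached through the target page, the
// second include is a no-op instead of an endless recursion.
include_once $page;
```

A numeric index as in Codebird's array works the same way; the point is that the lookup happens against a fixed, server-side table and any value outside it is rejected, so a modified form can at most pick a different page from the same short list.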

xphoid
04-08-2009, 05:50 PM
Is there a possibility a file is including itself or a 'parent' file?

Say you're dynamically including page1.php in page2.php, and page2.php includes page1.php. It would create a never ending loop of included files..

I don't know whether or not this is even allowed, or if it will crash a server.

txitcs
04-09-2009, 09:52 AM
Is there a possibility a file is including itself or a 'parent' file?

Say you're dynamically including page1.php in page2.php, and page2.php includes page1.php. It would create a never ending loop of included files..

I don't know whether or not this is even allowed, or if it will crash a server.

That very well may be the issue, and yes, it could cause some problems with the server and possibly crash it (after all, he did say it was a Windows server).