Infinite Loop

Bradster · May 30th, 2007, 03:44 PM

I recently got a formal warning by my web hosting provider for having bad code and crashing one of thier shared servers :S.

This is why;

Code:

    <?php
    $url = '';
    if (!empty($_GET['category'])) {
        $url .= $_GET['category'] . '/';
    }
    if (!empty($_GET['home'])) {
        $url .= $_GET['home'] . '.php';
    }
    include $url;
    ?>

Anybody know how you actually create a dynamic php include?

grahame · May 31st, 2007, 01:56 AM

That is not (inless you refer it to itself) an infinite loop ... and in any case, there's a timeout on such things in PHP so they should not crash the server. It IS a script that is open to injection attacks as malicious site visitors could fillin your "category" box with something starting "http://" or "/" and pick up code from other accounts on the same shared server, or other servers.

You should add code to check your "category" and "home" inputs to ensure that they only contain letters or digits, or validate them against a fixed list of whats's allowed, or something like that.

To get you started
if (! eregi('[a-z0-9]]+$',$_GET['category'])) { .....
will check if the category input is just letters and digits

Bradster · May 31st, 2007, 04:18 AM

Thanks for that Grahame,
Yeah I relised that that piece of code wasnt the one that crashed it.

I have another problem, the links now work fine except that I get an error when you open up the index.php file itself, and you must click on a link to not get an error, I cant set the inital page.