  1. #1
    CBG
    New Coder
    Join Date
    Feb 2010
    Location
    UK
    Posts
    91
    Thanks
    26
    Thanked 0 Times in 0 Posts

    Allow more than one page to be viewed

    Hi,

    I have the below bit of code that is working fine, however I would like to change it, to allow more files to be viewed, like it does with /offline.php

    This bit
    if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0) {

    I would like to allow /offline.php and /admin/offline.php and /admin/offlinemodify.php

    How would I do this?

  • #2
    New Coder
    Join Date
    Mar 2008
    Posts
    35
    Thanks
    0
    Thanked 4 Times in 4 Posts
    PHP Code:
    if(in_array($_SERVER['PHP_SELF'], array('/offline.php', '/admin/offline.php', '/admin/offlinemodify.php')))

  • #3
    CBG
    That doesn't work for me.

    Here is the full bit of current code and what each line does

    PHP Code:
    if ($offline['status'] == 'offline') {
        if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0) {
            if ($offline['iporlogin'] == 'IP') {
                $ip = $_SERVER['REMOTE_ADDR'];
                if ($ip == $offline['ip1'] || $ip == $offline['ip2']) {
                } else {
                    if ( $offline['status'] == 'offline' ) { header ('location: /offline.php'); }
                }
            } else {
                $username = $_SESSION['UserName'];
                if ($username == $offline['username']) {
                } else {
                    if ( $offline['status'] == 'offline' ) { header ('location: /offline.php'); }
                }
            }
        }
    }

    Line 1: Check to see if it is in Offline Mode

    Line 2: Allow access to /offline.php (this is the bit I want to change to allow more files)

    Line 3-8: If offline is in IP Mode check IP

    Line 9: Else if not in IP mode but is offline do Login code

    Line 10-14: Login Mode check for user/pass access

    Line 15-17: Closing Tags

  • #4
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    Code:
    $pages = array(
        '/offline.php',
        '/online.php',
    );
    
    if (in_array($_SERVER['PHP_SELF'], $pages))

  • Users who have thanked MattF for this post:

    CBG (03-18-2010)

  • #5
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    The in_array is correct, it's the result that's incorrect. strcmp returns 0 and only 0 on success, not failure.
    PHP Code:
    if (!in_array($_SERVER['PHP_SELF'], $pages)) // Or embedded array, I'd use the variable like MattF has
    {
    ..... 
    So the important part is the ! for the in_array, since the strcmp is only true on failure (where false === 0 and true != false in PHP). This will match the behaviour you currently have.

    The problem here is the OP has a conflict in the code versus the definition of the code. The code specifies if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0), which is so long as /offline.php is NOT $_SERVER['PHP_SELF'] (you may want to consider changing that btw, PHP_SELF is XSS exploitable), but the explanation you gave for this step is Line 2: Allow access to /offline.php (this is the bit I want to change to allow more files). Which is it supposed to be?
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

  • Users who have thanked Fou-Lu for this post:

    CBG (03-18-2010)

  • #6
    CBG
    First, thank you for all your help; it now seems to be working as I want it.

    Quote Originally Posted by Fou-Lu View Post
    The problem here is the OP has a conflict in the code versus the definition of the code. The code specifies if (strcmp($_SERVER['PHP_SELF'],"/offline.php") != 0), which is so long as /offline.php is NOT $_SERVER['PHP_SELF']
    I was given that code on a forum after asking how to only allow everyone access to offline.php but not anywhere else, unless the IP matched.

    Quote Originally Posted by Fou-Lu View Post
    you may want to consider changing that btw, PHP_SELF is XSS exploitable
    What do you recommend I change it to?

  • #7
    God Emperor Fou-Lu's Avatar
    Try under $_SERVER['REQUEST_URI']. Test that on a couple nested directories as well, I think that will work as you want it to (but check, specifically for the /admin/offline.php you were asking about).
    If not, also try under $_SERVER['SCRIPT_NAME'], that one I expect will need modifications though.

  • Users who have thanked Fou-Lu for this post:

    CBG (03-18-2010)

  • #8
    CBG
    Quote Originally Posted by Fou-Lu View Post
    Try under $_SERVER['REQUEST_URI']. Test that on a couple nested directories as well, I think that will work as you want it to (but check, specifically for the /admin/offline.php you were asking about).
    If not, also try under $_SERVER['SCRIPT_NAME'], that one I expect will need modifications though.
    I tried $_SERVER['REQUEST_URI'] but that didn't work.
    So I tried $_SERVER['SCRIPT_NAME'] which did work

    One more question: does $_SERVER['SCRIPT_NAME'] run OK on Windows servers?

  • #9
    God Emperor Fou-Lu's Avatar
    Quote Originally Posted by CBG View Post
    I tried $_SERVER['REQUEST_URI'] but that didn't work.
    So I tried $_SERVER['SCRIPT_NAME'] which did work

    One more question: does $_SERVER['SCRIPT_NAME'] run OK on Windows servers?
    Yes, but. $_SERVER is never guaranteed to exist, it's up to the environment to create these. Apache, IIS and CLI so far I've been able to retrieve REQUEST_URI and SCRIPT_NAME on. Generally, I use SCRIPT_NAME, but offhand I cannot recall what pathing it takes (absolute from filesystem root, or absolute from webroot; I was pretty sure it was filesystem root, but if it works in your code here, that's likely from document root).
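
The gate this thread converges on (negated allow-list check, SCRIPT_NAME rather than PHP_SELF), written out as an added example that is not code from any poster. The function name `must_redirect`, the constant `OFFLINE_ALLOWED` and the sample addresses are hypothetical, and the `$offline` keys are assumed to be the ones shown in post #3.

```php
<?php
// Added example; function name and sample values are hypothetical.

// Pages that stay reachable while the site is offline (the three from post #1).
const OFFLINE_ALLOWED = ['/offline.php', '/admin/offline.php', '/admin/offlinemodify.php'];

// True when the request must be sent to /offline.php. $server and $session are
// passed in so the decision can be exercised without a web server.
function must_redirect(array $offline, array $server, array $session): bool
{
    if (($offline['status'] ?? '') !== 'offline') {
        return false;                      // site is online
    }
    // SCRIPT_NAME is the executing script's path. PHP_SELF additionally carries
    // any PATH_INFO the client appended, e.g. /offline.php/x.
    if (in_array($server['SCRIPT_NAME'] ?? '', OFFLINE_ALLOWED, true)) {
        return false;                      // allow-listed page
    }
    if (($offline['iporlogin'] ?? '') === 'IP') {
        $ip = $server['REMOTE_ADDR'] ?? '';
        $allowed = [$offline['ip1'] ?? null, $offline['ip2'] ?? null];
        return $ip === '' || !in_array($ip, $allowed, true);
    }
    $user = $session['UserName'] ?? '';
    return $user === '' || $user !== ($offline['username'] ?? null);
}

// Page prologue under a web SAPI (kept as a comment so the file runs on the CLI):
// if (must_redirect($offline, $_SERVER, $_SESSION ?? [])) {
//     header('Location: /offline.php');
//     exit; // header() only queues the redirect; without exit the page still runs
// }

// Constructed configuration and requests (documentation-range addresses).
$offline = ['status' => 'offline', 'iporlogin' => 'IP',
            'ip1' => '192.0.2.10', 'ip2' => '192.0.2.11', 'username' => 'admin'];
$requests = [
    ['SCRIPT_NAME' => '/admin/offline.php', 'REMOTE_ADDR' => '203.0.113.5'],
    ['SCRIPT_NAME' => '/offline.php',       'REMOTE_ADDR' => '203.0.113.5'],
    ['SCRIPT_NAME' => '/index.php',         'REMOTE_ADDR' => '203.0.113.5'],
    ['SCRIPT_NAME' => '/index.php',         'REMOTE_ADDR' => '192.0.2.10'],
];
foreach ($requests as $r) {
    $verdict = must_redirect($offline, $r, []) ? 'redirect' : 'allow';
    printf("%-20s %-13s %s\n", $r['SCRIPT_NAME'], $r['REMOTE_ADDR'], $verdict);
}
```

The third `in_array` argument enables strict comparison, so a missing or non-string value never loosely matches an allow-list entry.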

