Basically, I want to create a site to show people how to prevent PHP vulnerabilities by simulating them. However, I cannot get them to work myself.
I want to see if a variable equals a valid page (I only have two for testing) and, if it does, load that page. Otherwise, I see if it contains "../". If neither of those is true, it simply says "Page not found".
This is my code so far:
<?php
if ($page == "LOLone.php" || $page == "LOLtwo.php") {
    echo "Welcome, look at the LOL cats!";
    include($page);
} else if (strlen(strstr($page, "../")) > 0) {
    echo "Congrats, you found the transversal attack vulnerability!";
} else {
    echo "Page not found!";
}
?>
Whenever I try to use page=LOLone.php (or LOLtwo.php or even ../) it says "Page not found!" Can I not compare variables the way I am, or could this be my web-host playing it safe? I am a bit confused, but I am relatively new to PHP so I feel like I am missing something simple...
Ok, I made a simple mistake. A very big one too. Sorry. Thanks for all the replies, and I will be very careful about my own server getting hacked. In this example I should be clean though, because I have it include the page only if it equals a specified value. Thanks again.
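An added example, not part of the original post: the allowlist check the post describes, written so the value is read explicitly from the query string and the included path comes from a fixed table rather than from the request. The `resolve_page` function, the `PAGES` table and the sample requests are constructed for illustration, and reading the parameter from `$_GET` is an assumption, since the post does not show where `$page` is set.

```php
<?php
declare(strict_types=1);

// Allowlist: request value => file that may be included. Only the two page
// names from the post can ever reach include().
const PAGES = [
    'LOLone.php' => 'LOLone.php',
    'LOLtwo.php' => 'LOLtwo.php',
];

/**
 * Classify a request without touching the filesystem.
 * Returns ['status' => 'ok'|'traversal'|'not_found', 'file' => ?string].
 */
function resolve_page(array $query): array
{
    $page = $query['page'] ?? '';
    // page[]=x arrives as an array; anything that is not a string is rejected.
    if (!is_string($page)) {
        return ['status' => 'not_found', 'file' => null];
    }
    // Exact-match lookup: the path handed to include() comes from the table.
    if (array_key_exists($page, PAGES)) {
        return ['status' => 'ok', 'file' => PAGES[$page]];
    }
    // Demo branch only: recognise "../" for the lesson, never include here.
    // PHP has already URL-decoded $_GET once; decoding again also catches a
    // double-encoded separator, and backslashes are normalised to "/".
    $decoded = str_replace('\\', '/', rawurldecode($page));
    if (strpos($decoded, '../') !== false) {
        return ['status' => 'traversal', 'file' => null];
    }
    return ['status' => 'not_found', 'file' => null];
}

// Constructed sample requests; on a web server the call is resolve_page($_GET).
$samples = [
    ['page' => 'LOLone.php'],      // ok
    ['page' => '../'],             // traversal
    ['page' => '..%2F'],           // traversal (value was double-encoded)
    ['page' => ['LOLone.php']],    // not_found (array, not a string)
    ['page' => 'LOLthree.php'],    // not_found
    [],                            // not_found (parameter missing)
];
foreach ($samples as $q) {
    echo json_encode($q), ' => ', resolve_page($q)['status'], PHP_EOL;
}
```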