Good day to all who read!
A caveat up front: here I will be talking about things that are obvious to any experienced PHP programmer. But lately I keep running into newcomers making this mistake in one form or another.
UPD: gentlemen, what a way to silently spit in my karma! Is it really so hard to write what specifically you don't like about the post?
A person makes his first (second, third) site and calls the whole thing an information portal. He starts filling it with useful things. And at this point he decides to place an informer from a third-party site on his own site. Many sites provide a special service for this purpose. For example, Gismeteo distributes HTML code for embedding in your own pages, and many banks also give out code for an informer with exchange rates. But what if the site does not provide such a service?
Another caveat is in order. Let's skip the discussion about the legality of posting information from another site without permission. I do not welcome such actions, but if a person needs ...
So our novice decides to insert the page at the desired URL into the spot where he needs it. Here is what I see in the source:
...
include "http://...";
...
It's horrible. This is very, very bad. To those who do not understand how terrible it is:
- As a rule, if the remote site does not offer official informer code, the response is a full-fledged HTML page, with its own headers, in its own encoding, etc. At the very least it will look awful and will not fit into the overall design of the site. Most likely it will simply break the page layout.
- The include statement simply takes the text received from the URL request and inserts it at the current point in the program as PHP source. This means that if the admin of the remote site serves a specially crafted page containing PHP code, that code will be executed right there on your server. This is the most banal injection. Before the amazed beginner's eyes, I made a page that, when included this way, rebooted his server. It should also be said that most hosting providers disable remote includes, and rightly so.
And in conclusion, here is how I would insert third-party content.
PHP supports a nice tool called curl, which lets you pull content from remote web servers with very flexible settings, to the point of almost simulating a browser. The content is placed in a variable and then processed. You can process it with regular expressions, or you can parse the HTML using XPath or another parser. In any case, you need to strip away everything superfluous and leave only the bare useful content: text, numbers, etc. This data is then checked for validity and simply inserted into the page's own layout.
No design violation, no layout breakdown, no injection in PHP.
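The approach described above, as an added example (not code from the original post): the remote page is fetched into a variable with curl, one value is pulled out with XPath, validated against the expected shape, and escaped before it reaches the page. The URL, the XPath query, the function names and the sample HTML are hypothetical and constructed for illustration.

```php
<?php
// Added example: treat the remote page as untrusted data, never as code.
// URL, XPath query and sample HTML below are hypothetical/constructed.

function fetchRemote(string $url): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,            // body goes into a variable, not into include
        CURLOPT_FOLLOWLOCATION => false,           // no silent redirects to other hosts
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse file://, ftp:// and friends
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,               // a slow remote must not hang our page
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    return ($body !== false && $code === 200) ? $body : null;
}

function extractRate(string $html, string $xpathQuery): ?string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);              // real-world HTML is rarely well-formed
    $doc->loadHTML($html);
    libxml_clear_errors();
    $nodes = (new DOMXPath($doc))->query($xpathQuery);
    if ($nodes === false || $nodes->length === 0) {
        return null;
    }
    $text = trim($nodes->item(0)->textContent);
    // Validity check: accept only something shaped like a rate, e.g. "92.4150".
    return preg_match('/^\d{1,6}([.,]\d{1,4})?$/', $text) ? $text : null;
}

// Constructed sample of a hostile response: embedded PHP and script are just inert text here.
$sample = '<html><body><?php echo "executed"; ?>'
        . '<span id="usd">92.4150</span><script>alert(1)</script></body></html>';

// Live use (hypothetical URL): $html = fetchRemote('https://rates.example/usd');
$rate = extractRate($sample, '//span[@id="usd"]');

// Only the validated value reaches our own markup, escaped for HTML.
echo '<div class="informer">USD: '
   . ($rate !== null ? htmlspecialchars($rate, ENT_QUOTES, 'UTF-8') : 'n/a')
   . "</div>\n";
```

With content handled this way, `allow_url_include` can stay at its default of off in php.ini, so a stray `include "http://..."` fails instead of executing remote text.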
P.S. It is worth noting that my arguments and the demonstration of the vulnerability did not have the desired effect on my budding colleague: the vulnerability was not fixed. A few days later the site was hacked using this vulnerability. Do not repeat these mistakes; learn from others. Good luck!