
No require, no include, no url rewriting, yet the script is executed without being in the url

I am trying to trace the flow of execution in some legacy code. We have a report being accessed with

http://site.com/?nq=showreport&action=view

This is the puzzle:

  • in index.php there is no $_GET['nq'] or $_GET['action'] (and no $_REQUEST either),
  • index.php, or any sources it includes, do not include showreport.php,
  • in .htaccess there is no url-rewriting

yet, showreport.php gets executed.

I have access to cPanel (but no apache config file) on the server and this is live code I cannot take any liberty with.

What could be making this happen? Where should I look?

Update
Funny thing - sent the client a link to this question in a status update to keep him in the loop; minutes later all access was revoked and the client informed me that the project is cancelled. I believe I have taken enough care not to leave any traces to where the code actually is ...

I am relieved this has been taken off me now, but I am also itching to know what it was!

Thank you everybody for your time and help.

Majid Fouladpour asked Jul 20 '11 20:07



1 Answer

There are "hundreds" of ways to parse a URL - in various layers (system, httpd server, CGI script). So it's not possible to answer your question specifically with the information you have provided.

You leave a quite distinct hint: "legacy code". I assume what you mean is that you don't want to fully read the code, or even understand it well enough to locate the piece of the application in question that is parsing that parameter.

It would be good however if you leave some hints "how legacy" that code is: Age, PHP version targeted etc. This can help.

It was not always that $_GET was used to access these values (same is true for $_REQUEST, they are cousins).

Let's take a look in the PHP 3 manual (Mirror):

HTTP_GET_VARS

An associative array of variables passed to the current script via the HTTP GET method.

Is the script perhaps making use of this array? That's just a guess; this was a valid method to access these parameters for quite some time.

Anyway, this must not be what you search for. There was this often misunderstood and misused (literally abused) feature called register globals (PHP Manual) in PHP. So you might just be searching for $nq.

Next to that, there's always the request URI and Apache / environment / CGI variables. See the link to the PHP 3 manual above; it lists many of those. Compare this with the current manual to get a broad understanding.

In any case, you might have grep or a multi-file search available (Eclipse has a nice built-in one if you need to inspect legacy code inside some IDE).

So at the end of the day you might just look for a string like nq, 'nq', "nq" or $nq. Then check what this search brings up. String-based search is a good entry into a codebase you don't know at all.

hakre answered Sep 29 '22 08:09

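The string search suggested in the answer above, written out as an added example (not part of the original answer and not the asker's code). The function names and the sample tree are constructed for illustration; the `extract`/`parse_str`/`import_request_variables` and `auto_prepend_file` patterns go beyond what the answer lists and are assumptions about where else such a parameter can be picked up.

```shell
#!/bin/sh
# Added example: list where a GET parameter (the page's "nq") can be consumed
# without a literal $_GET/$_REQUEST. Output lines: category<TAB>file:line:text

_tag() { awk -v l="$1" '{ print l "\t" $0 }'; }

_src() {  # _src LABEL DIR ERE: search PHP source files
    grep -rnE --include='*.php' --include='*.inc' --include='*.php3' \
        -e "$3" "$2" 2>/dev/null | _tag "$1"
}

_cfg() {  # _cfg LABEL DIR ERE: search per-directory PHP settings
    grep -rnE --include='.htaccess' --include='.user.ini' --include='php.ini' \
        -e "$3" "$2" 2>/dev/null | _tag "$1"
}

find_param_sinks() {  # find_param_sinks DIR [PARAM]
    dir=$1; p=${2:-nq}
    # $nq (register_globals style), 'nq' or "nq" (key of any request array)
    _src param-name "$dir" "(\\\$|['\"])${p}([^A-Za-z0-9_]|\$)"
    # pre-$_GET request array from the PHP 3 manual entry quoted above
    _src legacy-array "$dir" 'HTTP_GET_VARS'
    # assumption beyond the answer: calls that turn request keys into variables
    _src bulk-import "$dir" '(extract|parse_str|import_request_variables)[[:space:]]*\('
    # hand-rolled parsing of the raw request
    _src raw-request "$dir" 'QUERY_STRING|REQUEST_URI'
    # register_globals is from the answer; auto_prepend_file is an added assumption
    _cfg php-config "$dir" 'register_globals|auto_prepend_file'
    return 0
}

make_demo_tree() {  # constructed sample files, not the asker's code
    d=$(mktemp -d) && mkdir -p "$d/lib"
    printf '%s\n' '<?php' 'require "lib/boot.inc";' > "$d/index.php"
    printf '%s\n' '<?php' 'extract($HTTP_GET_VARS);' > "$d/lib/boot.inc"
    printf '%s\n' '<?php' 'if ($nq == "showreport") { run_report(); }' > "$d/lib/router.php"
    printf '%s\n' 'php_flag register_globals on' > "$d/.htaccess"
    echo "$d"
}

demo=$(make_demo_tree)
find_param_sinks "$demo" nq
rm -rf "$demo"
```

PARAM is interpolated into a regular expression, so pass a plain identifier. The `-r` and `--include` options are grep extensions available in GNU and BSD grep.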