Dynamic security

Is there a way to safely include pages without putting them in an array?

if (preg_match('/^[a-z0-9]+/', $_GET['page'])) {

    $page = $_GET['page'] . ".php";
    $tpl = $_GET['page'] . ".html";
    if (file_exists($page)) include($page);
    if (file_exists($tpl)) include($tpl);

}

What should I add to make this pretty safe?

I do it this way because I do not like to include material that should be included on all pages the "include header > content > include footer" way. I also do not want to use any template mechanisms or frameworks.

Thanks.

+3
4 answers


  • , "images/../../secret" ,
  • , "index" .


if (preg_match('/^[a-z0-9]+$/', $_GET['page'])) {
    $page = realpath('includes/'.$_GET['page'].'.php');
    $tpl = realpath('templates/'.$_GET['page'].'.html');
    if ($page && $tpl) {
        include $page;
        include $tpl;
    } else {
        // log error!
    }
} else {
    // log error!
}

: realpath , , false . file_exists .

+6
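As an added example (not code from the thread), the realpath approach in the answer above taken one step further: the regex anchored at both ends, realpath() standing in for file_exists(), and a check that the resolved path stays under the include directory. The function name resolve_page and the throwaway directory it is exercised against are this example's own.

```php
<?php
// Added example, not from the thread. resolve_page() and $baseDir are names
// chosen here; the directory layout below is a constructed fixture.

function resolve_page(string $name, string $baseDir, string $ext): ?string
{
    // Anchor both ends: the question's regex lacks '$', so "index/../x"
    // would pass it. Only simple lowercase alphanumerics are accepted.
    if (!preg_match('/^[a-z0-9]+$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $name . $ext);
    // realpath() returns false for a missing file, so file_exists() is not needed.
    if ($base === false || $file === false) {
        return null;
    }
    // Defence in depth: the resolved path must stay inside the base directory,
    // even if the regex is later loosened or the base directory is misconfigured.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed fixture: a temporary include directory with one real page
// and a file outside it that must never be reachable.
$dir = sys_get_temp_dir() . '/inc_' . bin2hex(random_bytes(4));
mkdir($dir . '/includes', 0700, true);
file_put_contents($dir . '/includes/index.php', "<?php echo \"hello\\n\";\n");
file_put_contents($dir . '/secret.php', "<?php echo \"must not run\\n\";\n");

$tests = ['index', 'images/../../secret', '../secret', 'INDEX', 'missing'];
foreach ($tests as $t) {
    $r = resolve_page($t, $dir . '/includes', '.php');
    printf("%-22s => %s\n", $t, $r === null ? 'rejected' : 'include ' . basename($r));
}

// Only a name that survives every check is ever passed to include.
$p = resolve_page('index', $dir . '/includes', '.php');
if ($p !== null) {
    include $p;
}
```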

, , , , , , -db-.

$availFiles = array('index.php', 'forum.php');
if (in_array($_GET['page'] . ".php", $availFiles)) {
    // Good
} else {
    // Not Good
}


+4


, , , include.

+1

I agree with Unkwntech. This is such an unsafe way to include files on your site; I want PHP programmers to do this completely. However, an array with all possible matches is certainly safer. You will find, though, that the MVC pattern works better and is more secure. I downloaded CodeIgniter; take a tutorial or two and you will like it for the same reason you want to use the dynamics.

0

Source: https://habr.com/ru/post/1702876/
