+1  Q: 

User input include

This is pretty darn safe, right? Something I've missed?

$page = sprintf("%s/%s.php", "pages", $_GET['page']);
if (file_exists($page)) {
 include $page;
}
else {
 echo "The page '$page' does not exist =(";
}

(yes you can use it)

+4  A: 

It's extremely unsafe since a user can arbitrarily load whatever page they feel like.

byte
A: 

If you are sure there's no / or .. in $_GET['page'], and that the visitor is allowed to view any PHP file in the pages dir, I think it's okay.

p4bl0
+4  A: 

The "better" way to do this is to have an array of the allowed pages, then do something like this:

$page = $_GET['page'] . '.php';
if(in_array($page, $all_pages)) {
    include('pages/' . $page);
}

You could easily get a list of all allowed pages by doing something like this:

// glob() returns paths like "pages/foo.php"; keep only the file names so they match $page above
$all_pages = array_map('basename', glob('pages/*.php'));

Documentation: in_array, glob

Paolo Bergantino
That's smart, thanks
A: 

Use basename() to make sure there's no path information being supplied:

$page = sprintf("%s/%s.php", "pages", basename($_GET['page']));
if (file_exists($page)) {
        include $page;
}
else {
        echo "The page '$page' does not exist =(";
}
Ken Keenan
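Putting the two answers together (the allowlist from the accepted answer and basename() from the last one) in a single router, as an added example that is not part of any post above. The `pages` directory location, the function names and the HTML-escaped 404 message are assumptions.

```php
<?php
// Added example, not from any answer above: an allowlist-based page router.
// Assumes the includable pages live in a "pages" directory next to this script.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

/** Allowed page names derived from the files that actually exist, e.g. "home", "about". */
function allowedPages(string $dir): array
{
    $names = [];
    foreach (glob($dir . '/*.php') ?: [] as $path) {
        // basename() with a suffix strips both the directory and the ".php" extension
        $names[] = basename($path, '.php');
    }
    return $names;
}

/**
 * Resolve a user-supplied page name to a file path, or return null if it is not allowed.
 * The value must be a string that matches an allowlisted entry exactly (strict comparison),
 * so anything containing "/" or ".." simply never matches, and no filesystem call is made
 * with user-controlled data before the check.
 */
function resolvePage($requested, array $allowed, string $dir): ?string
{
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }
    return $dir . '/' . $requested . '.php';
}

$requested = $_GET['page'] ?? null;
$target    = resolvePage($requested, allowedPages(PAGES_DIR), PAGES_DIR);

if ($target === null) {
    http_response_code(404);
    // Unlike the question's snippet, the echoed user value is HTML-escaped.
    $shown = is_string($requested) ? $requested : '';
    echo 'The page ' . htmlspecialchars($shown, ENT_QUOTES, 'UTF-8') . ' does not exist =(';
} else {
    include $target;
}
```

With `pages/home.php` present, `?page=home` includes it, while `?page=../index`, `?page=pages/home` or a missing parameter all fall through to the 404 branch without touching the filesystem.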