if (file_exists("pages/$page.php")) {
include($page.'.php');
}
Is this safe?
With Safe i mean that you cant include remote scripts etc
The code you posted has a typo, I believe. It should be:
if (file_exists("pages/$page.php")) {
include("pages/$page.php");
}
It does, however, lead to code injection and, if PHP settings allow it, to remote file inclusion.
You need to make sure the page that you include can not be any arbitrary page.
Usually you'll see this type of code in a "Loader" class employing the Factory Method, however, in good implementations it restricts the files and classes it will load to a certain directory, or to a certain predefined set of files.
Certainly not, especially if $page = "./configuration"
I would recommend replacing it with something like this:
$pages = array("blog", "home", "login");
if (in_array(strtolower($page), $pages)) {
    include("pages/$page.php");
}
EDIT: You can generate that list of acceptable pages with this code.
$pages = array();
if ($dh = opendir("pages")) {
    while (($file = readdir($dh)) !== false) {
        if (substr($file, -4) === ".php") {      // make sure the name ends in .php
            $pages[] = substr($file, 0, -4);     // strip the .php extension
        }
    }
    closedir($dh);
}
If $page is never set, PHP will then try to find what it could be following the variables_order directive inside your php.ini. This directive tells PHP the order in which to find variables. Since the default for this is EGPCS, a cunning hacker can then call your script and tell it to include any file that PHP has access to.
Ex:
www.example.com/?page=dbConfig.ini
Storing all possible page names in an array is the safest approach, but you can also be reasonably safe by simply validating the supplied page name and ensuring that you don't have any "dangerous" files in your pages directory.
$page = basename($_GET['page']);
if (file_exists("pages/$page")) {
include("pages/$page");
} else {
include("pages/default.php");
}
Use basename($_REQUEST['page']) to prevent potential access to other directories, then check if it exists.
http://php.mirror.facebook.net/manual/en/function.basename.php
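The following is an added example, not code from any of the answers above: it combines the allowlist approach from the "$pages = array(...)" answer with the directory-scanning and basename ideas from the later answers into one loader. It assumes the same layout as the question ($_GET['page'] selects a file under a pages/ directory) and that a pages/default.php exists; all names below are hypothetical.

```php
<?php
// Added example (not from the original posts). Assumes pages/ holds the
// includable files and pages/default.php is the fallback.
declare(strict_types=1);

/**
 * Resolve a user-supplied page name to an includable path, or null.
 *
 * Three independent checks are layered so that a mistake in one does not
 * expose the host:
 *  1. the name must match a strict character class (no "/", "." or NUL);
 *  2. the name must be in an explicit allowlist;
 *  3. the resolved real path must still lie inside the pages directory.
 */
function resolvePage(string $requested, string $pagesDir, array $allowed): ?string
{
    // 1. Shape check: letters, digits, dash and underscore only.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/i', $requested)) {
        return null;
    }
    $name = strtolower($requested);

    // 2. Allowlist check: only pages we explicitly ship may be included.
    if (!in_array($name, $allowed, true)) {
        return null;
    }

    // 3. Containment check: realpath() resolves symlinks and "..", so the
    //    final path must begin with the canonical pages directory.
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Build the allowlist from the directory contents, keeping only regular
 * files whose name ends in ".php" (stricter than a strstr() substring test).
 */
function listPages(string $pagesDir): array
{
    $pages = [];
    foreach (scandir($pagesDir) ?: [] as $file) {
        if (substr($file, -4) === '.php' && is_file("$pagesDir/$file")) {
            $pages[] = strtolower(substr($file, 0, -4));
        }
    }
    return $pages;
}

$pagesDir = __DIR__ . '/pages';
$allowed  = listPages($pagesDir);   // or a hard-coded array("blog", "home", "login")

// Reject non-string input such as ?page[]=x rather than casting it.
$requested = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';

$target = resolvePage($requested, $pagesDir, $allowed);
if ($target === null) {
    // Unknown or malformed page: serve the default and never echo the input.
    http_response_code(404);
    $target = $pagesDir . '/default.php';
}
include $target;
```

The regular-expression check alone already rules out directory separators, NUL bytes and stream wrappers such as php:// or http://, so remote inclusion cannot occur regardless of allow_url_include; the allowlist and realpath() containment are kept as defence in depth, and a request for a file that merely exists on disk (a config file, a .ini) is refused because it is not in the list.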