Sanitize $_GET parameters to avoid XSS and other attacks

Question

I have a website in php that does include() to embed the content into a template. The page to load is given in a get parameter, I add ".php" to the end of the parameter and include that page. I need to do some security check to avoid XSS or other stuff (not mysql injection since we do not have a database). What I've come up with is the following.

$page = $_GET['page'];

if(!strpos(strtolower($page), 'http') || !strpos($page, '/') ||
    !strpos($page, '\\') || !strpos($page, '..')) {
        //append ".php" to $page and include the page

Is there any other thing I can do to furtherly sanitize my input?

Answer 1

$page = preg_replace('/[^-a-zA-Z0-9_]/', '', $_GET['page']);

Is probably the quickest way to sanitize this, this will take anything and make sure that it only contains letters, numbers, underscores or dashes.

Answer 2

Define an explicit list of pages you have in your source code and then use it to check the input. Yes, it's more work, but it makes it very clear what is allowed and what is not. For example:

$AVAILABLE_PAGES = array('home', 'news',  ...);
$AVAILABLE_PAGES = array_fill_keys($AVAILABLE_PAGES, 1);

$page = $_GET['page'];
if (!$AVAILABLE_PAGES[$page]) {
   header("HTTP/1.0 404 Not Found");
   die('Page not found.');
}

include "pages/$page.php";

Answer 3

Don't "sanitize" - Attacks are specific to the use of data, not the source. Escape values as you output them instead. See also my answer to What’s the best method for sanitizing user input with PHP?