tags:

views:

338

answers:

2

How safe would you say this is?

$pages = array("about", "help", "login");
$pagesWithId = array("shownews", "showuser", "showfile");

if (in_array($_GET['page'], $pages)) {
  include('includes/'.$_GET['page'].'.php');
  include('templates/'.$_GET['page'].'.html');
}

foreach ($pagesWithId as $page) {
    if (ctype_digit($_GET[$page])) {
    include('includes/'.$page.'.php');
    include('templates/'.$page.'.html');
}
}

You see any potential threats?

Thanks

+3  A: 

It's safe.

What's not safe is allowing someone to build an arbitrary URL which you then include.

Here you're limiting the possible replacements to one of several known quantities, therefore it is safe.

Jason Cohen
+1  A: 

It is safe because nobody can inject a string that makes your code read from a remote URL. But make sure your 404 page doesn't show the URL in a manner that could allow somebody to type HTML/Javascript into the GET parameters.

A non-security related question: Will that be deployed with the PHP arrays storing the lists of pages?

Rishabh Mishra