mabufo Posted April 11, 2008 I recently had a look at this article from A List Apart: http://www.alistapart.com/articles/phpcms This seems like the perfect simple solution to a small web project that I would be interested in starting. I was wondering however - what sort of security risks accompany this sort of setup? Is there anything I should be worried about? And if so, how can I put some countermeasures in place? I have heard of sending a query to a whitelist stored on a database that holds the names of pages that are okay to load - would that be a viable option? Or is there a more simple solution?
rhodesa Posted April 11, 2008 One good way to do it is keep all your 'pages' in one folder. Then, require the $_GET['page'] variable to match \w+ like so:

```php
// Check that the page parameter is present and consists only of \w characters
if (!isset($_GET['page']) || !preg_match('/^\w+$/', $_GET['page'])) {
    // handle invalid page
} else {
    require_once("pages/{$_GET['page']}.html");
}
```

By limiting the page names to match \w+ (only letters, numbers, and underscores) it keeps your URLs simple and prevents any injection.
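Added example (not rhodesa's code or the A List Apart article's) that layers the regex gate above with the explicit allow-list mabufo asked about and a realpath containment check, so a later mistake in any one layer does not by itself let a request reach a file outside the pages directory. It assumes templates live in a `pages/` directory next to the script; the page names in ALLOWED_PAGES are constructed placeholders.

```php
<?php
// Assumed layout: pages/<name>.html next to this script.
const PAGES_DIR = __DIR__ . '/pages';
const DEFAULT_PAGE = 'home';
// Constructed allow-list; in the poster's scenario this could come from a database.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Resolve a requested page name to an absolute path inside PAGES_DIR,
 * or return null when the request must be rejected.
 */
function resolvePage(?string $name): ?string
{
    if ($name === null || $name === '') {
        $name = DEFAULT_PAGE;
    }
    // Gate 1: only [A-Za-z0-9_]. The D modifier makes $ match only at the
    // very end of the string, so "home\n" is rejected instead of accepted.
    if (!preg_match('/^\w+$/D', $name)) {
        return null;
    }
    // Gate 2: the name must be one we deliberately published.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }
    // Gate 3: after symlink and '..' resolution the file must still sit
    // inside PAGES_DIR and must exist (realpath returns false otherwise).
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $name . '.html');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$path = resolvePage($_GET['page'] ?? null);
if ($path === null) {
    http_response_code(404);
    echo 'Page not found';
    exit;
}
require_once $path;
```

Gate 3 is redundant while gates 1 and 2 are intact; it is there so that relaxing the regex later (for example to allow '/' or '.') still cannot serve anything outside `pages/`.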