Is this page-fetcher safe?

[selbekk]

I have a quick question... havent done php in ages, and now im trying to write a code snippet that fetches the correct page, and includes it in the main web page. Would this be safe, or could people hack it very easily?

<?php
	if(isset($_GET['page'])) { // If page is requested in url, fetch it

		$pages = array("home", "aboutme", "projects", "resume", "contact"); // Lists accepted pages in array
		if in_array(($_GET['page']), $pages) {
			include_once($_GET['page'].".php");  // If page requested is in the array, include page
		} else echo "I am sorry, I could not find the requested page on the server. Please try again.";
	?>

 

thanks =)

 

 

[micah1701]

that looks pretty good.

 

as long as your site doesn't have any places where a person can post php code back to your site and could override your $pages array.

[Zhadus]

Instead of matching it against an array, I just check to see if the file exists. Although I'm not sure if it's any safer.

[selbekk]

thanks! :-)

 

i guess the only really advantage with checking if the file exists, is making it easier to add new pages to my site. But since i dont know how to do that, this will do for now... again thank you for helping =)

[Zhadus]

Otherwise this is what I have after my isset()

$file = $page . ".php";
if (!file_exists($file)) {
$page = "main";
}

 

For mine I don't tell them that there is an error finding the page (I don't have enough pages to worry about dead links), I just redirect to my home page.