selbekk Posted April 15, 2008

I have a quick question... I haven't done PHP in ages, and now I'm trying to write a code snippet that fetches the correct page and includes it in the main web page. Would this be safe, or could people hack it very easily?

```php
<?php
if (isset($_GET['page'])) { // If page is requested in url, fetch it
    $pages = array("home", "aboutme", "projects", "resume", "contact"); // Lists accepted pages in array
    if (in_array($_GET['page'], $pages)) {
        include_once($_GET['page'] . ".php"); // If page requested is in the array, include page
    } else {
        echo "I am sorry, I could not find the requested page on the server. Please try again.";
    }
}
?>
```

Thanks =)

micah1701 Posted April 15, 2008

That looks pretty good, as long as your site doesn't have any places where a person can post PHP code back to your site and could override your $pages array.

Zhadus Posted April 15, 2008

Instead of matching it against an array, I just check to see if the file exists. Although I'm not sure if it's any safer.

selbekk (Author) Posted April 15, 2008

Thanks! :-) I guess the only real advantage of checking if the file exists is making it easier to add new pages to my site. But since I don't know how to do that, this will do for now... Again, thank you for helping =)

Zhadus Posted April 15, 2008

Otherwise this is what I have after my isset():

```php
$file = $page . ".php";
if (!file_exists($file)) {
    $page = "main";
}
```

For mine I don't tell them that there is an error finding the page (I don't have enough pages to worry about dead links), I just redirect to my home page.
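
Both approaches discussed in the thread (a fixed array versus a file-exists check) in one function, as an added example that is not any poster's code; it assumes the page scripts live in a hypothetical `pages/` directory beside the script, and `PAGE_DIR` and `resolve_page()` are names invented here. `file_exists()` on its own accepts any path PHP can reach, so the file-exists branch restricts the name to a bare token and confirms with `realpath()` that the result stays inside that directory.

```php
<?php
// Added example, not from the thread. PAGE_DIR and resolve_page() are hypothetical names.
define('PAGE_DIR', __DIR__ . '/pages');

/**
 * Return the absolute path of the page script to include, or null when the
 * request must be rejected. Pass $allowed = null to use the "file exists"
 * strategy instead of a fixed list.
 */
function resolve_page($requested, ?array $allowed = null): ?string
{
    // ?page[]=x arrives as an array; only plain strings are acceptable.
    if (!is_string($requested)) {
        return null;
    }
    if ($allowed !== null) {
        // Allowlist strategy: strict comparison, no type juggling.
        if (!in_array($requested, $allowed, true)) {
            return null;
        }
    } elseif (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        // File-exists strategy: the name must be a bare token, so it cannot
        // carry '/', '.', ':' or a NUL byte to the filesystem.
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $requested . '.php');
    // realpath() returns false for missing files and resolves symlinks, so the
    // prefix check confirms the script really lives inside PAGE_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample requests; "included" requires the file to exist in PAGE_DIR.
$samples = array('home', 'HOME', '../home', array('home'), '');
foreach ($samples as $s) {
    $label = is_array($s) ? 'array(...)' : "'" . $s . "'";
    echo str_pad($label, 16), resolve_page($s) === null ? "rejected\n" : "included\n";
}
```

A caller would `include` the returned path when it is not null and fall back to an error message or the home page otherwise.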
This topic is now archived and is closed to further replies.