[SOLVED] Is this PHP code secure to use in a live environment?


intodesi


Just wondering if the following code was safe to use. I have read a lot of these types of PHP scripts (for lack of a better word) and they can allow malicious users to pass unwanted code through this.

It's for a simple navigation menu and it all works out as far as I can see, so just wanted to verify its safety.

Thanks

Intodesi

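<?php
// Allowlist of page names that may be included.
$pass = array('web','services','print','pricing','other','main','host','grx','contact','referrals','links','clientlogin','pricewatch');

// Use null when a parameter is absent so in_array() never reads an undefined index.
$p = isset($_GET['p']) ? $_GET['p'] : null;
$c = isset($_GET['c']) ? $_GET['c'] : null;

// Strict comparison (third argument) so only exact string matches pass.
if (in_array($p, $pass, true)) {
    include ($_SERVER['DOCUMENT_ROOT'] . '/pages/' . $p . '.php');
} elseif (in_array($c, $pass, true)) {
    include ($_SERVER['DOCUMENT_ROOT'] . '/clients/' . $c . '.php');
} else {
    include ($_SERVER['DOCUMENT_ROOT'] . '/pages/main.php');
}
?>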

Thank you. The one I was using before, I guess, was the unsafe way. Thanks again for letting me know.

Intodesi

//$p = $_GET['p'];
//$c = $_GET['c'];

//if ( !empty($p) && file_exists('./pages/' . $p . '.php') && stristr( $p, '.' ) == False )
//{
//	$file = './pages/' . $p . '.php';
//}
//elseif ( !empty($c) && file_exists('./clients/' . $c . '.php') && stristr( $c, '.' ) == False )
//{
//	$file = './clients/' . $c . '.php';
//}
//else
//{
//	$file = './pages/main.php';
//}

//include $file;
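An added example, not part of the original thread: the allowlist approach from the first post written as a function, so that the included path is assembled only from fixed strings and can be checked against constructed requests. The names `ALLOWED` and `resolve_page`, the split of page names between the two directories, and the `/var/www` root are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical per-directory allowlists; the original post shares one list.
const ALLOWED = [
    'p' => ['dir' => 'pages',   'names' => ['web', 'services', 'pricing', 'contact', 'main']],
    'c' => ['dir' => 'clients', 'names' => ['clientlogin', 'pricewatch']],
];

/**
 * Map request parameters to a file path. The returned path is built only
 * from constants in ALLOWED, never from the request string itself.
 */
function resolve_page(array $query, string $root): string
{
    foreach (ALLOWED as $param => $rule) {
        $value = $query[$param] ?? null;
        // ?p[]=x arrives as an array; anything that is not a string is skipped.
        if (!is_string($value)) {
            continue;
        }
        // Strict search returns the index of the matching allowlist entry.
        $idx = array_search($value, $rule['names'], true);
        if ($idx !== false) {
            return $root . '/' . $rule['dir'] . '/' . $rule['names'][$idx] . '.php';
        }
    }
    return $root . '/pages/main.php'; // default page, as in the post
}

// Constructed sample requests standing in for $_GET.
$samples = [
    ['p' => 'pricing'],
    ['c' => 'clientlogin'],
    ['p' => '../../etc/passwd'], // not on the list: falls back to main
    ['p' => ['web']],            // array input: falls back to main
    ['p' => 'clientlogin'],      // valid name, wrong directory: main
    [],
];
foreach ($samples as $q) {
    echo json_encode($q), ' => ', resolve_page($q, '/var/www'), "\n";
}
```

Keeping a separate list per directory means a name that is valid under `/clients/` cannot be requested under `/pages/`, which a single shared list would allow.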

Archived

This topic is now archived and is closed to further replies.
