[SOLVED] Is this php code secure to use in a live enviroment?

[intodesi]

Just wondering if the following code was safe to use, I have read alot of these types of php scripts (for lack of a better word) and they they can allow malicious users to pass unwanted code through this.

 

Its for a simple navigation menu and it all works out as far as I can see, so just wanted to verify its safety.

 

Thanks

 

Intodesi

 

<?
$pass = array('web','services','print','pricing','other','main','host','grx','contact','referrals','links','clientlogin','pricewatch');

           

        if (in_array($_GET['p'], $pass)) {

            include ($_SERVER['DOCUMENT_ROOT'] . '/pages/' . $_GET['p'] . '.php'); 

        } 

     

        elseif (in_array($_GET['c'], $pass)) {

            include ($_SERVER['DOCUMENT_ROOT'] .'/clients/'. $_GET['c'] .'.php'); 

        }


        else {

                    include ($_SERVER['DOCUMENT_ROOT'] .'/pages'. '/main.php');

        }

?>

[jonsjava]

looks secure to me, because you are comparing the GET var to your array. You aren't just letting anything through.

[discomatt]

That's exactly how I would do it. I can't see any way to exploit that

[intodesi]

Thank you.. the one I was using before i guess was the unsafe way. Thanks again for letting me know.

 

Intodesi

 

//$p = $_GET['p'];
//	$c = $_GET['p'];

	//if ( !empty($p) && file_exists('./pages/' . $p . '.php') && stristr( $p, '.' ) == False ) 
//{
   		//$file = './pages/' . $p . '.php';
//}

//elseif ( !empty($c) && file_exists('./clients/' . $c . '.php') && stristr( $c, '.' ) == False )


//(
	//$file = './clients/' . $c . '.php';

//	)

//	else
//{
   //		$file = './pages/main.php';
//}



//	include $file;