intodesi, posted April 19, 2008

Just wondering if the following code is safe to use. I have read a lot about these types of PHP scripts (for lack of a better word) and that they can allow malicious users to pass unwanted code through this. It's for a simple navigation menu and it all works out as far as I can see, so I just wanted to verify its safety. Thanks, Intodesi

```php
<?php
// Allow-list of page names that may be included.
$pass = array('web', 'services', 'print', 'pricing', 'other', 'main', 'host', 'grx',
              'contact', 'referrals', 'links', 'clientlogin', 'pricewatch');

// isset() avoids an undefined-index notice when the parameter is absent;
// the third argument makes in_array() an exact (strict) string comparison.
if (isset($_GET['p']) && in_array($_GET['p'], $pass, true)) {
    include ($_SERVER['DOCUMENT_ROOT'] . '/pages/' . $_GET['p'] . '.php');
} elseif (isset($_GET['c']) && in_array($_GET['c'], $pass, true)) {
    include ($_SERVER['DOCUMENT_ROOT'] . '/clients/' . $_GET['c'] . '.php');
} else {
    include ($_SERVER['DOCUMENT_ROOT'] . '/pages' . '/main.php');
}
?>
```

Thread: https://forums.phpfreaks.com/topic/101917-solved-is-this-php-code-secure-to-use-in-a-live-enviroment/
jonsjava, posted April 19, 2008

Looks secure to me, because you are comparing the GET var to your array. You aren't just letting anything through.
discomatt, posted April 19, 2008

That's exactly how I would do it. I can't see any way to exploit that.
intodesi (author), posted April 19, 2008

Thank you. The one I was using before, I guess, was the unsafe way. Thanks again for letting me know. Intodesi

```php
// Previous version (left commented out, as posted):
//$p = $_GET['p'];
//$c = $_GET['p'];
//if ( !empty($p) && file_exists('./pages/' . $p . '.php') && stristr( $p, '.' ) == False )
//{
//    $file = './pages/' . $p . '.php';
//}
//elseif ( !empty($c) && file_exists('./clients/' . $c . '.php') && stristr( $c, '.' ) == False )
//{
//    $file = './clients/' . $c . '.php';
//}
//else
//{
//    $file = './pages/main.php';
//}
//include $file;
```
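The allow-list include pattern the thread settles on, written out as an added example (not the original poster's or the repliers' code). It keeps the same idea, an exact match against a fixed list decides what gets included, but also handles two request edge cases the posted snippet does not: a missing parameter (which would otherwise raise an undefined-index notice) and a parameter sent as an array (`?p[]=x`). It also maps each key to a file path taken from the map itself, so the raw request value never becomes part of the path. The keys, file names and `resolvePage()` helper are assumptions for illustration, not part of the original thread.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code.
// Map each permitted key to the file it resolves to, relative to a base
// directory. Keys and file names here are assumed for illustration.
const PAGE_MAP = [
    'web'         => 'pages/web.php',
    'services'    => 'pages/services.php',
    'contact'     => 'pages/contact.php',
    'main'        => 'pages/main.php',
    'clientlogin' => 'clients/clientlogin.php',
];
const DEFAULT_PAGE = 'pages/main.php';

/**
 * Resolve the requested page key to a path inside $baseDir.
 * Anything that is not an exact, known key falls back to the default page.
 *
 * @param array  $query   the request parameters (normally $_GET)
 * @param string $baseDir directory the page files live under
 */
function resolvePage(array $query, string $baseDir): string
{
    foreach (['p', 'c'] as $param) {
        // A $_GET entry can be absent, or an array when the client sends
        // ?p[]=x, so check presence and type before comparing it to anything.
        if (!isset($query[$param]) || !is_string($query[$param])) {
            continue;
        }
        $key = $query[$param];
        // array_key_exists() is an exact match on the map's keys: no loose
        // comparison, no prefix or substring matching.
        if (array_key_exists($key, PAGE_MAP)) {
            // The path comes from the map entry, never from the request value.
            return $baseDir . '/' . PAGE_MAP[$key];
        }
    }
    return $baseDir . '/' . DEFAULT_PAGE;
}

// Usage: pick the file for this request and include it.
$file = resolvePage($_GET, $_SERVER['DOCUMENT_ROOT']);
include $file;
```

With this shape, a request such as `?p=../../something` or `?p[]=web` simply resolves to the default page, because neither is a string key present in `PAGE_MAP`; the only strings that reach `include` are the literal file paths written in the map.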
This topic is now archived and is closed to further replies.