PHP INCLUDE CODE-SECURITY ADVICE PLEASE

[flashback]

<?php
if ($_REQUEST['id'] == "") {
  include "news.html";
}
else {
  include $_REQUEST['id'].".html";
}
?>


how do I secure this code so people can't load pages outside from my server

some guy tried to r57.txt me and pulled my info up..

thanks

[Branden Wagner]

they way i do it is by folder

include("includes/". $_REQUEST['file']);

that way worse comes to worse he pulled up a public file...
in the includes directory i only put files that ANYONE can see

[mainewoods]

I don't know if I'm supposed to mention the competion here, but the best page I ever found on php include security is here:

http://www.phpbuilder.com/annotate/message.php3?id=1018208

--read the replies at the bottom of the page

[JaGeK]

[quote author=Branden Wagner link=topic=101505.msg401828#msg401828 date=1153608019]they way i do it is by folder

include("includes/". $_REQUEST['file']);[/quote]

This doesn't make any sense, if you don't use a function like basename(). Otherwise the "hacker" can still put something like file=../../top.secret in the request data and access more or less everything the webserver user is allowed to.

Better take an array with elements containing the allowed files, something like:

[code=php:0]<?php
$includes = array(
              'news' => 'news.html',
              'home' => 'home.html',
              //      ...
            );
                     
if (!empty($_GET['id']) && isset($includes[$_GET['id']])) {
    $include = $_GET['id'];
} else {
    $include = 'news';
}

include $includes[$include];
?>[/code]

[number9dream]

Maybe not the most helpful advice, but [b]never trust user input[/b]!

$_REQUEST is supplied directly by the user, and so it is pure madness to call files based on this input.

I would suggest that you need to rethink your structure from scratch, if security is something you are concerned about.

At a bare minimum,you need to analyse (and sanitise) this data in order that it can only match pages that you intend to be public.