I'm currently re-developing my personal site. Instead of using WordPress, Joomla, or even a custom CMS, I'm using a really basic include() system. I'm using this code:

<?php

$pages = array('home','scripts','media','archives','contact','about');
$page = (in_array($_GET['page'],$pages) && !empty($_GET['page'])) ? trim(stripslashes(strip_tags($_GET['page']))) : 'naughty';
if($page != 'naughty') {
    require('./pagecontent/'.$page.'.php');
}

?>

After the correct page is required I then run grabmenu() and grabcontent() which are functions inside the included page file that output the menu and the content, respectively, for that page.

 

What I'm concerned about is the require function that includes the page file. I've heard to never use such a technique because hackers could potentially include files from their server. As it is, I don't see a hole that would cause that to happen. However, I'm wondering if someone more knowledgeable than me spots a problem. :)

 

EDIT: I should also mention I'm using this inside the included files:

if(!defined('SITE')) {
    die('You cannot access this content directly.');
}


There's no need for all that. If you've confirmed that it's already a valid value (in array), there's no need to strip anything from it.

 

$pages = array('home','scripts','media','archives','contact','about');
$page = in_array($_GET['page'],$pages) ? $_GET['page'] : false;
if($page) {
    require('./pagecontent/'.$page.'.php');
}

To avoid a notice (undefined index) check to see if they even have the page in the url.

$pages = array('home','scripts','media','archives','contact','about');
$page = (isset($_GET['page']) && in_array($_GET['page'],$pages)) ? $_GET['page'] : 'home';
if($page) {
    require('./pagecontent/'.$page.'.php');
}

 

Also, I put in 'home' as the default if it isn't in the array or not selected, but you could always change that to another page.

To avoid a notice (undefined index) check to see if they even have the page in the url.

$pages = array('home','scripts','media','archives','contact','about');
$page = (isset($_GET['page']) && in_array($_GET['page'],$pages)) ? $_GET['page'] : 'home';
if($page) {
    require('./pagecontent/'.$page.'.php');
}

 

Also, I put in 'home' as the default if it isn't in the array or not selected, but you could always change that to another page.

 

Using this the if() check isn't even necessary, correct?
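
Editor's added example, not code from any poster in this thread: the allow-list include discussed above, written as one function and run over constructed inputs so the accepted and rejected cases are visible. The names resolve_page(), PAGES and PAGE_DIR are hypothetical, and the sample values are constructed stand-ins for $_GET['page'].

```php
<?php
// Added example; resolve_page(), PAGES and PAGE_DIR are hypothetical names.

const PAGE_DIR = __DIR__ . '/pagecontent/';
const PAGES    = ['home', 'scripts', 'media', 'archives', 'contact', 'about'];

/**
 * Map untrusted input to an allow-listed page name, or to $default.
 * The return value is always a member of $allowed or $default, so the
 * caller never concatenates request data it has not matched exactly.
 */
function resolve_page($requested, array $allowed = PAGES, string $default = 'home'): string
{
    // ?page[]=x arrives as an array and a missing parameter as null;
    // only a string can name a page.
    if (!is_string($requested)) {
        return $default;
    }
    // Third argument true = strict comparison, no loose type juggling.
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Constructed sample inputs standing in for $_GET['page'].
$samples = [
    'about',                    // allow-listed
    null,                       // parameter missing
    ['about'],                  // ?page[]=about
    '../../etc/passwd',         // path traversal attempt
    'http://example.com/x',     // remote include attempt
    "about\0",                  // trailing NUL byte
    'About',                    // case mismatch
];

foreach ($samples as $input) {
    $page = resolve_page($input);
    $path = PAGE_DIR . $page . '.php';
    printf("%-26s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), $path);
    // In the front controller this would be:
    //   define('SITE', true);
    //   require PAGE_DIR . resolve_page($_GET['page'] ?? null) . '.php';
}
```

Only the first sample resolves to about.php; every other input falls back to home.php, because the path is built from the allow-list entry and never from the request string itself.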
