DDisguise Posted June 25, 2009
Source: https://forums.phpfreaks.com/topic/163626-how-to-make-this-navigation-secure/

globals.php (snippet)

```php
function displayPage() {
    $dir = "content/";
    if(isset($_GET['PID'])) {
        $page = $_GET['PID'];
        if(file_exists($dir.$page.'.php')) {
            include($dir.$page.'.php');
        } else {
            include($dir."home.php");
        }
    } else {
        include($dir."home.php");
    }
}
```

index.php (snippet)

```php
include("ssi/globals.php");
....
<body>
<?php displayPage(); ?>
</body>
....
```

NOW, this works fine and dandy for all the files which exist in content/, and it displays home.php if the file does not exist in /content/. The problem is, I can still put "index.php?PID=../file" and if the file exists then it still includes it, even outside of the /content/ folder... this could be very troublesome - especially if some ass decides to type in PID=../index. Please help. I know I can just use switch($page) but the website is going to be very dynamic - lots of addition of new pages, no time to update globals.php each time a new page is added. So, please help?
dzelenika Posted June 25, 2009

You should filter visitors' input or make a list of allowed pages for inclusion.
gevans Posted June 25, 2009

Hey buddy, two options you could look at are:

1. Have an allowed page list. All the pages that are allowed can be stored in an array, then check that $_GET['pid'] is in the array of allowed pages.
2. Clean the string up a bit. If all the pages are alphanumeric, make sure there are no non-alphanumeric characters in $_GET['pid'].
DDisguise Posted June 25, 2009 (Author)

Well, an $allowed array would have the same problem as using switch - no time to update for each newly created page... I guess if each page was numeric only? (1.php, 2.php etc.) But then how would that work? I don't know the function to perform on $_GET['PID'] to achieve this?
gevans Posted June 25, 2009

I populate an allowed list from a db table that stores my page names. An example of it in use (without db):

```php
<?php
$allowed = array("home", "contact", "help");
$page = $_GET['pid'];
if(in_array($page, $allowed)) {
    // it's allowed
} else {
    // shoot them to the home page
}
```

For my second option above you can use a simple bit of regex to test the characters of the string. If any of them are not alphanumeric (if that is the desired case), send them to the home page.
DDisguise Posted June 25, 2009 (Author)

OK, for now I've managed to get this to work for me:

```php
<?php
....
if(isset($_GET['PID'])) {
    $page = preg_replace("/[^0-9]/", "", $_GET['PID']);
    if(file_exists($page.'.php')) {
        include($page.'.php');
    } else {
        ....
?>
```

So it takes whatever's in PID and removes any non-numerical characters.... so PID=jasdasdm.{{3kjhd displays page 3 and PID=pjasdn/$#% displays the default. I guess this will work, thanks guys. Although, while I'm here, what's regex?
Richard Posted June 25, 2009

Hopefully this will help you, I commented it throughout. This method uses a "whitelist" of allowed pages.

```php
<?php
$path = 'content'; // no trailing slash
$ext = '.php';

// Build an array of our pages, keyed by page number
$page_list = array(1 => 'page1', 2 => 'page2', 3 => 'page3', '404' => '404');

$pid = isset($_GET['PID']) ? (string) $_GET['PID'] : 0;

// Check to see if there is a key assigned to that page number using the array_key_exists() function
if ($page = array_key_exists($pid, $page_list) ? $page_list[$pid] : false) {
    // If in the unlikely event the page is not found on the server, output a 404 message. Else assign our $pid to $page.
    $page = file_exists($path . '/' . $page . $ext) ? $page_list[$pid] : $page_list['404'];
    // Include either of our pre-defined pages. Either 404, page1, page2, page3
    include($path . '/' . $page . $ext);
} else {
    // Stop script execution.
    exit('Do not manipulate the URL.');
}
```
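Pulling the thread's two suggestions together (a whitelist plus a character filter) and addressing the original poster's objection that a hand-maintained list goes stale, here is an added example that is not code from any of the posters: the allowed list is built from the .php files actually present in content/, the PID is restricted to a plain identifier, and the resolved path is checked to still lie inside the content directory. The directory layout (globals.php beside content/) and the `home` default are assumptions.

```php
<?php
// Added example (not from the thread). The whitelist is built from the
// .php files actually present in content/, so adding a page needs no
// config change, and the resolved path is checked against the directory.
function allowedPages(string $dir): array
{
    $pages = [];
    foreach (glob($dir . '/*.php') ?: [] as $file) {
        $pages[] = basename($file, '.php');
    }
    return $pages;
}

// Returns the absolute path of the requested page, or of the default page.
function resolvePage(string $dir, ?string $pid, string $default = 'home'): string
{
    $base = realpath($dir);
    if ($base === false) {
        throw new RuntimeException("content directory not found: $dir");
    }
    $fallback = $base . DIRECTORY_SEPARATOR . $default . '.php';

    // A page name is a plain identifier; '../index' or 'a/b' never passes.
    if ($pid === null || !preg_match('/^[A-Za-z0-9_-]+$/', $pid)) {
        return $fallback;
    }
    // Whitelist check (strict comparison avoids type-juggling surprises).
    if (!in_array($pid, allowedPages($base), true)) {
        return $fallback;
    }
    // Belt and braces: the canonical path must still sit under $base.
    $target = realpath($base . DIRECTORY_SEPARATOR . $pid . '.php');
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $target;
}

function displayPage(): void
{
    // Assumes globals.php lives next to the content/ directory.
    include resolvePage(__DIR__ . '/content', $_GET['PID'] ?? null);
}
```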