samtwilliams Posted October 20, 2010

Hi All,

I have written the following to validate my dynamic includes. One question is I will be using sessions to control user access to certain pages; obviously the session_start() has to go into my index.php file. Can anyone see any problems with this or my dynamic include validation code? My page variable is populated using the mod_rewrite function in Apache.

```php
<?php
include('inc/settings.inc.php');

if (isset($_GET['page'])) {
    // remove slashes
    $page = stripslashes($_GET['page']);
    // rebuild the extension and file name
    $filename = 'lib/' . $page . '.php';

    // Check to see if the file exists in lib
    if (file_exists($filename)) {
        // Dynamic switch: each entry is array(page key, page title)
        $allowed = array(
            array("test", "New Customers"),
            array("home", "Home Page"),
        );
        $iffed = false;
        $get_section = $_GET['page'];

        // Create a dynamic switch to check for files being in my allowed array
        foreach ($allowed as $rd) {
            if ($get_section == $rd[0]) {
                $iffed = $rd;
                $content = $filename;
                $page_title = $rd[1]; // the title is the second element of the pair
            }
        }

        if ($iffed === false) {
            // File is not in my include list.
            die("Page does not pass the validated inclusion list.");
        }
    } else {
        // Page does not exist in my lib folder.
        die('Page does not exist, please contact the administrator.');
    }
} else {
    // If no page is requested then default home.
    $filename = 'lib/home.php';
    $content = $filename; // same variable the validated branch sets, so later code can include it
    $page_title = 'Home';
}
?>
```

Thanks in advance.

Sam
micah1701 Posted October 20, 2010

I might not be completely understanding what you're doing with the foreach loops inside a foreach loop, but I would think you could accomplish the same security check by using the in_array() function instead. Something like:

```php
<?php
$page = "my-page";

// list of page names that may be requested
$allowed = array("my-page", "some-other-page", "etc...");

// anything not in the list is refused before it gets near an include
if (!in_array($page, $allowed)) {
    exit("You do not have permission to view this page!");
}
?>
```
phpfreak Posted October 20, 2010

I would personally try not to use $_GET and file names to include files. You can open yourself up to a whole mess of security issues, and this has been the main way that people can get inside information about your machine, provided that you aren't using PHP's security features like open_basedir() or PHP Safe Mode. The best thing to do would be to write a map of files to an ID or something and pass that ID into the $_GET and match it to a hard set of values in your database or an array of some sort. Don't get me wrong, your method will work, but may cause security issues.
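The two suggestions above (an in_array() allowlist, and a map from a request key to a hard-coded file so the file name never comes from $_GET) combined into one index.php, together with the session_start() placement and a per-page login check the original question asked about. This is an added example, not code from any poster in this thread; the lib/ directory, the page keys, and $_SESSION['user_id'] are assumed names.

```php
<?php
// index.php: added example (not the original poster's code). The request only
// supplies a key; the include path is looked up in a hard-coded map.
// Assumptions: page files live in lib/ next to this file, and a successful
// login stores the user's id in $_SESSION['user_id'] (hypothetical name).

session_start(); // must run before any output, so it is the first thing in index.php

// Hard-coded page map. Only the key is client-controlled; file names are not.
$pages = [
    'home'    => ['file' => 'home.php',    'title' => 'Home Page',     'login' => false],
    'test'    => ['file' => 'test.php',    'title' => 'New Customers', 'login' => false],
    'account' => ['file' => 'account.php', 'title' => 'My Account',    'login' => true],
];

function resolvePage(array $pages, $requested)
{
    // ?page[]=x arrives as an array; anything but a plain string is rejected.
    // array_key_exists is an exact key match, so "../" or "home.php" never resolve.
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        return null;
    }
    return $pages[$requested];
}

function pageIsAllowed(array $page)
{
    // Pages flagged login-only require a session value set at login time.
    return !$page['login'] || !empty($_SESSION['user_id']);
}

$key  = isset($_GET['page']) ? $_GET['page'] : 'home';
$page = resolvePage($pages, $key);

if ($page === null) {
    http_response_code(404);
    exit('Page not found.');
}
if (!pageIsAllowed($page)) {
    http_response_code(403);
    exit('Please log in to view this page.');
}

// Belt and braces: even with a hard-coded map, confirm the resolved path is
// really inside lib/ before including it, so a misconfigured entry cannot
// pull in a file from elsewhere.
$libDir   = realpath(__DIR__ . '/lib');
$fullPath = realpath($libDir . '/' . $page['file']);
if ($libDir === false || $fullPath === false
    || strpos($fullPath, $libDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(500);
    exit('Page is misconfigured, please contact the administrator.');
}

$page_title = $page['title'];
include $fullPath;
```

Two points worth keeping in mind if you stay with a plain in_array() list instead of a keyed map: pass `true` as the third argument so the comparison is strict (PHP's loose `==` treats numeric-looking strings such as "1e1" and "10" as equal), and do the allowlist check before any file_exists() call, so the request never touches the filesystem with an unvalidated value at all.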