samtwilliams Posted October 20, 2010

Hi All,

I have written the following to validate my dynamic includes. One question: I will be using sessions to control user access to certain pages. Obviously the session_start() has to go into my index.php file. Can anyone see any problems with this, or with my dynamic include validation code? My page variable is populated using the mod_rewrite function in Apache.

```php
<?php
include('inc/settings.inc.php');

if (isset($_GET['page'])) {
    // remove slashes
    $page = stripslashes($_GET['page']);
    // rebuild the extension and file name
    $filename = 'lib/' . $page . '.php';

    // Check to see if the file exists in lib
    if (file_exists($filename)) {
        // Dynamic switch: each entry is array(page key, page title)
        $allowed = array(
            array("test", "New Customers"),
            array("home", "Home Page"),
        );
        $iffed = false;
        $get_section = $_GET['page'];

        // Create a dynamic switch to check for files being in my allowed array
        foreach ($allowed as $rd) {
            if ($get_section == $rd[0]) {
                $iffed = $rd;
                $content = $filename;
                // the second element of the pair is the page title
                $page_title = $rd[1];
            }
        }
        if ($iffed === false) {
            // File is not in my include list.
            die("Page does not pass the validated inclusion list.");
        }
    } else {
        // Page does not exist in my lib folder.
        die('Page does not exist, please contact the administrator.');
    }
} else {
    // If no page is requested then default home.
    $filename = 'lib/home.php';
    $content = $filename; // same meaning as in the branch above: the file to include
    $page_title = 'Home';
}
?>
```

Thanks in advance.

Sam

Link to comment: https://forums.phpfreaks.com/topic/216381-dynamic-include-files-and-securityperformance/
micah1701 Posted October 20, 2010

I might not be completely understanding what you're doing with the foreach loops inside a foreach loop, but I would think you could accomplish the same security check by using the in_array() function instead. Something like:

```php
<?php
$page = "my-page";
$allowed = array("my-page", "some-other-page", "etc...");
if (!in_array($page, $allowed)) {
    exit("You do not have permission to view this page!");
}
?>
```

Link to comment: https://forums.phpfreaks.com/topic/216381-dynamic-include-files-and-securityperformance/#findComment-1124490
phpfreak Posted October 20, 2010

I would personally try not to use $_GET and file names to include files. You can open yourself up to a whole mess of security issues, and this has been the main way that people can get inside information about your machine, provided that you aren't using PHP's security features like open_basedir() or PHP Safe Mode. The best thing to do would be to write a map of files to an ID or something and pass that ID into the $_GET and match it to a hard set of values in your database or an array of some sort. Don't get me wrong, your method will work, but may cause security issues.

Link to comment: https://forums.phpfreaks.com/topic/216381-dynamic-include-files-and-securityperformance/#findComment-1124493
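The following is an added example, not code from any poster in this thread. It combines the allowlist check from the first post with the key-to-file map suggested in the reply above, and it fixes the ordering problem in the original code: there, file_exists() runs on a path built from the request before the allowlist is consulted, and the two failure branches return different messages, so a request can learn whether arbitrary files exist on the server. Here the allowlist is checked first, nothing taken from the request is ever used as a path, every failure returns the same generic response, and a realpath() confinement check guards against a mistaken map entry. It also shows where the session-based access control the original poster asked about can live: as a per-page flag in the same map. The lib/ directory next to index.php, the files home.php and test.php, and the $_SESSION['user_id'] key are assumptions for the example.

```php
<?php
// Added example (not the thread's own code). Page keys, file names and the
// session key 'user_id' are constructed for illustration.
declare(strict_types=1);

// Allowlist: request key => [file under lib/, page title, login required?].
// Only values from this map ever become file system paths.
const PAGE_MAP = [
    'home' => ['home.php', 'Home Page',     false],
    'test' => ['test.php', 'New Customers', true],
];

/**
 * Resolve a request key to an includable page.
 * Returns [absolute path, title, login required] or null if not allowed.
 */
function resolve_page(?string $key, string $libDir): ?array
{
    // Default page when nothing (or an empty value) was requested.
    if ($key === null || $key === '') {
        $key = 'home';
    }

    // Allowlist first: an unknown key never touches the file system, so the
    // request cannot be used to probe which files exist.
    if (!array_key_exists($key, PAGE_MAP)) {
        return null;
    }
    [$file, $title, $needsLogin] = PAGE_MAP[$key];

    // Defence in depth: the resolved path must sit inside lib/ even if a map
    // entry is wrong. realpath() returns false for a missing file.
    $base = realpath($libDir);
    $path = realpath($libDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return [$path, $title, $needsLogin];
}

// --- index.php usage ---------------------------------------------------
session_start(); // before any output, as the original poster noted

// $_GET['page'] may be an array (page[]=x); treat anything but a string as absent.
$requested = $_GET['page'] ?? null;
$resolved  = resolve_page(is_string($requested) ? $requested : null, __DIR__ . '/lib');

if ($resolved === null) {
    http_response_code(404);
    exit('Page not found.'); // one message for every failure: no existence oracle
}
[$content, $page_title, $needsLogin] = $resolved;

// Session-based access control driven by the map, not by the request.
if ($needsLogin && empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please sign in to view this page.');
}

include $content;
```

The point of the map is that the request only selects an entry; it never contributes characters to the path, so stripslashes(), extension rebuilding and traversal filtering become unnecessary. Adding a page means adding one line to PAGE_MAP, and the login flag keeps the access rule next to the page it protects rather than scattered through the included files.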