include files

[imagine1]

Hi! I would appreciate your help...

 

How can i include files with get and post data in order to avoid sql injections? The including data has utf8 encoding...

 

Any suggestions???

 

Thanks in advanced!!!

[johnny86]

I don't really know what you mean. But including file isn't that complicated.

 

Example:

<?php
// Check if file is set and filter it with preg_match, both have to be true to assign a value from $_GET
$file = isset($_GET['file'] && preg_match('#[a-z0-9_-]#iu', $_GET['file'])) ? $_GET['file'] : "your_default_include";
if(file_exists($file . '.php'))
{
    include($file . '.php');
}
?>

You could also have an array where all allowed files are defined:
<?php
$files = array(
             "file1" => "some/path/to/file1.php",
             "file2" => "more/files/file2.php",
             "default_file" => "default_file.php"
         );
$file = isset($_GET['file']) ? $_GET['file'] : "default_file";
include($files[$file]);
?>

[requinix]

// Check if file is set and filter it with preg_match, both have to be true to assign a value from $_GET
$file = isset($_GET['file'] && preg_match('#[a-z0-9_-]#iu', $_GET['file'])) ? $_GET['file'] : "your_default_include";
if(file_exists($file . '.php'))
{
    include($file . '.php');
}
?>

Be careful.

index.php?file=index

[imagine1]

Thanks a lot for your replies!

 

I have in mind file_get_contents... But when i want to get the content of a file with encoding utf8 or the file has to send data through a form i have problem ...

 

What i want to do is for example...

 

include ("db.php");

 

The file db.php contains the connections with database and appear error message encoding in utf8 ....

 

or include('form.php'); which contains variables like $_POST['name']; and messages encoding in utf8...

[imagine1]

I hope you can understand what i want to do...

 

In the case of including db.php i can't use the above code...

 

So any help???

 

Thanks a lot in advanced!!!

[johnny86]

Actually now I don't know what you are trying to do at all. =)

 

You asked for help for including files. The keystone there is that you should always have a very strict rules to include files when using $_GET.

 

But what are you actually trying to do? If you have all your files saved as UTF-8, you have your charset headers and meta-tags ok. You have set your PHPs internal encoding to UTF-8 and you have set your MySQL database to UTF-8. And you check request header for charset. And even could try to validate if given data is in utf-8 form and otherwise you could just discard the data and show an error message. There is a function to check if data is valid UTF-8 somewhere in PHP.net user comments. don't remember where tough.

 

If all that is OK. You will have absolutely no worries regarding charsets. What's the problem now?

[imagine1]

Can you give an example what you mean by "The keystone there is that you should always have a very strict rules to include files when using $_GET"...

 

I have done all you said about mysql and utf8...

 

I have read to a php tutorial that when you include files by include(../file.php) is valnurable to attacks....So it is suggested to use file_get_contents(../file.php). The problem is that file_get_contents() doesn't work fine when the contents of a page are encoded in utf8 or should send data through a form...

 

Any help????