imagine1 Posted December 24, 2010

Hi! I would appreciate your help... How can I include files with GET and POST data in order to avoid SQL injections? The included data has UTF-8 encoding... Any suggestions??? Thanks in advance!!!

johnny86 Posted December 24, 2010

I don't really know what you mean. But including a file isn't that complicated. Example:

```php
<?php
// Check if file is set and filter it with preg_match, both have to be true to assign a value from $_GET
// The pattern is anchored (^...$ with D) so the whole value must consist of allowed characters
$file = (isset($_GET['file']) && preg_match('#^[a-z0-9_-]+$#iuD', $_GET['file'])) ? $_GET['file'] : "your_default_include";
if (file_exists($file . '.php')) {
    include($file . '.php');
}
?>
```

You could also have an array where all allowed files are defined:

```php
<?php
$files = array(
    "file1" => "some/path/to/file1.php",
    "file2" => "more/files/file2.php",
    "default_file" => "default_file.php"
);
$file = isset($_GET['file']) ? $_GET['file'] : "default_file";
// Fall back to the default when the requested key is not in the list
if (!is_string($file) || !isset($files[$file])) {
    $file = "default_file";
}
include($files[$file]);
?>
```

requinix Posted December 24, 2010

```php
// Check if file is set and filter it with preg_match, both have to be true to assign a value from $_GET
$file = (isset($_GET['file']) && preg_match('#^[a-z0-9_-]+$#iuD', $_GET['file'])) ? $_GET['file'] : "your_default_include";
if (file_exists($file . '.php')) {
    include($file . '.php');
}
?>
```

Be careful.

index.php?file=index

imagine1 Posted December 24, 2010

Thanks a lot for your replies! I have in mind file_get_contents... But when I want to get the content of a file with encoding utf8 or the file has to send data through a form I have a problem... What I want to do is, for example:

include ("db.php");

The file db.php contains the connections with database and appear error message encoding in utf8 ....

or

include('form.php');

which contains variables like $_POST['name']; and messages encoding in utf8...

imagine1 Posted December 24, 2010

I hope you can understand what I want to do... In the case of including db.php I can't use the above code... So any help??? Thanks a lot in advance!!!

johnny86 Posted December 24, 2010

Actually now I don't know what you are trying to do at all. =)

You asked for help with including files. The keystone there is that you should always have very strict rules to include files when using $_GET.

But what are you actually trying to do?

If you have all your files saved as UTF-8, you have your charset headers and meta tags OK. You have set PHP's internal encoding to UTF-8 and you have set your MySQL database to UTF-8. And you check the request header for charset. And you could even try to validate whether the given data is in UTF-8 form, and otherwise you could just discard the data and show an error message. There is a function to check if data is valid UTF-8 somewhere in the PHP.net user comments. Don't remember where, though.

If all that is OK, you will have absolutely no worries regarding charsets.

What's the problem now?

imagine1 Posted December 24, 2010

Can you give an example of what you mean by "The keystone there is that you should always have very strict rules to include files when using $_GET"...

I have done all you said about MySQL and UTF-8... I have read in a PHP tutorial that when you include files by include(../file.php) it is vulnerable to attacks.... So it is suggested to use file_get_contents(../file.php). The problem is that file_get_contents() doesn't work fine when the contents of a page are encoded in UTF-8 or should send data through a form... Any help????
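
The "very strict rules" for a `$_GET`-driven include that the thread discusses, written out as an added example that is not part of any post: an allow-list lookup, a containment check on the resolved path, and a guard for the `index.php?file=index` case. The function name `resolve_include()`, the page keys and the `pages/` directory are hypothetical.

```php
<?php
// Added example, not code from the thread. resolve_include(), the page keys
// and the pages/ directory are hypothetical; $default must be a key of $allowed.
function resolve_include($requested, array $allowed, $baseDir, $default)
{
    // Reject arrays (?file[]=x) and any value with characters outside the
    // expected set. The pattern is anchored, so the whole value must match.
    if (!is_string($requested) || !preg_match('#^[a-z0-9_-]+$#iD', $requested)) {
        $requested = $default;
    }
    // Only keys defined in the allow-list are ever turned into a path.
    if (!array_key_exists($requested, $allowed)) {
        $requested = $default;
    }
    // realpath() resolves ../ and symlinks and returns false for missing files.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowed[$requested]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    // Refuse a file that is already loaded, which covers the script including
    // itself (the index.php?file=index case).
    if (in_array($path, get_included_files(), true)) {
        return false;
    }
    return $path;
}

$allowed = array(
    'home'    => 'home.php',
    'contact' => 'forms/contact.php',
);
$target = resolve_include(
    isset($_GET['file']) ? $_GET['file'] : 'home',
    $allowed,
    __DIR__ . '/pages',
    'home'
);
if ($target === false) {
    header('HTTP/1.1 404 Not Found');
    exit('Page not found');
}
include $target;
```

A fixed include such as `include 'db.php';` takes its path from the source code rather than from the request, so it does not pass through this function.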