rossh Posted October 18, 2006 Share Posted October 18, 2006 Hi i have a simple CMS which i hope to implement in my site, however i have an issues with security and i was hoping someone could advise me on.My current method of a simple CMS. I have an index.php file which is my template. in the content i have an include with a $page variable which i get from $_GET['page']. I know there are security issues with using variables in an include and i have a function which can deal with user entering malicous data in the url:-function checkPage($page){ $page = $page; if(eregi("^[a-z0-9\-_\/.]+$", $page, $regs)) //make sure $page is alphanumeric{ $dir = "content/"; //not strictly necessary, can be blank. $ext = ".htm"; //.php, .html, .txt, whatever if(file_exists($dir . $page . $ext)){ include($dir . $page . $ext); //or readfile if not expecting php code } else echo '<H1>Object not found!</H1><h2>Error 404</h2><p>The requested URL was not found on this server.</p>'; //or something similar } else echo '<H1>Object not found!</H1><h2>Error 404</h2><p>The requested URL was not found on this server.</p>'; }}I was wondering if someone could tell me if this is a good enough solution or if my CMS is going to be vulnerable and put the server at risk? Is there a better solution, without using a third party product free or otherwise?Thanks Ross Quote Link to comment Share on other sites More sharing options...
Daniel0 Posted October 18, 2006 Share Posted October 18, 2006 Just do this: [code]<?php$pages = array( // GET var => file 'page1' => 'page1.php', 'page2' => 'page2.php', 'home' => 'home.php', );if(in_array($_GET['page'],$modules) && file_exists("pages/{$_GET['page']}")){ // do stuff}else { echo "No such page";}?>[/code] Quote Link to comment Share on other sites More sharing options...
rossh Posted October 18, 2006 Author Share Posted October 18, 2006 Thanks for getting back to me. Isn't this a bit restrictive. If i have a large number of pages i don't want to put them into an array each time? Is this the only way to really be sure?thanksR Quote Link to comment Share on other sites More sharing options...
Daniel0 Posted October 18, 2006 Share Posted October 18, 2006 You can create the array dynamically.Imagine you have your page files called this: *page*.page.phpThen you could use this code to do it: [code]<?php$dir = "files";$modules = array();$dh = opendir($dir);while($file = readdir($dh)){ $module_name = explode('.',$file); if($module_name[count($module_name)-2] === 'page') { unset($module_name[count($module_name)-1]); unset($module_name[count($module_name)-1]); $modules[] = join('.',$module_name); }}$_GET['page'] = strtolower($_GET['page']);if(in_array($_GET['page'],$modules)){ include "{$dir}/{$_GET['page']}.page.php";}else { echo "The page '{$_GET['page']}' do not exist.";}?>[/code] Quote Link to comment Share on other sites More sharing options...
rossh Posted October 18, 2006 Author Share Posted October 18, 2006 Hi Thanks for this i'll give it a try!Ross Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.