Love2c0de, posted September 28, 2013 (https://forums.phpfreaks.com/topic/282511-is-it-dangerous-to/):

Good evening all,

I wanted to know just one thing really, and the reasons why if the answer is yes. Is it dangerous to search your website directory for HTML template file names to match them against a $_GET variable in order to display the correct page?

Thanks for your time.

Kind regards,
L2c.
Ch0cu3r, posted September 28, 2013:

No, as long as you're handling the $_GET variable safely. For example, don't do this:

    include $_GET['page'];

Make sure you check that what $_GET is requesting is a file that exists in the location you expect it to be in. Only accept filenames, not file paths.
Love2c0de (author), posted September 28, 2013:

Good evening,

Thanks for the reply. Well, what I do is scan the directory where the HTML template pages are stored and check the $_GET variable's value against the values within the directory array using in_array().

Kind regards,
L2c.
Ch0cu3r, posted September 28, 2013 (edited):

An alternative is to use file_exists:

    // absolute path to templates
    $template_dir = $_SERVER['DOCUMENT_ROOT'] . '/templates/';

    if (isset($_GET['page'])) {
        // only keep the filename part: directories and extension are stripped
        $filename = pathinfo($_GET['page'], PATHINFO_FILENAME);
        // build the path inside the template directory with a fixed extension
        $filepath = $template_dir . $filename . '.html';

        if (file_exists($filepath)) {
            // ok, the template exists where we expect it
            include $filepath;
        }
    }

Edited September 28, 2013 by Ch0cu3r
Love2c0de (author), posted September 30, 2013:

Good afternoon Ch0cu3r,

Thank you very much for your feedback. I've not had a chance to test the code out, but I was looking for an alternative similar to what I had and I think this is it. In your opinion, what would be the most secure way to achieve what I want, and what are the potential security issues with both?

Kind regards,
L2c.
adoado, posted October 18, 2013:

There are several key points here:

- Make sure you logically enforce what pages are allowed to be called. Note that you may have product requirements in your head (cannot access page X without requirement Y), but this must be enforced inside this layer.
- You are exposing page names externally. This may not be an issue, depending on your situation (people can very easily guess that an admin page might exist at ?page=admin).
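Putting the thread's advice together (accept a filename only, check it against a directory scan, and enforce per-page requirements in this layer), here is an added PHP example that is not code posted by anyone above. It assumes the templates live in a templates/ directory next to the script, that the session has already been started, and that a hypothetical 'admin' page requires a logged-in user.

```php
<?php
// Added example, not code from the thread. Resolves ?page=... to a template via
// a strict name pattern, an allowlist built from a directory scan, per-page access
// rules and a realpath containment check. Paths and the session check are assumptions.
const TEMPLATE_DIR = __DIR__ . '/templates';
// Pages that need more than "the file exists": enforced here, not assumed.
const PAGE_REQUIREMENTS = ['admin' => 'is_logged_in'];

function is_logged_in(): bool {
    return !empty($_SESSION['user_id']);   // hypothetical session layout
}

// Returns the absolute template path, or null if the request must be refused.
function resolve_template(?string $page): ?string {
    // 1. Strict pattern: letters, digits, dash, underscore. This rejects
    //    "../", slashes, dots and NUL bytes before touching the filesystem.
    if ($page === null || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    // 2. Allowlist from a directory scan (the in_array approach from the thread).
    $allowed = [];
    foreach (scandir(TEMPLATE_DIR) ?: [] as $entry) {
        if (preg_match('/\A([A-Za-z0-9_-]+)\.html\z/', $entry, $m)) {
            $allowed[] = $m[1];
        }
    }
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // 3. Per-page requirement, e.g. 'admin' needs an authenticated session.
    $check = PAGE_REQUIREMENTS[$page] ?? null;
    if ($check !== null && !$check()) {
        return null;
    }
    // 4. Containment: the resolved path must still sit inside TEMPLATE_DIR.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $page . '.html');
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$template = resolve_template($_GET['page'] ?? 'home');
if ($template === null) {
    http_response_code(404);
    exit('Page not found');
}
include $template;
```

Returning 404 for a refused page, rather than a distinct "forbidden" response, also limits how much the ?page= parameter reveals about which templates exist.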