Jump to content

Recommended Posts

Good evening all,

 

I wanted to know just one thing really and the reasons why if the answer is yes.

 

Is it dangerous to search your website directory for HTML template file names to match them against a $_GET variable in order to display the correct page?

 

Thanks for your time.

 

Kind regards,

 

L2c.

Link to comment
https://forums.phpfreaks.com/topic/282511-is-it-dangerous-to/
Share on other sites

Good evening,

 

Thanks for the reply.

 

Well, what I do is scan the directory where the HTML template pages are stored and check the $_GET variables value against values within the directory array using in_array().

 

Kind regards,

 

L2c.

Link to comment
https://forums.phpfreaks.com/topic/282511-is-it-dangerous-to/#findComment-1451614
Share on other sites

An alternative is to use file_exists

// absolute path to templates
$template_dir  = $_SERVER['DOCUMENT_ROOT'] . '/templates/';

if(isset($_GET['page']))
{
    // only get the filename
    $filename = pathinfo($_GET['page'], PATHINFO_FILENAME);

    $filepath = $template_dir . $filename . '.html'

    if(file_exists($filepath))
    {
         // ok
    	include $filepath;
    }
}
Edited by Ch0cu3r
Link to comment
https://forums.phpfreaks.com/topic/282511-is-it-dangerous-to/#findComment-1451616
Share on other sites

Good afternoon Ch0cu3r,

 

Thank you very much for your feedback. I've not had chance to test the code out but was looking for an alternative similar to what I had and I think this is it.

 

In your opinion, what would be the most secure way to achieve what I want and what are the potential security issues with both?

 

Kind regards,

 

L2c.

Link to comment
https://forums.phpfreaks.com/topic/282511-is-it-dangerous-to/#findComment-1451853
Share on other sites

  • 3 weeks later...

There are several key points here:

  • Make sure you logically enforce what pages are allowed to be called. Note that you may have product requirements in your head (cannot access page X without requirement Y) but this must be enforced inside this layer.
  • You are exposing page names externally. This may not be an issue - depends on your situation (people can very easily guess that an admin page might exist at ?page=admin)
Link to comment
https://forums.phpfreaks.com/topic/282511-is-it-dangerous-to/#findComment-1454387
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.