
Archived

This topic is now archived and is closed to further replies.

Love2c0de

Is it dangerous to....?


Good evening all,

 

I wanted to know just one thing really and the reasons why if the answer is yes.

 

Is it dangerous to search your website directory for HTML template file names to match them against a $_GET variable in order to display the correct page?

 

Thanks for your time.

 

Kind regards,

 

L2c.


No, as long as you're handling the $_GET variable safely. Such as don't do

include $_GET['page'];

Make sure you check that what $_GET is requesting is a file that exists in the location you expect it to be in. Only accept filenames, not file paths.

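An added example (not code from this thread) that shows what the reply above is warning about: with `include $_GET['page']` the request string is the include path, so traversal sequences and stream wrappers go straight to the file system, whereas a resolver that accepts only a bare filename, builds the path itself and confirms with `realpath()` that the result still lies inside the template directory rejects all of them. The scratch directory, template files and attacker inputs are constructed for the demo; the `realpath()` containment check goes a step beyond what the reply said.

```php
<?php
// Added example, not from the thread. Contrasts include $_GET['page'] with a resolver
// that takes a bare filename only and proves the result stayed inside the template dir.
declare(strict_types=1);

// Constructed: a scratch template directory with two pages.
$templateDir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($templateDir);
file_put_contents($templateDir . '/home.html', "<h1>Home</h1>\n");
file_put_contents($templateDir . '/about.html', "<h1>About</h1>\n");

// The pattern the reply warns against: the request string IS the include argument.
function resolve_unsafe(string $page): string
{
    return $page; // include $_GET['page'] hands this to the file system / stream wrappers as-is
}

// Hardened: filename characters only, path built server-side, result checked with realpath().
function resolve_safe(string $page, string $templateDir): ?string
{
    // No slashes, no dots, no NUL, no "scheme:" prefixes can survive this pattern.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $candidate = $templateDir . '/' . $page . '.html';
    $real = realpath($candidate);   // false when the file does not exist
    $base = realpath($templateDir);
    if ($real === false || $base === false || !is_file($real)) {
        return null;
    }
    // Belt and braces: the resolved file must sit directly under the template directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs an attacker would try against include $_GET['page'].
$inputs = [
    'about',
    '../../../../etc/passwd',
    'php://filter/convert.base64-encode/resource=index.php',
    "about\0.html",
    'about/../../config',
];

foreach ($inputs as $in) {
    $safe = resolve_safe($in, $templateDir);
    printf("%-60s unsafe include -> %s\n%-60s safe resolve   -> %s\n\n",
        json_encode($in), resolve_unsafe($in),
        '', $safe === null ? 'REJECTED' : 'include ' . basename($safe));
}

// Remove the scratch directory again.
array_map('unlink', glob($templateDir . '/*.html'));
rmdir($templateDir);
```

Run it with `php resolve_demo.php`; only `about` survives `resolve_safe()`, every other input is rejected before anything touches `include`. The character allowlist does the real work; the `realpath()` prefix check is there so that a later change to the allowlist (say, permitting dots) cannot silently reintroduce traversal.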

Good evening,

 

Thanks for the reply.

 

Well, what I do is scan the directory where the HTML template pages are stored and check the $_GET variables value against values within the directory array using in_array().

 

Kind regards,

 

L2c.

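The approach described in the post above, written out as an added example (not the poster's own code): the allowed page names are derived from a `scandir()` of the template directory, restricted to regular `.html` files, and the request is matched with `in_array()`. The scratch directory and files are constructed for the demo. It also shows the one thing to watch with `in_array()`: without the third `$strict` argument PHP compares numeric strings by value, so `?page=1e1` matches a template called `10.html`.

```php
<?php
// Added example, not the poster's code: allowlist built from scandir(), matched with in_array().
declare(strict_types=1);

// Constructed scratch directory standing in for the template folder.
$templateDir = sys_get_temp_dir() . '/tpl_scan_' . getmypid();
mkdir($templateDir);
mkdir($templateDir . '/partials');   // a subdirectory: must not become a "page"
foreach (['home', 'about', '10'] as $name) {
    file_put_contents("$templateDir/$name.html", "<h1>$name</h1>\n");
}
file_put_contents("$templateDir/notes.txt", "not a template\n");

// Enumerate allowed page names: regular files ending in .html, extension stripped.
function allowed_pages(string $templateDir): array
{
    $pages = [];
    foreach (scandir($templateDir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $templateDir . '/' . $entry;
        if (is_file($path) && pathinfo($entry, PATHINFO_EXTENSION) === 'html') {
            $pages[] = pathinfo($entry, PATHINFO_FILENAME);
        }
    }
    return $pages;
}

// Returns the template path for a request that is in the allowlist, null otherwise.
function page_path(string $requested, array $allowed, string $templateDir, bool $strict = true): ?string
{
    // With $strict = false PHP compares numeric strings by value: "1e1" == "10" is true.
    return in_array($requested, $allowed, $strict) ? "$templateDir/$requested.html" : null;
}

$allowed = allowed_pages($templateDir);
printf("allowed pages: %s\n", implode(', ', $allowed));

// Constructed requests: a real page, traversal, the subdirectory, the non-template, a numeric string.
foreach (['about', '../index', 'partials', 'notes', '1e1'] as $req) {
    printf("%-12s strict: %-9s loose: %s\n", $req,
        page_path($req, $allowed, $templateDir) === null ? 'rejected' : 'ok',
        page_path($req, $allowed, $templateDir, false) === null ? 'rejected' : 'ok');
}
// "1e1" passes the loose comparison although 1e1.html does not exist, so the include
// would be attempted on a path the allowlist never contained. Always pass true as $strict.

array_map('unlink', glob("$templateDir/*.*"));
rmdir("$templateDir/partials");
rmdir($templateDir);
```

Because the names come from the directory listing and the path is assembled from the matched name rather than from the request, a request can only ever reach a file that was in the listing; the strict comparison closes the numeric-string gap.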

An alternative is to use file_exists

// absolute path to templates
$template_dir = $_SERVER['DOCUMENT_ROOT'] . '/templates/';

if (isset($_GET['page']))
{
    // only get the filename: pathinfo() drops any directory part and extension,
    // so "../../etc/passwd" becomes "passwd"
    $filename = pathinfo($_GET['page'], PATHINFO_FILENAME);

    // the extension is fixed here, the request cannot change it
    $filepath = $template_dir . $filename . '.html';

    if (file_exists($filepath))
    {
        // ok
        include $filepath;
    }
}


Good afternoon Ch0cu3r,

 

Thank you very much for your feedback. I've not had a chance to test the code out, but I was looking for an alternative similar to what I had and I think this is it.

 

In your opinion, what would be the most secure way to achieve what I want and what are the potential security issues with both?

 

Kind regards,

 

L2c.


There are several key points here:

  • Make sure you logically enforce what pages are allowed to be called. Note that you may have product requirements in your head (cannot access page X without requirement Y) but this must be enforced inside this layer.
  • You are exposing page names externally. This may not be an issue - depends on your situation (people can very easily guess that an admin page might exist at ?page=admin)

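One way to act on both points above, as an added example rather than anything from the thread: keep an explicit page map in code instead of deriving the allowed set from the file system, and put the access requirement for each page in that map so the dispatcher enforces it. The map, the session shape and the `current_user_has()` check are constructed for the demo (PHP 8 for `match`). Unknown names get a 404; a known page whose requirement is not met gets a 403, which does confirm the page exists, so return 404 there too if guessing `?page=admin` is something you would rather not reward.

```php
<?php
// Added example, not from the thread: static page map with per-page access rules,
// enforced in the dispatcher rather than left as a product requirement in someone's head.
declare(strict_types=1);

// Constructed page map. Keys are the public ?page= names; the file name and the
// requirement live here, not in the request. Nothing outside this map is reachable.
const PAGES = [
    'home'    => ['file' => 'home.html',    'requires' => null],
    'about'   => ['file' => 'about.html',   'requires' => null],
    'account' => ['file' => 'account.html', 'requires' => 'login'],
    'admin'   => ['file' => 'admin.html',   'requires' => 'admin'],
];

// Constructed stand-in for the session / identity layer.
function current_user_has(string $requirement, array $session): bool
{
    return match ($requirement) {
        'login' => isset($session['user_id']),
        'admin' => isset($session['user_id']) && ($session['role'] ?? '') === 'admin',
        default => false,
    };
}

// Returns [HTTP status, template file or null].
function dispatch(?string $page, array $session): array
{
    $page = $page ?? 'home';
    if (!array_key_exists($page, PAGES)) {
        return [404, null];
    }
    $req = PAGES[$page]['requires'];
    if ($req !== null && !current_user_has($req, $session)) {
        return [403, null];   // return 404 instead if you do not want to confirm the page exists
    }
    return [200, PAGES[$page]['file']];
}

// Constructed requests: [page parameter, session contents].
$cases = [
    ['about',            []],
    ['admin',            []],
    ['admin',            ['user_id' => 7, 'role' => 'editor']],
    ['admin',            ['user_id' => 1, 'role' => 'admin']],
    ['../../etc/passwd', []],
    [null,               []],
];
foreach ($cases as [$p, $s]) {
    [$status, $file] = dispatch($p, $s);
    printf("page=%-20s session=%-36s -> %d %s\n",
        var_export($p, true), json_encode($s), $status, $file ?? '');
}
```

The trade-off against the `scandir()` approach is that adding a template now means adding a map entry as well, but that is exactly the point: a file dropped into the directory by mistake, or an `admin.html` that should need a role, never becomes a public page on its own.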
