Jump to content

Archived

This topic is now archived and is closed to further replies.

Love2c0de

Is it dangerous to....?

By Love2c0de, in Application Design

Recommended Posts

Love2c0de    12

Love2c0de
Posted

Good evening all,

 

I wanted to know just one thing really and the reasons why if the answer is yes.

 

Is it dangerous to search your website directory for HTML template file names to match them against a $_GET variable in order to display the correct page?

 

Thanks for your time.

 

Kind regards,

 

L2c.

Share this post

Link to post
Share on other sites

Ch0cu3r    255

Ch0cu3r
Posted

No, as long as you're handing the $_GET variable safely. Such as don't do

include $_GET['page'];

Make sure you check that what $_GET is requesting is a file that exists in the location you expect it be in. Only except filenames not file paths.

Share this post

Link to post
Share on other sites

Love2c0de    12

Love2c0de
Posted

Good evening,

 

Thanks for the reply.

 

Well, what I do is scan the directory where the HTML template pages are stored and check the $_GET variables value against values within the directory array using in_array().

 

Kind regards,

 

L2c.

Share this post

Link to post
Share on other sites

Ch0cu3r    255

Ch0cu3r
Posted

An alternative is to use file_exists

// absolute path to templates
$template_dir  = $_SERVER['DOCUMENT_ROOT'] . '/templates/';

if(isset($_GET['page']))
{
    // only get the filename
    $filename = pathinfo($_GET['page'], PATHINFO_FILENAME);

    $filepath = $template_dir . $filename . '.html'

    if(file_exists($filepath))
    {
         // ok
    	include $filepath;
    }
}

Share this post

Link to post
Share on other sites

Love2c0de    12

Love2c0de
Posted

Good afternoon Ch0cu3r,

 

Thank you very much for your feedback. I've not had chance to test the code out but was looking for an alternative similar to what I had and I think this is it.

 

In your opinion, what would be the most secure way to achieve what I want and what are the potential security issues with both?

 

Kind regards,

 

L2c.

Share this post

Link to post
Share on other sites

adoado    0

adoado
Posted

There are several key points here:

  • Make sure you logically enforce what pages are allowed to be called. Note that you may have product requirements in your head (cannot access page X without requirement Y) but this must be enforced inside this layer.
  • You are exposing page names externally. This may not be an issue - depends on your situation (people can very easily guess that an admin page might exist at ?page=admin)

Share this post

Link to post
Share on other sites
Go To Topic Listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept