Jump to content

"Router" - Any issues? Comments?

benanamen

By benanamen
in PHP Coding Help

 Share

Recommended Posts

benanamen Prolific Member

benanamen

Posted
Posted

I would like feedback on this basic single site entry procedural code. Any issues, improvements or comments? (included in index.php)

<?php
/*
 * This file: display_pages.php
 * Acts as a Router to display pages
 * Restricts access to certain files
 *
 */

//------------------------------------------------------------------------
// Restrict access to these files
//------------------------------------------------------------------------

// Specify some disallowed paths
$restricted_files = array(
    'header',
    'footer',
    'navbar',
    'menu',
);

//----------------------------------------------------------------------------------------
// Display Pages
//----------------------------------------------------------------------------------------

if (isset($_GET['p']))
    {

    $page = basename($_GET['p']);

    // If it's not a disallowed path, and if the file exists
    if (!in_array($page, $restricted_files) && file_exists("./includes/$page.php"))
        {
        $include = "./includes/$page.php";
        }
    else
        {
        $include = './includes/404.php';
        }
    }
else
    {
    $include = './includes/default.php';
    }
?>
Link to comment
Share on other sites
requinix Prolific Member

requinix

Posted
Posted

Whitelists are better than blacklists: you should specifically list which files are allowed rather than which files are not allowed. You could do that automatically by using scandir() to build an $allowed_files and excluding ".", "..", and the four you don't want (though really putting them in another directory would be better).

Alternatively, you could use ctype_alpha or _alnum on $page to validate that it is only letters/letters and digits.

 

Yes, I know you're basename-ing the page name. That's nice, but this is a matter of principle.

 

Oh. And for SEO you shouldn't use basename as that creates the opportunity for accessing a page through multiple URLs, which is not good. Just do the whitelist/ctype thing.

Link to comment
Share on other sites
benanamen Prolific Member

benanamen

Posted
  • Author
Posted (edited)

Thanks for your feedback.

 

Oh. And for SEO you shouldn't use basename as that creates the opportunity for accessing a page through multiple URLs, which is not good.

 

This is only used in DB backend applications requiring logging in so SEO is of no concern.

Edited by benanamen
Link to comment
Share on other sites
Jacques1 Prolific Member

Jacques1

Posted
Posted (edited)

Definitely use a static(!) whitelist. PHP has a long history of fudging up even basic functions, so I wouldn't trust hacks like the basename() approach. For example, some file operations used to be vulnerable to null byte injections where the user could hide part of the path behind a \0.

 

Trying to fix user input (which is what your basename() ultimately does) is generally a bad idea, because it's error-prone and can cause a lot of confusion. Either accept the input as is, or reject it altogether.

Edited by Jacques1
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.