need help making my code secure (only 9 lines)

[runnerjp]

hey guys

 

i use this

 

<?php 
if (isset($_GET['section'])) {
  $section = $_GET['section'];
} else {
  $section = 'main';
}
$file = "include/".$section.".php";
if (file_exists($file)) {
    require($file);
} 
?> 

 

but i dnt seem to think its secure lol

[crashmaster]

                <?
                    $page = $_GET['page'];
                    if (ereg('[A-Za-z0-9]',$page) ) {
                        if (file_exists('pages/'.$page.'.php')) {
                            include('pages/'.$page.'.php');
                        } else {
                            include('pages/main.php');
                        }
                    } else {
                            include('pages/main.php');
                    }
                ?>

[runnerjp]

hey how does it work... do i just make a file pages and add it to there then make my ural like ????

[crashmaster]

no.. For example:

You have folder "pages". In this folder you have several PHP files:

pages/main.php

pages/news.php

pages/compare.php

 

To call this files you have to call it thru URL : index.php?page=main or index.php?page=news or index.php?page=compare

 

All files should have *.php extension.

The name of file should consists only from A-Z a-z 0-9

[runnerjp]

will this be secure enough??

[GingerRobot]

Yes - as long as you are happy that all files in the given directory are accessible.

[runnerjp]

oh yes very much so...could i ask why my old 1 was not?? so i can learn from my mistake hehe

[GingerRobot]

By allowing any characters, you would allow people to include files from anywhere. Consider the following input:

 

../somefile

 

This would allow the user to include somefile.php in the directory below include.