<?php
$page = isset($_GET['id']) ? $_GET['id'] : ''; // avoid an undefined-index notice when no ID is passed
if (!ctype_alnum($page)) // check whether the ID contains only letters and numbers
{
    trigger_error('Error: Invalid Page ID passed as URL parameter. This may have been a hacking attempt!', E_USER_ERROR); // create a custom error message and exit the script (E_USER_ERROR is a custom fatal error)
}
require('/scripts/' . $page . '.php');
?>
Which one is better, and how do I use the second one, e.g.?
Maybe you can suggest something better!?
Last edited by spamyboy on Thu Jan 05, 2006 5:11 am, edited 1 time in total.
<?php
$default = 'index';
$base_dir = '/var/www/files/';
if (isset($_GET['page'])) { // the original was missing the closing parenthesis here
    $path = $base_dir . $_GET['page'] . '.txt';
    // make sure the file exists, is readable and that it comes from the directory where I want it to come from
    if (file_exists($path) && is_readable($path) && substr(realpath($path), 0, strlen($base_dir)) == $base_dir) {
        include $path;
    } else {
        include $base_dir . $default . '.txt';
    }
}
?>
I was pointing out to someone who replied that the fixed list was a good idea for small sites, but that an unprotected dynamic version (where $_GET['id'] was not filtered) could be exploited for path traversal or worse, code injection.
Your original version was, I recall, just fine - no errors or problems.
Your version looks fine... I think that's what Maugrim_the_Reaper was saying. Because you're actually checking a predefined list, it's secure enough anyway.
NOTE: Please can you try to name your thread subjects a little better? For example: "Compare these two scripts".
Sorry if I gave that impression - it was directed at someone else completely who replied to your post. They recommended another version which did contain a security exploit - your script contains none since you utilise a predefined list and a comparison against the user input (you don't use the input directly).
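The thread settles on two ideas: a fixed list of page IDs (the first script's whitelist approach) and a realpath() containment check (the second script). Below is an added example, not code from any poster, that combines both in one helper and shows the two edge cases a reviewer would want handled: realpath() returning false for a missing file, and a sibling directory sharing the base directory's prefix. The directory, file names and the resolve_page() function are constructed for the demo.

```php
<?php
// Added example: whitelist + realpath containment in one place.
// Returns the resolved file path, or null when the request must fall back
// to the default page. Nothing is ever included from an unchecked string.
function resolve_page(string $id, string $base_dir, array $allowed): ?string
{
    // 1. Whitelist: only IDs we listed ourselves are used to build a path.
    //    Strict comparison so "0" or "" cannot loosely match an entry.
    if (!in_array($id, $allowed, true)) {
        return null;
    }
    // 2. Containment: realpath() collapses "../" and symlinks. realpath()
    //    returns false for a missing file, so test that before comparing.
    $base = realpath($base_dir);
    $real = realpath($base_dir . DIRECTORY_SEPARATOR . $id . '.txt');
    if ($base === false || $real === false) {
        return null;
    }
    // A trailing separator on the base stops "/var/www/files" from
    // matching a sibling such as "/var/www/files_private/...".
    $base .= DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return is_readable($real) ? $real : null;
}

// Demo with a constructed page directory under the system temp dir.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/index.txt', "home page\n");
$allowed = ['index', 'about']; // 'about' is listed but has no file on disk

foreach (['index', 'about', '../outside', 'index.txt'] as $id) {
    $hit = resolve_page($id, $dir, $allowed);
    printf("%-12s => %s\n", $id,
        $hit === null ? 'rejected, default page' : 'ok: ' . basename($hit));
}
// index      => ok: index.txt
// about      => rejected, default page   (whitelisted, but realpath() is false)
// ../outside => rejected, default page   (stopped at the whitelist)
// index.txt  => rejected, default page   (not an allowed ID)

unlink($dir . '/index.txt');
rmdir($dir);
```

The caller then does `include resolve_page(...) ?? $base_dir . '/index.txt';`, so the default page is served both when the parameter is absent and when it fails either check.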