<html>
<body>
<?php
echo 'hello<br/>';
/*
The purpose here is to validate the file path in the $page variable,
which is passed to the include function, in order to confirm
its validity and safety.
$page is assumed to be set before this point.
*/
$paths = ['/good/', '/alsogood/', '/evenBetter/'];
$badpaths = ["http://", "txt", "/ect/"];

// The path must contain at least one of the allowed directories.
$allowed = false;
for ($i = 0; $i < count($paths); $i++) {
    if (strpos($page, $paths[$i]) !== false) {
        $allowed = true;
        break;
    }
}

// The path must not contain any of the disallowed substrings.
$blocked = false;
for ($a = 0; $a < count($badpaths); $a++) {
    if (strpos($page, $badpaths[$a]) !== false) {
        $blocked = true;
        break;
    }
}

if (!$allowed || $blocked) {
    echo '<p>no way!</p>';
} else {
    include('$page');
}
?>
</body>
</html>
The first thing that pops out at me is the single quotes (and use of quotes, period) in the include statement.
Also, when validating the URI, you should have rules for what *is* valid rather than what's invalid. Anything that isn't a valid page should be treated as a 404.
Also, the smartest thing is to simply not allow user input to determine what is included. I don't support conditional includes.
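An allowlist lookup along the lines suggested in the replies above, as an added example that is not part of the original thread. The page names, the file names, the `pages` directory and the `page` query parameter are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical map of public page names to files under one fixed directory.
// The request only ever selects a key; it never supplies a path.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Return the absolute file for a requested page name, or null when the
 * name is not on the allowlist.
 */
function resolvePage($requested): ?string
{
    // Reject arrays (?page[]=x) and anything else that is not a string.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key match only: there are no substring tests, so '../',
    // 'http://' and mixed-case variants simply fail the lookup.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $file = PAGE_DIR . '/' . PAGES[$requested];
    // A listed page whose file is missing is still a 404.
    return is_file($file) ? $file : null;
}

$file = resolvePage($_GET['page'] ?? 'home');

if ($file === null) {
    // Anything that is not a known page is treated as not found.
    http_response_code(404);
    echo '<p>Page not found.</p>';
    exit;
}

// The included path is built only from constants defined above.
include $file;
```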