Securing include() code.



mabufo
Forum Commoner
Posts: 81
Joined: Thu Jul 10, 2003 11:11 pm
Location: Orland Park, IL


Post by mabufo »

Would this be a viable solution to securing an include() call in a PHP script, to protect it from injection?


<html>
<body>
<?php

echo 'hello<br/>';

/*
The purpose here is to validate the filepath of the $page variable
that is being passed to the include function, in order to confirm
its validity and safeness.
$page is assumed to come from user input; here it is read from the
query string (assumption, the original post did not show where it is set).
*/
$page = isset($_GET['page']) ? $_GET['page'] : '';

$paths    = ['/good/', '/alsogood/', '/evenBetter/'];
$badpaths = ['http://', 'txt', '/ect/'];

// step 1: $page must contain one of the permitted path fragments
$allowed = false;
for ($i = 0; $i < count($paths); $i++) {
    if (strpos($page, $paths[$i]) !== false) {
        $allowed = true;
        break;
    }
}

// step 2: ...and none of the forbidden fragments
$blocked = false;
for ($a = 0; $allowed && $a < count($badpaths); $a++) {
    if (strpos($page, $badpaths[$a]) !== false) {
        $blocked = true;
        break;
    }
}

if (!$allowed) {
    echo '<p>no way!</p>';
} elseif (!$blocked) {
    // no quotes around $page: include('$page') would look for a file
    // literally named "$page", not the file whose name is stored in it
    include $page;
}

?>
</body>
</html>
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

The first thing that pops out at me is the single quotes (and use of quotes, period) in the include statement.

Also, when validating the URI, you should have rules for what *is* valid rather than what's invalid. Anything that isn't a valid page should be treated as a 404.

Also, the smartest thing is to simply not allow user input to determine what is included. I don't support conditional includes.
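The allowlist approach superdezign describes, written out as an added example that is not code from the original thread. It assumes the includable pages live in a pages/ directory next to the script and that the page is chosen by a `page` query-string parameter; the filenames in the table are placeholders. For contrast it also carries a substringCheck() that reproduces the first post's rules (must contain one of the good fragments, none of the bad ones), so the difference between "what is valid" and "what is invalid" can be seen on real inputs.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread.
// Assumptions: pages live in __DIR__ . '/pages', the page is chosen by
// ?page=<name>, and the filenames in $pages below are placeholders.

/**
 * Reproduces the rules from the first post: $page must contain one of
 * $paths and none of $badpaths. Kept here only to show its weakness.
 */
function substringCheck(string $page): bool
{
    $paths    = ['/good/', '/alsogood/', '/evenBetter/'];
    $badpaths = ['http://', 'txt', '/ect/'];

    $hasGood = false;
    foreach ($paths as $p) {
        if (strpos($page, $p) !== false) {
            $hasGood = true;
            break;
        }
    }
    if (!$hasGood) {
        return false;
    }
    foreach ($badpaths as $b) {
        if (strpos($page, $b) !== false) {
            return false;
        }
    }
    return true;
}

/**
 * Allowlist: user input only selects a key in a fixed table; it never
 * becomes part of the path. Returns the absolute file path, or null for
 * anything not listed (which the caller turns into a 404).
 */
function resolvePage(string $name, string $baseDir): ?string
{
    $pages = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
    if (!array_key_exists($name, $pages)) {
        return null;
    }
    $base = realpath($baseDir);
    $file = ($base === false) ? false : realpath($base . '/' . $pages[$name]);
    // Defence in depth: even a typo in the table cannot escape $base.
    if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a legitimate page, a traversal path, a plain name.
    foreach (['/good/index.php', '/good/../../etc/passwd', 'home'] as $in) {
        printf("%-26s substringCheck: %s\n", $in, substringCheck($in) ? 'pass' : 'reject');
    }
} else {
    $requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
    $file = resolvePage($requested, __DIR__ . '/pages');
    if ($file === null) {
        http_response_code(404);
        echo '<p>Page not found.</p>';
        exit;
    }
    include $file;
}
```

Run from the command line it only prints the three substring checks; served by a web server it performs the include. The traversal input passes substringCheck() because it contains '/good/' and none of the forbidden fragments ('/ect/' in the first post's list is not '/etc/'), while the harmless name 'home' is rejected. resolvePage() has neither problem: the request can only pick a key, unknown keys become a 404, and the realpath() containment check guards against the table itself pointing outside the pages directory.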
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

There's a thread linked from Useful Posts that may be of interest.