Securing include() code.
Posted: Sat Jul 07, 2007 1:38 pm
Would this be a viable solution to securing an include() call in a PHP script to protect from injection?
Code:
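<html>
<body>
<?php
echo 'hello<br/>';
/*
The purpose here is to validate the file path in the $page variable,
which is being passed to the include function, in order to confirm
its validity and safety.
*/
// Assumption: $page comes from the request; the post does not show where it is set.
$page = isset($_GET['page']) ? $_GET['page'] : '';
$paths = ['/good/', '/alsogood/', '/evenBetter/'];
$badpaths = ["http://", "txt", "/etc/"];

// The path must contain at least one of the allowed directories...
$allowed = false;
for ($i = 0; $i < count($paths); $i++) {
    if (strpos($page, $paths[$i]) !== false) {
        $allowed = true;
        break;
    }
}
// ...and none of the disallowed substrings.
// strpos() returns 0 for a match at the start, so compare against false.
for ($a = 0; $allowed && $a < count($badpaths); $a++) {
    if (strpos($page, $badpaths[$a]) !== false) {
        $allowed = false;
    }
}
if ($allowed) {
    // Pass the variable itself; '$page' in single quotes is a literal string.
    include($page);
} else {
    echo '<p>no way!</p>';
}
?>
</body>
</html>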
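Added example, not part of the original post: the substring check from the post next to a resolved-path containment check, run over constructed paths in a temporary directory. The function names `substring_check` and `resolve_include`, the directory layout and the candidate paths are assumptions made for illustration.

```php
<?php
// Added example: names, directory layout and candidate paths are constructed.

// Substring allow/deny test, the approach taken in the post.
function substring_check($page, array $paths, array $badpaths) {
    foreach ($badpaths as $bad) {
        if (strpos($page, $bad) !== false) return false;
    }
    foreach ($paths as $good) {
        if (strpos($page, $good) !== false) return true;
    }
    return false;
}

// Containment test: canonicalise first, then require the result to be a
// regular file located under one of the allowed base directories.
function resolve_include($page, array $baseDirs) {
    if (strpos($page, "\0") !== false) return false;  // reject NUL bytes up front
    $real = realpath($page);  // collapses ../ and symlinks; false for URLs and missing files
    if ($real === false || !is_file($real)) return false;
    foreach ($baseDirs as $base) {
        $baseReal = realpath($base);
        if ($baseReal !== false
            && strpos($real, $baseReal . DIRECTORY_SEPARATOR) === 0) {
            return $real;  // include this value, never the raw input
        }
    }
    return false;
}

// Constructed fixture: one allowed directory and one that must stay private.
$root = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir("$root/good", 0700, true);
mkdir("$root/private", 0700, true);
file_put_contents("$root/good/home.php", "<?php echo 'home';");
file_put_contents("$root/private/settings.php", "<?php echo 'settings';");

$candidates = [
    "$root/good/home.php",                 // legitimate page
    "$root/good/../private/settings.php",  // contains '/good/' but resolves elsewhere
    "http://example.invalid/good/page.php" // remote URL
];
foreach ($candidates as $page) {
    $sub = substring_check($page, ['/good/'], ['http://', 'txt', '/etc/']);
    $res = resolve_include($page, ["$root/good"]);
    printf("%s\n  substring check: %s, containment check: %s\n", $page,
        $sub ? 'accept' : 'reject', $res !== false ? 'accept' : 'reject');
}
```

Mapping a short page key to a fixed file name removes the user-supplied path altogether and is stricter still.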