Securing include() code.

Posted: Sat Jul 07, 2007 1:38 pm
by mabufo
Would this be a viable solution to securing an include() call in a php script to protect from injection?

<html>
<body>
<?php

echo 'hello<br/>';

/*
The purpose here is to validate the filepath of the $page variable,
that is being passed to the include function, in order to confirm
its validity, and safeness.
*/
$paths = ['/good/', '/alsogood/', '/evenBetter/'];
$badpaths = ["http://", "txt", "/ect/"];

// for-loop parts are separated by semicolons; indexes run 0..count()-1
for ($i = 0; $i < count($paths); $i++) {
	$pos = strpos($page, $paths[$i]);
	if ($pos === false) {
		echo '<p>no way!</p>';
		break;
	}
	else {
		for ($a = 0; $a < count($badpaths); $a++) {
			// strpos() returns false when the needle is absent, 0 when it is at the start
			$pos = strpos($page, $badpaths[$a]);
			if ($pos !== false) {
				break;
			}
			else {
				include('$page');
				break;
			}
		}
	}
}
?>
</body>
</html>

Posted: Sat Jul 07, 2007 2:05 pm
by superdezign
The first thing that pops out at me is the single quotes (and use of quotes, period) in the include statement.

Also, when validating the URI, you should have rules for what *is* valid rather than what's invalid. Anything that isn't a valid page should be treated as a 404.

Also, the smartest thing is to simply not allow user input to determine what is included. I don't support conditional includes.
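The allowlist approach superdezign describes, written out as an added example that is not part of the original thread; the page keys and file paths are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only files this script will ever include.
// Keys are what the URL may carry; values are fixed, developer-controlled paths.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Map a user-supplied page key to an allowed file, or return null.
 * The key is used only as an array lookup, never as part of a path,
 * so the result is one of the fixed values above or nothing at all.
 * Untyped parameter on purpose: $_GET['page'] can be an array (?page[]=x).
 */
function resolve_page($key, array $allowed): ?string
{
    if (!is_string($key) || !array_key_exists($key, $allowed)) {
        return null;
    }
    return $allowed[$key];
}

/** Include the resolved file, or answer 404 as superdezign suggests. */
function render_page($key): void
{
    $file = resolve_page($key, PAGES);
    if ($file === null) {
        http_response_code(404);
        echo '<p>Page not found</p>';
        return;
    }
    include $file;
}

// Constructed sample requests standing in for $_GET['page'].
$samples = ['about', '../../etc/passwd', 'http://evil.example/x', '', null, ['x']];
foreach ($samples as $req) {
    $file = resolve_page($req, PAGES);
    printf("%-26s => %s\n", str_replace("\n", '', var_export($req, true)), $file ?? '404');
}

// In a web request the handler is simply:
// render_page($_GET['page'] ?? null);
```

Only the three allowlisted keys resolve to a file; every other input, including traversal sequences, URLs, empty strings and array parameters, falls through to the 404 branch without ever being used in a path.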

Posted: Sat Jul 07, 2007 4:07 pm
by feyd
There's a thread linked from Useful Posts that may be of interest.