scottayy wrote: A much more elegant solution would use file_exists() on the include file. An even more elegant solution wouldn't pass the filename via $_GET, but instead perhaps a number which indicates a specific file.
file_exists would still be bad. It wouldn't prevent the bad guy from pulling htaccess files etc. The second idea is much better, or at least a keyword.
$pages = array('main' => 'blah/main.php', 'bio' => 'blah/bio.php', 'fred' => '/home/fred/public_html/index.php');
// Only a whitelisted key selects a file; the request never supplies a path itself (isset on $_GET['key'] avoids a notice when it is absent).
if (isset($_GET['key']) && isset($pages[$_GET['key']])) include $pages[$_GET['key']];
Holy crap, I've a lot of work to do, mainly reading and understanding all the proposed methods. Thanks for all the help, it's great to be able to throw it out there and get a bit of feedback. I suppose the brightest thing would be to find an app that uses such includes and see what steps were taken to secure it, or maybe it is such a security risk that no PHP developer worth a thought would use this method - it might just be a method that's never 100%. The only reason I'm playing with it is I have no time to develop a full site on my skills. I'll improve it over time and develop it from scratch eventually.
<?php
// include_pages.php defines $include_pages: a numeric-key => filename map.
// The filenames live only in that file, never in the request.
include 'include_pages.php';
// Default page setting
$page = 1;
// See if the user requested something else. The request value is only
// ever used as a lookup key into the map; array_key_exists() rejects
// anything that is not one of our own keys (e.g. "../.htaccess").
if (isset($_GET['page']) && is_numeric($_GET['page']) && array_key_exists($_GET['page'], $include_pages)) {
    $page = $_GET['page'];
}
include $include_pages[$page] . '.php';
?>
I am sure this could be secured more, but it is something to think about.
Last edited by RobertGonzalez on Wed Oct 10, 2007 1:08 pm, edited 1 time in total.
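The keyed-whitelist approach from the two posts above, carried a step further as an added example (not code from this thread or its posters): the map is the only source of filenames, and a realpath() check confirms the resolved file sits under the assumed ./pages/ directory even if a map entry is later mis-edited. Assumes PHP 7 or newer for the ?? and ?string syntax.

```php
<?php
// Added example, not from the thread. Assumed layout: page files under ./pages/.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Whitelist: the request may only choose a key; the filename never comes
// from user input, so "../" or ".htaccess" in the request simply matches nothing.
const PAGES = [
    'main' => 'main.php',
    'bio'  => 'bio.php',
];

/**
 * Resolve a request value to an absolute include path, or null if it is not
 * a known key. The realpath() containment check is a second layer: even a
 * whitelist entry containing ".." or an absolute path must resolve inside
 * PAGES_DIR, otherwise it is refused.
 */
function resolve_page(mixed $key): ?string
{
    // Arrays (page[]=x) and missing values are not strings: not a valid key.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    $path = realpath(PAGES_DIR . '/' . PAGES[$key]);
    $base = realpath(PAGES_DIR);
    if ($path === false || $base === false) {
        return null;      // file missing: fail closed, never fall back to input
    }
    // Compare with a trailing separator so "/pages_old" does not pass as "/pages".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? null) ?? resolve_page('main');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

Unknown keys fall back to the default page rather than to anything derived from the request, which is what keeps the include target under the developer's control.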