Posted: Mon Oct 08, 2007 4:46 pm
by mrkite
scottayy wrote: A much more elegant solution would use file_exists() on the include file. An even more elegant solution wouldn't pass the filename via $_GET, but instead perhaps a number which indicates a specific file.
file_exists would still be bad. It wouldn't prevent the bad guy from pulling htaccess files etc. The second idea is much better, or at least a keyword.
Code:
// The request picks a keyword; the map decides which file that keyword means.
$pages = array('main' => 'blah/main.php', 'bio' => 'blah/bio.php', 'fred' => '/home/fred/public_html/index.php');
// Check the parameter itself first so a missing or array-valued key is rejected without a notice.
if (isset($_GET['key']) && is_string($_GET['key']) && isset($pages[$_GET['key']])) include $pages[$_GET['key']];
or something to that extent.
Posted: Tue Oct 09, 2007 10:21 pm
by glav
Holy crap, I've a lot of work to do, mainly reading and understanding all the proposed methods. Thanks for all the help, it's great to be able to throw it out there and get a bit of feedback. I suppose the brightest thing would be to find an app that uses such includes and see what steps were taken to secure it, or maybe it is such a security risk that no php developer worth a thought would use this method - it might just be a method that's never 100%. The only reason I'm playing with it is I have no time to develop a full site on my skills. I'll improve it over time and develop it from scratch eventually.
Thanks again.
Posted: Wed Oct 10, 2007 10:39 am
by RobertGonzalez
Something to consider...
include_pages.php
Code:
<?php
// Server-owned list of pages; the URL only ever carries the numeric key.
$include_pages = array(1 => 'Page1', 'Page2', 'Page3', 'Page4');
?>
index.php
Code:
<?php
include 'include_pages.php';
echo '<ul>';
foreach ($include_pages as $k => $v) {
    echo '<li><a href="dynamic.php?page=' . $k . '">Click to go to ' . $v . '</a></li>';
}
echo '</ul>';
?>
dynamic.php
Code:
<?php
include 'include_pages.php';
// Default page setting
$page = 1;
// See if the user requested something else; only a key present in the list is accepted
if (isset($_GET['page']) && is_numeric($_GET['page']) && array_key_exists($_GET['page'], $include_pages)) {
    $page = (int) $_GET['page'];
}
// $page is now guaranteed to be a key of $include_pages, so the path comes from the server, not the URL
include $include_pages[$page] . '.php';
?>
I am sure this could be secured more, but it is something to think about.
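An added example, not code from this thread, that puts the two points above side by side: mrkite's objection that a file_exists() check still lets a request reach things like .htaccess, and the server-owned map (keyword or number) that both mrkite and RobertGonzalez propose. It builds a throwaway directory layout under the system temp dir; the page names, paths and attacker inputs are all constructed for the demonstration, and the functions return the resolved path instead of including it so the script is safe to run anywhere.

```php
<?php
// Added example, not code from the thread. Page names, paths and the
// request strings below are constructed for the demonstration.
declare(strict_types=1);

// Scratch layout: $root/pages/{main,bio}.php are the legitimate includes,
// $root/.htaccess stands in for a file that must never be included.
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/main.php", "<?php echo 'main';\n");
file_put_contents("$root/pages/bio.php",  "<?php echo 'bio';\n");
file_put_contents("$root/.htaccess", "AuthUserFile /etc/secret\n");

// The rejected idea: file_exists() only asks "is something there?", and
// '../.htaccess' answers yes just as readily as 'bio.php' does.
function resolve_with_file_exists(string $dir, string $page): ?string
{
    $candidate = $dir . '/' . $page;
    return file_exists($candidate) ? $candidate : null;
}

// The accepted idea: the request picks a key in a map the server owns.
// Works for string keywords (mrkite) and numeric indexes (RobertGonzalez)
// alike; anything that is not a scalar key present in the map falls back
// to $default, so no attacker-controlled string ever becomes a path.
function resolve_with_map(array $map, $key, $default): string
{
    if ((!is_string($key) && !is_int($key)) || !array_key_exists($key, $map)) {
        $key = $default;
    }
    return $map[$key];
}

$byKeyword = array('main' => "$root/pages/main.php", 'bio' => "$root/pages/bio.php");
$byNumber  = array(1 => "$root/pages/main.php", 2 => "$root/pages/bio.php");

// A legitimate keyword, a filename-style request, and a traversal attempt.
$inputs = array('bio', 'bio.php', '../.htaccess');

foreach ($inputs as $in) {
    $weak = resolve_with_file_exists("$root/pages", $in);
    printf("%-16s file_exists: %-7s map: %s\n",
        $in,
        $weak === null ? 'reject' : 'ACCEPT',
        basename(resolve_with_map($byKeyword, $in, 'main')));
}

// The numeric map behaves the same way: '2' selects bio.php, anything else the default.
printf("numeric '2' -> %s, numeric '../.htaccess' -> %s\n",
    basename(resolve_with_map($byNumber, '2', 1)),
    basename(resolve_with_map($byNumber, '../.htaccess', 1)));

// Tidy up the scratch files.
foreach (array("$root/pages/main.php", "$root/pages/bio.php", "$root/.htaccess") as $f) {
    unlink($f);
}
rmdir("$root/pages");
rmdir($root);
```

Run it with `php lfi-demo.php`: the file_exists() column accepts both `bio.php` and `../.htaccess`, while the map column returns `bio.php` only for the keyword `bio` and falls back to `main.php` for everything else. The point worth keeping from the thread is that the map never turns user input into a path at all; it only turns it into a lookup, which is why the traversal string cannot reach anything the map does not already name.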
Posted: Wed Oct 10, 2007 11:47 am
by Zoxive
Just for a heads up. You're missing an include in `dynamic.php`.
Posted: Wed Oct 10, 2007 1:07 pm
by RobertGonzalez
Oh crap, you're right. I'll be fixing that shortly.