white list

SidewinderX
Forum Contributor
Posts: 407
Joined: Fri Jul 16, 2004 9:04 pm
Location: NY

Post by SidewinderX »

I am including a file that is dependent on a $_GET request. All the files that can/should be included are located in a modules/ directory. Are there any issues with using this method as a white list?

Code:

if(file_exists("modules/" . $_GET['module'] . ".php")) {
    require_once("modules/" . $_GET['module'] . ".php");
}

Would it be better to store all valid "modules" in my database and query it? If so, why? (I'd rather not rely on a database if possible, but security is more important.)

Thanks,
John
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: white list

Post by Benjamin »

That isn't a white list. You could put all valid module names into an array in addition to what you are already doing. If a module name does not exist in the array it's not valid. That would be a true white list.

What you have done is only secure if end users cannot manipulate the file being included. For example, what would happen if someone accessed the page using a URL such as this:

pagename?../../../../../../home/username/public_html/admin/index
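
The array-based white list suggested in the reply above, as an added example that is not code from either poster. The module names, the `resolve_module()` helper and the temporary demo directory are assumptions made for illustration; the `realpath()` containment check is an extra layer on top of the list.

```php
<?php
// Added example: module names, resolve_module() and the demo directory are hypothetical.
const ALLOWED_MODULES = ['news', 'forum', 'profile'];

function resolve_module($requested, array $allowed, string $baseDir): ?string
{
    // $_GET values may be arrays (?module[]=x); accept only exact, listed strings.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }
    // Defence in depth: the file must exist and resolve to a path inside modules/.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo so the script runs offline: a throwaway modules/ directory
// in which "profile" is on the list but has no file on disk.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'modules_demo_' . getmypid();
mkdir($base);
foreach (['news', 'forum'] as $m) {
    file_put_contents($base . DIRECTORY_SEPARATOR . $m . '.php', "<?php // stub\n");
}

// Constructed inputs; the second is the traversal string quoted in the thread.
$samples = [
    'news',
    '../../../../../../home/username/public_html/admin/index',
    'News',      // wrong case: not an exact match
    ['news'],    // array instead of string
    'profile',   // listed, but the file is missing
];
foreach ($samples as $s) {
    $path = resolve_module($s, ALLOWED_MODULES, $base);
    echo json_encode($s, JSON_UNESCAPED_SLASHES), ' => ',
        $path === null ? 'rejected' : 'include ' . basename($path), "\n";
}

// In the page handler the call would be:
//   $path = resolve_module($_GET['module'] ?? null, ALLOWED_MODULES, __DIR__ . '/modules');
//   if ($path !== null) { require_once $path; }
array_map('unlink', glob($base . DIRECTORY_SEPARATOR . '*.php'));
rmdir($base);
```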