
white list

Posted: Thu Jul 17, 2008 10:27 pm
by SidewinderX
I am including a file that is dependent on a $_GET request. All the files that can/should be included are located in a modules/ directory. Are there any issues with using this method as a white list?

if (file_exists("modules/" . $_GET['module'] . ".php")) {
    require_once("modules/" . $_GET['module'] . ".php");
}
Would it be better to store all valid "modules" in my database and query it? If so, why? (I'd rather not rely on a database if possible, but security is more important.)

Thanks,
John

Re: white list

Posted: Fri Jul 18, 2008 2:25 am
by Benjamin
That isn't a white list. You could put all valid module names into an array in addition to what you are already doing. If a module name does not exist in the array it's not valid. That would be a true white list.

What you have done is only secure if end users cannot manipulate the file being included. For example, what would happen if someone accessed the page using a url such as this:

pagename?../../../../../../home/username/public_html/admin/index
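As an added illustration of the array allowlist Benjamin describes, here is the include from the first post rewritten so that only a name from a fixed list ever reaches the filesystem (example code, not from either post; the module names and the loadModule helper are assumed):

```php
<?php
// Added example, not from the original thread. The list below is a
// constructed allowlist of modules the application actually ships; it could
// equally be loaded from a database, the check itself does not change.
$validModules = ['home', 'profile', 'settings'];

function loadModule(array $validModules, string $requested): bool
{
    // Exact-match lookup against the fixed list. strict=true avoids PHP's
    // loose comparison, so "0" does not match an entry like "home".
    if (!in_array($requested, $validModules, true)) {
        return false;
    }

    // Only a value copied from $validModules is used to build the path, so
    // the client cannot steer the include outside modules/ with "../".
    require_once __DIR__ . '/modules/' . $requested . '.php';
    return true;
}

// $_GET['module'] may be absent or an array (module[]=x), so insist on a
// string before it is compared against the list.
$module = (isset($_GET['module']) && is_string($_GET['module']))
    ? $_GET['module']
    : 'home';

if (!loadModule($validModules, $module)) {
    http_response_code(404);
    exit('Unknown module');
}
```

With this in place a request carrying "../../../../home/username/public_html/admin/index" fails the in_array check and is never passed to file_exists or require_once, which is the difference between checking that a file exists and checking that it is one you intended to expose.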