Is it secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

ganjargal
Forum Newbie
Posts: 2
Joined: Tue Aug 24, 2010 12:09 am

Is it secure?

Post by ganjargal »

Code:

function requestFilter($value = null, $filter = 'integer', $specialcharacters = "")
{
    switch ($filter) {
        default:
        case 'integer':
            $value = intval($value);
            break;

        case 'latin':
            // $specialcharacters goes into the character class as-is, unescaped
            $value = preg_replace('#[^a-zA-Z' . $specialcharacters . ']#', '', $value);
            break;
    }

    return $value;
}

$admin_modules = array("users", "products", "category", "pages", "shipping", "ordering");

$module = isset($_REQUEST['module']) && !empty($_REQUEST['module']) && in_array($_REQUEST['module'], $admin_modules)
    ? requestFilter($_REQUEST['module'], "latin")
    : null;

if (!is_null($module)) {
    switch ($module) {
        case "users":
        case "products":
        case "category":
        case "pages":
        case "shipping":
        case "orders": // the array above says "ordering", so neither spelling ever reaches require_once
            require_once("modules/" . $module . ".php");
            break;
    }
}

Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Is it secure?

Post by Mordred »

In this instance, it is fine. When used in other contexts it may break if given an array instead of a string.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Is it secure?

Post by Apollo »

Note that merely this:

Code:

$admin_modules = array('users', 'products', 'category', 'pages', 'shipping', 'ordering');
$module = $_REQUEST['module'];
if (in_array($module, $admin_modules, true)) require_once("modules/$module.php");

would be sufficient as well, just as safe and less error-prone (because when adding or removing a module you only have to edit it at one place, rather than the array *and* the switch case).
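As an added illustration of the two replies (editor's example, not code from the thread), the strict whitelist lookup is run beside the character-stripping 'latin' filter over a few constructed inputs, including the array case Mordred mentions; it assumes PHP 8, and ADMIN_MODULES, modulePath() and latinFilter() are names chosen here.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8 and that the module
// files live under modules/ as in the original post.
declare(strict_types=1);

const ADMIN_MODULES = ['users', 'products', 'category', 'pages', 'shipping', 'ordering'];

// Whitelist lookup in the spirit of Apollo's reply: the exact value must be in the
// list. The strict flag makes in_array() compare type as well as value, so an array
// (module[]=users) or anything that is not one of these strings is rejected,
// which also covers the array case from Mordred's reply.
function modulePath(mixed $module): ?string
{
    if (!is_string($module) || !in_array($module, ADMIN_MODULES, true)) {
        return null;
    }
    return "modules/$module.php";
}

// The 'latin' branch of the original requestFilter(), for comparison.
// Stripping characters turns unexpected input into a plausible-looking name
// instead of rejecting it, and an array input comes back as an array.
function latinFilter(mixed $value): mixed
{
    return preg_replace('#[^a-zA-Z]#', '', $value);
}

// Constructed inputs standing in for $_REQUEST['module'].
$samples = ['users', 'Users', '../config', 'users.php', ['users']];

foreach ($samples as $input) {
    $label = is_array($input) ? 'array' : $input;
    $filtered = latinFilter($input);
    $filtered = is_array($filtered) ? 'array' : $filtered;
    printf("%-12s filter: %-10s whitelist: %s\n", $label, $filtered, modulePath($input) ?? 'rejected');
}
```

Only the exact string 'users' yields a path; the filter alone still produces strings such as 'config' or 'usersphp' that look like module names, which is why the list lookup, not the filter, is what decides what gets included.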