Page 1 of 1

Is this page include function secure?

Posted: Thu Mar 10, 2005 6:10 pm
by nickvd
I'd appreciate it if someone could check this tiny function for any holes that I can't think of.

Code: Select all

function getPage($page, $default="about", $ext=".html") {
   if (!$page || !file_exists("./".$page.$ext)) $page=$default;
   return $page.$ext;
}
It's use is probably quite obvious. I use it for selecting the page to be included on the main index page by $_GET. This way, only one page containing the layout of the site is needed. I know that using a switch would be 100% secure, however on some sites that i design, there are dozen's of pages that need to be linked to, and doing it this way saves typing :)

usage: <link>/index.php?page=blah

Code: Select all

include(getPage($_GET['page']));

Posted: Thu Mar 10, 2005 6:24 pm
by feyd
it's quite possibly insecure. I could include a file you don't necessarily want to include, or if you provide an upload area I could introduce a properly encoded file that'd run like a normal script.

I'd recommend having a known list of valid, safe files to include, and use that..

Posted: Thu Mar 10, 2005 6:59 pm
by nickvd
I know that that is the major cause of insecurities in scripts like this, but I figured that since i'm checking if the file submitted exists (including the extention that wont be known to the "attacker") anything that they submit wont exist unless they know the file on the server including the extention...

Posted: Thu Mar 10, 2005 7:07 pm
by feyd
overall, it'd probably be very simple to figure out what files you are normally including. If you didn't use include, opting for file_get_contents() for instance, you would avoid running any php code that is in the file.

For the most part, never trust anything that can come from the user.