include user input

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


paintballa_4life2006
Forum Newbie
Posts: 4
Joined: Thu Jun 22, 2006 5:41 am

include user input

Post by paintballa_4life2006 »

I've written an index.php that includes a header, footer, site navigation, and also content that is selected by a variable named view. I'm not really too sure if my code is safe or not. GPC_Magic_Quotes is enabled. I have posted the relevant code below. Please let me know if there are any security issues with this, and what they are. Your help is appreciated; thank you.

<?php
// Whitelist of permitted view names mapped to the files they load.
$valid_pages = array(
    "home"    => "home.php",
    "search"  => "search.php",
    "about"   => "about.php",
    "contact" => "contact.php"
);

// Guard against a missing ?view= parameter (avoids an undefined-index notice).
$view = isset($_GET['view']) ? trim($_GET['view']) : '';
$view = strtolower($view);

// Walk the whitelist; $content ends up holding the matching file or home.php.
foreach ($valid_pages as $key => $val) {
    if ($view == $key) {
        $content = $val;
    } else {
        $content = "home.php";
    }
}

include_once($content);
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I don't see any security issues with it. You may want to break out of the foreach loop on the first match, though; otherwise $content will probably get set back to home.php.

http://www.php.net/manual/en/control-st ... .break.php
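The same whitelist written as a key lookup instead of a loop, as an added example that is not code from the thread. The loop in the original post is only correct if it breaks on the first match; indexing the array by the submitted name removes the loop entirely and makes the fallback explicit. The function name resolve_view and the $samples inputs are constructed for this illustration; the whitelist entries are the ones from the post.

```php
<?php
// Added example (not the thread's code): resolve the requested view against a
// fixed whitelist by key lookup, so the client only ever chooses one of the
// listed entries and never supplies any part of the included path.

// Map of permitted view names to the template files they load. The values are
// fixed literals; user input is compared against the keys only.
$valid_pages = array(
    "home"    => "home.php",
    "search"  => "search.php",
    "about"   => "about.php",
    "contact" => "contact.php",
);

/**
 * Return the file to include for a raw ?view= value.
 * Anything that is not a string, or not a whitelist key, falls back to the
 * default page. Hypothetical helper written for this example.
 */
function resolve_view($raw, array $valid_pages, $default = "home.php")
{
    // ?view[]=x arrives as an array; trim() on it would emit a warning and the
    // lookup must not be attempted with it, so reject non-strings outright.
    if (!is_string($raw)) {
        return $default;
    }
    $view = strtolower(trim($raw));

    // Key lookup: no loop, so no chance of a later iteration overwriting the
    // match. isset() is safe here because no whitelist value is null.
    if (isset($valid_pages[$view])) {
        return $valid_pages[$view];
    }
    return $default;
}

// Constructed sample inputs showing the fallback on anything unexpected.
$samples = array(
    "home",
    " About ",                // whitespace and case are normalised first
    "contact",
    "search.php",             // a file name is not a key, so it falls back
    "../../../etc/passwd",    // not a key either; never reaches include()
    "",
    array("home"),            // what ?view[]=home looks like in $_GET
);

foreach ($samples as $s) {
    $label = is_array($s) ? "(array)" : var_export($s, true);
    printf("%-24s -> %s\n", $label, resolve_view($s, $valid_pages));
}

// In index.php the call would be:
// $content = resolve_view(isset($_GET['view']) ? $_GET['view'] : '', $valid_pages);
// include_once dirname(__FILE__) . '/' . $content;
```

Because the included file name always comes from the array's values and never from the request, magic quotes, slashes or dots in the submitted string make no difference; the only thing the client controls is which whitelisted key is looked up.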
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

This "useful post" may be of interest: viewtopic.php?t=36850
paintballa_4life2006
Forum Newbie
Posts: 4
Joined: Thu Jun 22, 2006 5:41 am

Post by paintballa_4life2006 »

astions wrote:
I don't see any security issues with it. You may want to break out of the foreach loop on the first match though, otherwise $content will probably get set back to home.php

http://www.php.net/manual/en/control-st ... .break.php

Yeah, you're right about breaking; I hadn't tested it for pages besides home yet. Thanks for the tip.

What other methods are there for designing a template page, without having to include the requested content?