include user input

Posted: Mon Jul 17, 2006 9:46 pm
by paintballa_4life2006
I've written an index.php that includes a header, footer, site navigation, and also content that is selected by a variable named view. I'm not really too sure if my code is safe or not. GPC_Magic_Quotes is enabled. I have posted the relevant code below. Please let me know if there are any security issues with this, and what they are. Your help is appreciated, thank you.

Code:

$valid_pages = array(
    "home"    => "home.php",
    "search"  => "search.php",
    "about"   => "about.php",
    "contact" => "contact.php"
);

$view = trim($_GET['view']);
$view = strtolower($view);

foreach ($valid_pages as $key => $val) {
    if ($view == $key) {
        $content = $val;
    } else {
        $content = "home.php";
    }
}

include_once($content);

Posted: Mon Jul 17, 2006 9:55 pm
by Benjamin
I don't see any security issues with it. You may want to break out of the foreach loop on the first match though, otherwise $content will probably get set back to home.php

http://www.php.net/manual/en/control-st ... .break.php
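
The overwrite described in the reply above, next to a direct allow-list lookup that avoids it, as an added example that is not part of the original thread. The function names resolve_with_loop and resolve_view and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Page names match the posted array.
$valid_pages = [
    'home'    => 'home.php',
    'search'  => 'search.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// The loop as posted, wrapped in a function: the else branch runs on every
// non-matching key, so a match is overwritten by any later iteration.
function resolve_with_loop(array $pages, $view)
{
    $content = 'home.php';
    foreach ($pages as $key => $val) {
        if ($view == $key) {
            $content = $val;
        } else {
            $content = 'home.php';
        }
    }
    return $content;
}

// Direct allow-list lookup: user input only selects a key, never a path.
function resolve_view(array $pages, $raw, $default = 'home')
{
    // $_GET values can be arrays (?view[]=x) or absent; treat both as default.
    if (!is_string($raw)) {
        return $pages[$default];
    }
    $view = strtolower(trim($raw));
    // Array key lookup instead of a loop with loose == comparison.
    return isset($pages[$view]) ? $pages[$view] : $pages[$default];
}

// Constructed sample inputs standing in for $_GET['view'].
$samples = ['search', ' About ', 'contact', 'no-such-page', ['x'], null];
foreach ($samples as $raw) {
    $shown = is_string($raw) ? $raw : gettype($raw);
    $loop  = is_string($raw) ? resolve_with_loop($valid_pages, strtolower(trim($raw))) : 'n/a';
    printf("%-14s loop=%-12s lookup=%s\n", $shown, $loop, resolve_view($valid_pages, $raw));
}

// In index.php: include_once __DIR__ . '/' . resolve_view($valid_pages, $_GET['view'] ?? null);
```

With the posted loop only the last key in the array ("contact") survives to the include; the lookup version returns the mapped file for every listed key and the default for anything else.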

Posted: Mon Jul 17, 2006 9:58 pm
by feyd
This "useful post" may be of interest: viewtopic.php?t=36850

Posted: Mon Jul 17, 2006 10:06 pm
by paintballa_4life2006
astions wrote:
I don't see any security issues with it. You may want to break out of the foreach loop on the first match though, otherwise $content will probably get set back to home.php

http://www.php.net/manual/en/control-st ... .break.php

Yeah, you're right about breaking. I hadn't tested it for pages besides home yet. Thanks for the tip.

What other methods are there for designing a template page, without having to include the requested content?