How can I sanitize my include statements?

Question

How do I clean this so users can\'t pull pages outside of the local domain?

Answer 1

This isn't tested. I just wrote it up real quick, but it should work (I hope) and it'll definitely provide you a base for where to get started.

define('DEFAULT_PAGE', 'home.php');
define('ALLOWED_PAGES_EXPRESSION', '^[\/]+\.php$|^[\/]+\.html$');

function ValidateRequestedPage($p)
{
    $errors_found = False;

        // Make sure this isn't someone trying to reference directories absolutely.
    if (preg_match('^\/.+$', $p))
    {
        $errors_found = True;
    }

        // Disable access to hidden files (IE, .htaccess), and parent directory.
    if (preg_match('^\..+$', $p))
    {
        $errors_found = True;
    }


        // This shouldn't be needed for secure servers, but test for remote includes just in case...
    if (preg_match('.+\:\/\/.+', $p))
    {
        $errors_found = True;
    }

    if (!preg_match(ALLOWED_PAGES_EXPRESSION, $p))
    {
        $errors_found = True;
    }

    return !$errors_found;
}

if (!isset($_GET['page'])) { $page = DEFAULT_PAGE; }
else { $page = $_GET['page']; }

if ( !ValidateRequestedPage($page) )
{
    /* This is called when an error has occured on the page check. You probably
       want to show a 404 here instead of returning False. */
    return False;
}

// This suggests that a valid page is being used.
require_once($page);