How can I sanitize my include statements?

Front-end | unresolved | 4 answers | 1351 views
孤街浪徒 2021-01-20 19:47

How do I clean this so users can't pull pages outside of the local domain?

4 answers
  • 2021-01-20 20:07
    
    // get the absolute file name of the page we want to see
    // (realpath() returns false when the file does not exist)
    $page = realpath($_GET['page']);
    
    // get the directory in which pages are; the trailing separator matters,
    // otherwise a sibling directory whose name starts with the same prefix
    // would also pass the check below
    $mydir = dirname(__FILE__) . DIRECTORY_SEPARATOR;
    
    // see if the included page is inside this allowed dir
    if ($page === false || substr($page, 0, strlen($mydir)) !== $mydir) {
        die('go away hacker');
    } else {
        include $page;
    }
  • 2021-01-20 20:08

    The safest way is to whitelist your pages:

    $page = 'home.php';
    
    $allowedPages = array('one.php', 'two.php' /* ... */);
    
    // third argument: strict comparison, so only an exact string match counts
    if (!empty($_GET['page']) && in_array($_GET['page'], $allowedPages, true))
        $page = $_GET['page'];
    
    include $page;
    
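Combining the two answers above as an added example, not code from either answer: the exact-match whitelist is applied first, then the realpath() containment check, with the base directory compared including a trailing separator so that a sibling directory such as "pages-evil" next to "pages" cannot pass a plain prefix test. The function names, the temporary fixture and the sample requests are constructed for the demo.

```php
<?php
// Added example, not code from any answer on this page: the second answer's
// whitelist in front of the first answer's realpath() check, comparing against
// the base directory WITH a trailing separator so that a sibling directory such
// as "pages-evil" beside "pages" cannot pass a plain string-prefix test.
function is_within(string $candidate, string $baseDir): bool
{
    $base = realpath($baseDir);    // false if the directory does not exist
    $path = realpath($candidate);  // false if the file does not exist
    if ($base === false || $path === false) {
        return false;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0;
}

// Returns the canonical path to include, or null when the request is rejected.
function resolve_page(string $requested, string $pagesDir, array $allowed): ?string
{
    // Strict in_array(): "0", arrays and other loosely-equal values never match.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $candidate = $pagesDir . DIRECTORY_SEPARATOR . $requested;
    return is_within($candidate, $pagesDir) ? realpath($candidate) : null;
}

// Constructed fixture (hypothetical names): "pages" plus a sibling "pages-evil".
$root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'incdemo_' . getmypid();
$pages = $root . DIRECTORY_SEPARATOR . 'pages';
$evil  = $root . DIRECTORY_SEPARATOR . 'pages-evil';
mkdir($pages, 0700, true);
mkdir($evil, 0700, true);
file_put_contents($pages . '/home.php', "<?php echo 'home';");
file_put_contents($evil . '/home.php', "<?php echo 'evil';");

$naive = substr(realpath($evil . '/home.php'), 0, strlen(realpath($pages))) === realpath($pages);
$checks = [
    'prefix test without separator accepts sibling dir' => $naive === true,
    'is_within() rejects sibling dir'                   => is_within($evil . '/home.php', $pages) === false,
    'whitelisted existing page resolves'                => resolve_page('home.php', $pages, ['home.php']) !== null,
    'whitelisted but missing page rejected'             => resolve_page('about.php', $pages, ['about.php']) === null,
    'traversal to sibling dir rejected'                 => resolve_page('../pages-evil/home.php', $pages, ['home.php']) === null,
];
foreach ($checks as $label => $passed) {
    printf("%-50s %s\n", $label, $passed ? 'ok' : 'FAIL');
}
unlink($pages . '/home.php'); unlink($evil . '/home.php');
rmdir($pages); rmdir($evil); rmdir($root);
exit(in_array(false, $checks, true) ? 1 : 0);
```

Run it with `php example.php`; every line should print `ok`, including the first one, which records that the bare prefix comparison accepts the sibling directory.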
  • 2021-01-20 20:16

    This isn't tested. I just wrote it up real quick, but it should work (I hope) and it'll definitely provide you a base for where to get started.

    define('DEFAULT_PAGE', 'home.php');
    // a single path component (no slashes) ending in .php or .html
    define('ALLOWED_PAGES_EXPRESSION', '#^[^/]+\.php$|^[^/]+\.html$#');
    
    function ValidateRequestedPage($p)
    {
        $errors_found = False;
    
        // Make sure this isn't someone trying to reference directories absolutely.
        if (preg_match('#^/.+$#', $p))
        {
            $errors_found = True;
        }
    
        // Disable access to hidden files (IE, .htaccess), and parent directory.
        if (preg_match('#^\..+$#', $p))
        {
            $errors_found = True;
        }
    
        // This shouldn't be needed for secure servers, but test for remote includes just in case...
        if (preg_match('#.+://.+#', $p))
        {
            $errors_found = True;
        }
    
        if (!preg_match(ALLOWED_PAGES_EXPRESSION, $p))
        {
            $errors_found = True;
        }
    
        return !$errors_found;
    }
    
    if (!isset($_GET['page'])) { $page = DEFAULT_PAGE; }
    else { $page = $_GET['page']; }
    
    if ( !ValidateRequestedPage($page) )
    {
        /* This is called when an error has occurred on the page check. You probably
           want to show a 404 here instead of returning False. */
        return False;
    }
    
    // This suggests that a valid page is being used.
    require_once($page);
    
  • 2021-01-20 20:16

    Just use a switch statement.

    Check if the $_GET var is set and then run it through the cases and have the default go to home.php
