Article: Ten Security Checks for PHP, Part 1
Subject: get/post
Date: 2003-03-24 07:37:27
From: anonymous2

$HTTP_*_VARS are NOT obsolete. You need to use these for sites running versions of PHP prior to 4.1.
-
get/post
2004-11-17 03:56:54 Lancelotti

<?php
// Put the GET variable in a string and indicate the directory where your subpages are
$page = "path_to_file/$_GET[page].php";
// If the file does not exist, use index.php
if (!file_exists($page)) {
    $page = "index.php";
}
// Include the file
include($page);
?>

Note: include all your subpages in path_to_file; your extension may be .php.
-
get/post
2004-11-17 15:05:41 ClancyMalcolm
Lancelotti,
The above code provides a little security - it limits people to only including PHP files from the local machine. However, a user can choose ANY PHP file on the machine (subject to the web server's account permissions) and include that file by using a value for page like '../../example'.
You could prevent this by checking the value using a regular expression (maybe '^[a-z_]*$') or by using the realpath function to check that the resulting page is still in the desired directory.
(Note that if you were using the safe_mode setting it would be a bit different, but may still be insecure.)
Hope this helps.
Regards,
Clancy
-
get/post
2003-03-25 08:37:05 bblackmoor
$HTTP_POST/GET_VARS are obsolete. No one should be using old versions of PHP. Use $_GET and $_POST.
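A hardened version of the include-by-GET pattern discussed in this thread, applying both checks ClancyMalcolm suggests (a character allow-list and a realpath containment check). This is an added example, not code posted in the thread; the path_to_file directory, the index default and a PHP 7 or later runtime are assumptions.

```php
<?php
// Added example: safe include of a subpage selected by ?page=...
// Directory name and default page are assumptions, not from the thread.
define('PAGES_DIR', __DIR__ . '/path_to_file');
define('DEFAULT_PAGE', 'index');

/**
 * Resolve a user-supplied page name to an absolute file path inside
 * PAGES_DIR, or return null when the request must be refused.
 */
function resolve_page(string $requested, string $base = PAGES_DIR): ?string
{
    // Check 1: allow-list the characters (the reply's '^[a-z_]*$', made
    // non-empty) so separators and dots never reach the filesystem.
    if (!preg_match('/^[a-z_]+$/', $requested)) {
        return null;
    }

    // Check 2: realpath() canonicalises the candidate, following symlinks,
    // and returns false if it does not exist; the result must still lie
    // inside the intended directory.
    $baseReal  = realpath($base);
    $candidate = realpath($base . '/' . $requested . '.php');
    if ($baseReal === false || $candidate === false) {
        return null;
    }
    if (strpos($candidate, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // resolved outside PAGES_DIR (e.g. through a symlink)
    }
    return $candidate;
}

// Read from $_GET (PHP >= 4.1); reject non-string values such as page[]=x
// and fall back to the default page instead of interpolating raw input.
$raw  = $_GET['page'] ?? DEFAULT_PAGE;
$page = is_string($raw) ? resolve_page($raw) : null;
if ($page === null) {
    $page = resolve_page(DEFAULT_PAGE);
}
if ($page !== null) {
    include $page;
} else {
    http_response_code(404);
}
```

A rejected value is logged nowhere here; in production, recording the refused $raw value gives detection of probing for traversal without affecting the response.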