Article:		Ten Security Checks for PHP, Part 1
Subject:		get/post
Date:		2003-03-24 07:37:27
From:		anonymous2
$HTTP_*_VARS are NOT obsolete. You need to use these for sites running versions of PHP prior to 4.1.

Showing messages 1 through 3 of 3.

• get/post
  2004-11-17 03:56:54  Lancelotti [View]
  
  
  Cant you use this to security of your incluedes.
  
  $page = "path_to_file/$_GET[page].php";
  // put de get variable in string, and indicated de directory where your subpages are
  
  if (!file_exists($page)) {
  $page = "index.php";
  }
  // if file not exists use the index.php
  
  include($page);
  // include de file
  
  Note. Include all your subpages in path_to_file and your extension may be .php
• get/post
  2004-11-17 15:05:41  Clancy Malcolm | [View]
  
  
  Lancelotti,
  
  The above code provides a little security - it limits people to only including PHP files from the local machine. However, a user can choose ANY PHP file on the machine (subject to the web server's account permissions) and include that file by using a value for page like '../../example'.
  
  You could prevent this by checking the value using a regular expression (maybe '^[a-z_]*$') or by using the realpath function to check that the resulting page is still in the desired directory.
  
  (Note that if you were using the safe_mode setting it would be a bit different, but may still be insecure).
  
  Hope this helps.
  
  Regards,
  Clancy

• get/post
  2003-03-25 08:37:05  bblackmoor [View]
  
  
  $HTTP_POST/GET_VARS are obsolete. No one should be using old versions of PHP. Use $_GET and $_POST.