Does the file exist safely?

if (file_exists("pages/$page.php")) {
  include($page.'.php');
}


Is it safe?

By safe, I mean that you cannot include remote scripts, etc.

+2


source to share


6 answers


Of course not, especially if $page = "./configuration"

I would recommend replacing it with something like this:

$pages = array("blog", "home", "login");
$page = strtolower($page);           // normalise once, then use the same value for the check and the include
if (in_array($page, $pages, true))   // strict comparison: only an exact whitelisted name passes
  include("pages/$page.php");




EDIT: You can create this list of valid pages using this code.

$pages = array();
if ($dh = opendir("pages")) {
  while (($file = readdir($dh)) !== false) {
    if (substr($file, -4) === ".php")  // keep only names that end in .php
      $pages[] = substr($file, 0, -4); // strip the trailing ".php"
  }
  closedir($dh);
}


+6


source
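The whitelist approach from this answer, written out as a complete script. This is an added example, not code from the answer above: the page list is built from the files actually present in the directory (as a map from lower-cased page name to the real file name, so the include works on a case-sensitive file system), the request is only ever used as a lookup key, and the script builds its own temporary pages/ directory and sample requests so it runs on its own. The function names `load_page_whitelist` and `resolve_page` are assumptions of this example.

```php
<?php
// Added example (not from the original answer): whitelist-based page loader.
// Valid page names come from the .php files in the directory; the raw request
// is only used as a lookup key, never to build the path that reaches include().
declare(strict_types=1);

/**
 * Build the whitelist from the .php files in $dir.
 * Returns [ 'home' => 'home.php', ... ]: lower-cased page name => real file name.
 */
function load_page_whitelist(string $dir): array
{
    $pages = [];
    foreach (scandir($dir) as $file) {
        // Only plain files whose name ends in ".php" (so not "foo.php.bak").
        if (is_file("$dir/$file") && substr($file, -4) === '.php') {
            $pages[strtolower(substr($file, 0, -4))] = $file;
        }
    }
    return $pages;
}

/**
 * Return the file to include for $requested, or null if it is not whitelisted.
 * Traversal ("../"), stream wrappers (php://, data://) and NUL bytes all fail
 * the lookup, because none of them is a key in the whitelist.
 */
function resolve_page(string $requested, array $whitelist, string $dir): ?string
{
    $name = strtolower($requested);
    if (!isset($whitelist[$name])) {
        return null;
    }
    return $dir . '/' . $whitelist[$name];   // path built from the whitelist entry, not from the request
}

// --- demo on a constructed pages/ directory (assumption of this example) ----
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($dir, 0700);
foreach (['home', 'blog', 'login'] as $p) {
    file_put_contents("$dir/$p.php", "<?php echo 'page: $p', PHP_EOL;");
}
file_put_contents("$dir/notes.txt", 'not a page');

$whitelist = load_page_whitelist($dir);

$requests = [
    'home',
    'BLOG',                        // case differs from the file name: still whitelisted
    '../configuration',            // directory traversal
    'notes.txt',                   // exists in pages/ but is not a .php page
    "home\0",                      // NUL byte appended
    'php://filter/resource=home',  // stream wrapper
];
foreach ($requests as $r) {
    $path = resolve_page($r, $whitelist, $dir);
    printf("%-32s => %s\n", json_encode($r), $path === null ? 'REJECTED' : 'include ' . basename($path));
    if ($path !== null) {
        include $path;
    }
}

// remove the constructed directory again
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Because the included path is assembled from the whitelist entry rather than from `$page`, there is nothing to sanitise: an attacker can only choose among the files you already decided are pages.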


There is a typo in your code, which I believe should be:

if (file_exists("pages/$page.php")) {
  include("pages/$page.php");
}


However, it leads to code injection and, if PHP settings allow it, remote file inclusion.



You need to make sure that the page you include cannot be an arbitrary page.

Typically you will see this type of code in the "Loader" class using the Factory method, however in good implementations it restricts the files and classes it loads to a specific directory, or to a specific predefined set of files.

+2


source


If $page is never set explicitly, PHP will try to find it by following the variables_order directive in your php.ini. This directive tells PHP the search order for variables. Since the default for this is EGPCS, a cunning hacker then calls your script and tells it to include whatever file PHP has access to.

Example:

www.example.com/?page=dbConfig.ini

+1


source


Storing all possible page names in an array is the safest approach, but you can also be reasonably safe by simply checking the supplied page name and ensuring that you don't have any "dangerous" files in your pages directory.

$page = basename($_GET['page'] ?? '');   // strips any directory part, so "../x" becomes "x"
if ($page !== '' && is_file("pages/$page")) {
  include("pages/$page");                // any regular file inside pages/ can be reached this way
} else {
  include("pages/default.php");
}


+1


source


Use basename($_REQUEST['page']) to prevent potential access to other directories, and then check whether the file exists.

http://php.mirror.facebook.net/manual/en/function.basename.php

+1


source


As ceejayoz said in bucabay's answer, the requested page could have had a "../" which allows the user to easily break out of where they should be. My answer to another question should serve you well.

fooobar.com/questions/2502299 / ...

If the link dies: basically, you check the realpath() of the include directory and of the requested file; if the realpath() of the file starts with the realpath() of the include directory, it can be included. (I used strpos() == 0 to check whether the file path starts with the include path.)

0


source
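The realpath() containment check described in this answer, carried through as a complete script. This is an added example and not the answer's own code; the function name `safe_include_path` and the temporary directory tree it builds (a pages/ directory, a sibling pages_private/ directory and a config.php one level up) are constructed for the demonstration. It also shows two details a practitioner gets bitten by: comparing with `=== 0` rather than `== 0` (strpos() returns false when the prefix is absent, and in PHP false == 0 is true), and comparing against the base path with a trailing separator so a sibling directory whose name merely starts with "pages" does not pass.

```php
<?php
// Added example (not from the original answer): resolve the requested page
// with realpath() and accept it only if the canonical path lies inside the
// canonical pages directory.
declare(strict_types=1);

/**
 * Return the canonical path of pages/<requested>.php if it is inside $baseDir,
 * otherwise null.
 */
function safe_include_path(string $baseDir, string $requested): ?string
{
    // Reject NUL bytes up front rather than relying on how the file functions
    // of a given PHP version treat them.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Trailing separator: "/srv/pages_private/x.php" must not match "/srv/pages".
    $base .= DIRECTORY_SEPARATOR;

    // realpath() collapses "." and ".." and follows symlinks; it returns false
    // for files that do not exist and for stream wrappers such as php://filter.
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($target === false || !is_file($target)) {
        return null;
    }

    // Strict comparison: strpos() returns false when $base is not a prefix,
    // and with a loose "== 0" that false would be treated as a match.
    return strpos($target, $base) === 0 ? $target : null;
}

// --- demo on a constructed directory tree (assumption of this example) -----
$root = sys_get_temp_dir() . '/realpath_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
mkdir("$root/pages_private", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home page', PHP_EOL;");
file_put_contents("$root/pages_private/secret.php", "<?php echo 'SECRET', PHP_EOL;");
file_put_contents("$root/config.php", "<?php echo 'DB CREDENTIALS', PHP_EOL;");

$pagesDir = "$root/pages";
$requests = [
    'home',                     // inside pages/: accepted
    '../config',                // resolves to $root/config.php: outside, rejected
    '../pages_private/secret',  // sibling dir sharing the "pages" prefix: rejected
    'missing',                  // does not exist: realpath() returns false
    "home\0",                   // NUL byte: rejected before any file access
];
foreach ($requests as $req) {
    $path = safe_include_path($pagesDir, $req);
    printf("%-28s => %s\n", json_encode($req), $path === null ? 'REJECTED' : 'OK');
    if ($path !== null) {
        include $path;
    }
}

// The loose comparison mentioned in the answer: for a path that is not under
// $pagesDir at all, strpos() yields false, and false == 0 evaluates to true.
var_dump(strpos('/etc/passwd', "$pagesDir/") == 0);
var_dump(strpos('/etc/passwd', "$pagesDir/") === 0);

// remove the constructed tree again
foreach (["$root/pages/home.php", "$root/pages_private/secret.php", "$root/config.php"] as $f) {
    unlink($f);
}
rmdir("$root/pages");
rmdir("$root/pages_private");
rmdir($root);
```

Note that basename() alone, as suggested in the two answers above, only strips the directory part (basename("../../etc/passwd") is "passwd"), so it stops traversal but still lets the caller pick any file inside pages/; the realpath() check above does the same job for arbitrary paths, including symlinks that point outside the directory.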

