Enable security
<?php
if (preg_match('/^[a-z0-9]+$/', $_GET['page'])) {
    $page = realpath('includes/'.$_GET['page'].'.php');
    $tpl = realpath('templates/'.$_GET['page'].'.html');
    if ($page && $tpl) {
        include $page;
        include $tpl;
    } else {
        // log error!
    }
} else {
    // log error!
}
?>
How safe would you say it is? Gumbo here on Stack Overflow wrote this.
Dynamic switch-on safety
I want to hear your opinions.
I'd say it's pretty safe. Just don't let anything write to these folders. PHP files are traditionally found in the root directory of a web server, which is a dangerous place to start from. It would be better to put the upload files in an area that is completely inaccessible from the outside, in case a configuration error occurs or the .htaccess file goes missing.
I could see some potential problems in there, especially if the "page" variable contained ".." or other similar things that might allow them to see something they shouldn't.
I do something like this on several of my sites, but check the "page" first to make sure it links to one of the valid pages.
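The allowlist check described in the last answer, combined with a base-directory containment test, as an added example that is not part of the original thread. `resolve_page()`, the `$allowed` list and the temp-directory layout are assumptions made for illustration.

```php
<?php
// Added example: resolve ?page= against an explicit allowlist, then confirm
// the resolved file really lives under the intended base directory.
// resolve_page(), $allowed and the directory layout are assumptions.

function resolve_page($requested, array $allowed, string $baseDir, string $ext): ?string
{
    // ?page[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . $ext);
    if ($base === false || $path === false) {
        return null; // missing directory or file
    }
    // Containment check: catches a symlink inside $baseDir pointing elsewhere.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo layout in a temp directory so the script runs offline.
$root = sys_get_temp_dir() . '/include_demo_' . getmypid();
@mkdir("$root/includes", 0700, true);
@mkdir("$root/templates", 0700, true);
file_put_contents("$root/includes/home.php", "<?php // page logic\n");
file_put_contents("$root/templates/home.html", "<h1>Home</h1>\n");
file_put_contents("$root/includes/admin.php", "<?php // on disk, not in the allowlist\n");

$allowed = ['home', 'about'];   // 'about' is listed but has no files on disk

// Constructed inputs: valid page, unlisted page, listed-but-missing page,
// a traversal string, and an array as sent by ?page[]=home.
foreach (['home', 'admin', 'about', '../home', ['home']] as $input) {
    $page = resolve_page($input, $allowed, "$root/includes", '.php');
    $tpl  = resolve_page($input, $allowed, "$root/templates", '.html');
    $ok   = $page !== null && $tpl !== null;
    // In the question's snippet this is where `include $page; include $tpl;` would run.
    printf("%-12s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES),
           $ok ? 'include' : 'reject + log');
}
```

Only the `home` input resolves in both directories; every other input is rejected before any `include` is reached.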