Enable security

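<?php
// Accept only a lowercase alphanumeric page name: no dots, slashes or null bytes.
// The isset()/is_string() guards cover a missing parameter and ?page[]=x arrays.
if (isset($_GET['page']) && is_string($_GET['page']) && preg_match('/^[a-z0-9]+$/', $_GET['page'])) {
    // realpath() returns false when the file does not exist.
    $page = realpath('includes/'.$_GET['page'].'.php');
    $tpl = realpath('templates/'.$_GET['page'].'.html');
    if ($page && $tpl) {
        include $page;
        include $tpl;
    } else {
        // log error!
    }
} else {
    // log error!
}
?>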

      

How safe is it to say? Gumbo here on Stack Overflow wrote this.
Dynamic switch-on safety

I want to hear your opinions.

amuses

+1




4 answers


My first thought is not security, but why in the world would you do this?



+2




I'd say it's pretty safe. Just don't let anything write in these folders. PHP files are traditionally found in the root directory of a web server, which is dangerous to start from. Better would be to put the upload files in an area that is completely inaccessible to the outside if a configuration error occurs or an .htaccess file goes missing.



+2




You include your own code. How safe is it?

0




I could see some potential problems in there, especially if the "page" variable contained ".." or other similar things that might allow them to see something they shouldn't.

I do something like this on several of my sites, but check the "page" first to make sure it links to one of the valid pages.

0
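
The allowlist check described in the last answer, combined with the `realpath()` lookup from the question, as an added example that is not part of the original thread. The names in `$allowedPages`, the helper `resolve_page()` and the directory layout relative to `__DIR__` are assumptions.

```php
<?php
// Added example; resolve_page(), the page names and the layout are hypothetical.

/**
 * Resolve a requested page name to the two files to include, or null.
 */
function resolve_page($requested, array $allowed, string $baseDir): ?array
{
    // Reject a missing parameter and arrays (?page[]=x) before any string handling.
    if (!is_string($requested)) {
        return null;
    }
    // Strict allowlist comparison: only names the site defines can pass.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $paths = [];
    foreach (['includes' => '.php', 'templates' => '.html'] as $dir => $ext) {
        $root = realpath($baseDir . DIRECTORY_SEPARATOR . $dir);
        $file = realpath($baseDir . DIRECTORY_SEPARATOR . $dir
            . DIRECTORY_SEPARATOR . $requested . $ext);
        // realpath() returns false for missing files and resolves symlinks,
        // so the prefix check catches a link that points outside the directory.
        if ($root === false || $file === false
            || strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
            return null;
        }
        $paths[$dir] = $file;
    }
    return $paths;
}

$allowedPages = ['home', 'about', 'contact']; // constructed sample list
$paths = resolve_page($_GET['page'] ?? null, $allowedPages, __DIR__);

if ($paths === null) {
    // Log a fixed message; the raw request value is not written to the log.
    error_log('Rejected page request');
    http_response_code(404);
    exit;
}
include $paths['includes'];
include $paths['templates'];
```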

