nuk3 — Thu, 26 Dec 2002 11:53:38 +0000

I'll keep that code handy, I might need it again..

Mark Hensler — Thu, 26 Dec 2002 04:45:15 +0000

For the record...
if(!preg_match("/^[a-z0-9]+$/i", $page)) {

becomes:
if(!preg_match("/^[a-z0-9_\-]+$/i", $page)) {

nuk3 — Thu, 26 Dec 2002 01:50:49 +0000

No need to worry anymore, I've decided to scrap all the fancy scripting and include the template on each page, thanks for all your help anyway!

nuk3 — Thu, 26 Dec 2002 00:49:49 +0000

How can I make it so underscores and hyphens are allowed to be used? I cant make any sense of that validation code

ROB — Wed, 25 Dec 2002 00:09:32 +0000

also include will return false on failure, so a more compact method of testing success would be...

<?php
include(\"includes/$page.php\") or die(\"Page doesn't exist: $page.php\");

// or

if(!include(\"includes/$page.php\")) { // do something }
?>

Renegade — Tue, 24 Dec 2002 07:01:14 +0000

Yeah, don't you just hate people who do that? They think, just because it's there they should go have a look at it and see what havoc they can do? ...

Mark Hensler — Mon, 23 Dec 2002 07:20:53 +0000

It's always best to be paranoid about data coming into your scripts.

It's a very good idea to pattern match the filename first. That will prevent any wise guys from trying to navigate your filesystem.

The only ideal solution, IMO, is to know which files are allowed to be included. And to only include those files (such as a large CASE selection).

Side note... this IF statement is uneccessary:
if ($file != "." && $file != ".." && $file != ".htaccess") {

nuk3 — Mon, 23 Dec 2002 00:27:09 +0000

Hmmm, overkill it may be, but after reading through it seems allot safer.. What does everyone else think?

Fataqui — Sun, 22 Dec 2002 13:02:24 +0000

This may seem like over kill...

but, I never trust anything coming into my scripts.

I also read into the directory instead of file_exists();
because I have seen it cause trouble on some windows systems!

<?php
// error 1 = bad page name i.e., (\"page\" can only contain (a-z0-9)/i

// error 2 = bad page name i.e., (\"page\" to include does not exist)

// if a error is found redirect to....

$home = \"/members\";

// only allow by [GET METHOD], you can change this!

if (isset($_GET['page'])) {

// define $test....

$test = \"\";

// convert $_GET to simple $var name

$page = $_GET['page'];

// test what is coming into the script

// never trust anything sent to your scripts!

$test = verify($page);

// if the (page test = verify function) returns [0]
// everything is (OK) OK = include page was found
// so include the page from the (GET METHOD)

if ($test == 0) {

include('includes/'.$page.'.php');

} else {

// if the (page test = verify function) returns [1]
// something went wrong > (could be only 2 things)
// 1. bad page name [a-z0-9] only
// 2. include page not found.......
// redirect them, or change and (echo a error!)

header(\"Location: $home/\");

exit;

}

} else {

// we got here because there is no (GET METHOD $var ['page'])
// redirect them, or change and (echo a error!)

header(\"Location: $home/\");

exit;

}

// the function to verify the request from the users browser!

function verify($page) {

$test = 0;

// path to the includes directory

$dir = \"some_directory/on/your/server/to/includes\";

$check = \"\".$page.\".php\";

// change this to what you will allow in your include page names

if(!preg_match(\"/^[a-z0-9]+$/i\", $page)) { 

$test = 1;

} else {

$test = 1;

$handle=opendir($dir); 

while (($file = readdir($handle))!== false){ 

if ($file != \".\" && $file != \"..\" && $file != \".htaccess\") {

if ($file == $check) {

$test = 0;

}

}

}

closedir($handle);

}

return $test;

}
?>

Renegade — Sun, 22 Dec 2002 08:04:38 +0000

Quote: Originally posted by Mark Hensler
and beware... there is NO security in the above code.

Consider the following:
your_page.php?page=../.htaccess

How would get aroun that?