开发者

index get var include

开发者 https://www.devze.com 2022-12-15 20:27 出处:网络
im making a small site And Instead of having a header.php and a footer.php with neccesarry info (functions,dbconnection, html head) and include on every page I\'d like to have it all in index.php. Bu

im making a small site

And Instead of having a header.php and a footer.php with neccesarry info (functions,dbconnection, html head) and include on every page I'd like to have it all in index.php. But then I have to add pages to an whitelist and all this. I'd just like to be able to drop it in pages/ and then access it with index.php?page=test

H开发者_开发知识库ow would I include pages without having to make a big whitelist? How about using preg_match and checcking that page variable only contain a-z. no evil dots. if it only contain letter a-z > include? or maybe use glob and scan pages/, add them to array so i dont have to edit index.php every time

please tell me your thoughts and ideas

<html>
<head>
<title>SindACC</title>
</head>
<body>

<?php include($page) ?>

</body>
</html>


If you don't want to use a whitelist, use basename on the $page variable to eliminate any parent dir exploit, then include the file in the pages/ directory. As long as you don't put files which should not be seen in that directory, you're fine.


Just put all your pages in a folder (say "/pages"). Then before you do the include you check to see if the file exists in the pages folder.


I'd definitely do the regex checking or even just flat-out santize (strip anything not alpha-numeric for example) then you can do a file_exists() check and if that succeeds, then include


Have a directory for pages, clean invalid characters out of the page path, and only include files from the pages directory. I think you have the right idea.


Like the others said, make sure you sanitize the variable. Here is one possible way, but theres like 20 ways you could do this:

function sanitizeAlpha($string)
{
    if (preg_match_all('/([A-Z]|[a-z]/', $string, $matches) > 0)
    {
        return implode($matches[0]);
    } else {
        die('Invalid Page Name');
    }
}
0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号