I'm making a small site.
Instead of having a header.php and a footer.php with the necessary info (functions, DB connection, HTML head) and including them on every page, I'd like to have it all in index.php. But then I have to add pages to a whitelist and all this. I'd just like to be able to drop it in pages/ and then access it with index.php?page=test
How would I include pages without having to make a big whitelist? How about using preg_match and checking that the page variable only contains a-z, no evil dots? If it only contains letters a-z, include? Or maybe use glob and scan pages/, adding them to an array so I don't have to edit index.php every time?
Please tell me your thoughts and ideas.
<html>
<head>
<title>SindACC</title>
</head>
<body>
<?php include($page) ?>
</body>
</html>
If you don't want to use a whitelist, use basename on the $page variable to eliminate any parent dir exploit, then include the file in the pages/ directory. As long as you don't put files which should not be seen in that directory, you're fine.
Just put all your pages in a folder (say "/pages"). Then before you do the include you check to see if the file exists in the pages folder.
I'd definitely do the regex checking or even just flat-out sanitize (strip anything not alpha-numeric for example), then you can do a file_exists() check and if that succeeds, then include.
Have a directory for pages, clean invalid characters out of the page path, and only include files from the pages directory. I think you have the right idea.
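Like the others said, make sure you sanitize the variable. Here is one possible way, but there's like 20 ways you could do this:
function sanitizeAlpha($string)
{
    // Collect every ASCII letter in the input; everything else is dropped.
    if (preg_match_all('/[A-Za-z]/', $string, $matches) > 0)
    {
        // $matches[0] holds the matched letters in order; join them back up.
        return implode($matches[0]);
    } else {
        // No letters at all: refuse the request.
        die('Invalid Page Name');
    }
}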
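Added example, not part of any answer above: one way to combine the character check, the fixed pages/ directory and the file-exists check the answers suggest, so a new file dropped into pages/ works without editing index.php. It assumes PHP 8; `PAGES_DIR`, `resolvePage()` and the `home` default page are hypothetical names chosen for illustration.

```php
<?php
// Added example, not code from the thread. PAGES_DIR, resolvePage() and the
// 'home' default are assumptions made for illustration. Requires PHP 8.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

/**
 * Map a user-supplied page name to a file inside $dir, or return null.
 */
function resolvePage(mixed $name, string $dir = PAGES_DIR): ?string
{
    // ?page[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($name)) {
        return null;
    }
    // Reject rather than strip: only a-z, 0-9, '_' and '-', 1 to 64 chars.
    // \A...\z is used instead of ^...$ because $ also matches just before
    // a trailing newline.
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($dir);
    if ($base === false) {
        return null; // pages directory is missing
    }
    // The extension is fixed here, never taken from the request.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    // realpath() resolves symlinks, so a link that points outside pages/
    // fails the prefix check below.
    if ($path === false || !is_file($path)
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$file = resolvePage($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

Everything in pages/ becomes reachable through `?page=`, so helper scripts and config files belong outside that directory.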