Is this a safe way to include pages from a $_GET parameter:
$pg = basename($_GET['pg']);             // strip any directory part from the request value
if (is_file('views/' . $pg . '.php')) {  // only include if such a view file actually exists
    require 'views/' . $pg . '.php';
}
I sanitize the parameter using basename() and all the possible files for including are in a "views/" subdirectory. It seems safe, but I want to be sure.
The reason I want to do this is because I currently use mod_rewrite to define all my URLs, but I want a single point of entry and I'd rather keep defining them that way than use a router. So I'd have a rule like this:
RewriteRule ^item/(\d+)/?$ index.php?pg=item&id=$1 [L,NC]
And my index.php would look like this:
ob_start();                              // buffer the view's output
$pg = basename($_GET['pg']);             // strip any directory part from the request value
if (is_file('views/' . $pg . '.php')) {  // only include if such a view file actually exists
    require 'views/' . $pg . '.php';
}
$content = ob_get_clean();               // captured view output, rendered by the template
require 'template.php';
Any opinions? Thanks.
A wise idea is to write your own array of whitelisted files that can be included. After that, check your $_GET['pg'] against the array via in_array().
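The whitelist approach from the answer above, written out as an added example (not code from the question or the answer). The view names in VIEWS are assumed; they stand in for whatever files actually live under views/.

```php
<?php
// Added example: whitelist-based front controller. The requested page
// name is matched against a fixed list, so the request can never select
// a file that was not explicitly meant to be an entry point.

declare(strict_types=1);

// Assumed view names; replace with the real files under views/.
const VIEWS = ['home', 'item', 'about'];
const VIEW_DIR = __DIR__ . '/views';

/**
 * Resolve a requested page name to an absolute view path, or return
 * null when the name is not one of the allowed views.
 */
function resolveView(string $pg): ?string
{
    // Strict comparison avoids loose matches such as "0" == "home".
    if (!in_array($pg, VIEWS, true)) {
        return null;
    }
    $base = realpath(VIEW_DIR);
    $path = realpath(VIEW_DIR . '/' . $pg . '.php');
    // Defence in depth: the resolved file must still sit inside views/.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$pg = (string) ($_GET['pg'] ?? 'home');
$view = resolveView($pg);
if ($view === null) {
    // Unknown page: fail closed rather than falling through to an include.
    http_response_code(404);
    exit('Not found');
}

ob_start();
require $view;
$content = ob_get_clean();
require __DIR__ . '/template.php';
```

Adding a new page then means adding its name to VIEWS as well as creating the file, which is the point: nothing becomes includable just by existing in the directory.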