PHP Developers Network
http://forums.devnetwork.net/

Proper Includes via $_GET
http://forums.devnetwork.net/viewtopic.php?f=34&t=36850
Page 2 of 4

Author:  shiflett [ Sun Aug 14, 2005 8:33 pm ]
Post subject: 


Author:  Roja [ Sun Aug 14, 2005 9:05 pm ]
Post subject: 


Author:  shiflett [ Sun Aug 14, 2005 9:09 pm ]
Post subject: 


Author:  nielsene [ Sun Aug 14, 2005 9:57 pm ]
Post subject: 


Author:  nielsene [ Sun Aug 14, 2005 9:58 pm ]
Post subject: 


Author:  shiflett [ Sun Aug 14, 2005 10:07 pm ]
Post subject: 


Author:  nielsene [ Sun Aug 14, 2005 10:13 pm ]
Post subject: 

Yup I've seen that too...

All these little exceptions are why I don't do user-provided includes. If I had to, I'd use the basename function, coupled with a regexp ([-A-Za-z0-9_]), with forced ending (.php or .inc depending on your preference, etc.). The null-byte, full stops, and slashes wouldn't survive that.

As always, state what you'll accept, not what you'll reject. It's too easy to miss something if you only list the bad stuff.

Author:  Todd_Z [ Sun Aug 14, 2005 11:22 pm ]
Post subject: 

Oh, I see the security holes now. But no - I keep my server as clean as possible.

Author:  timvw [ Mon Aug 15, 2005 10:13 am ]
Post subject: 

can come in quite handy ;)

Author:  juglesh [ Wed Aug 17, 2005 10:02 am ]
Post subject: 


Author:  nielsene [ Wed Aug 17, 2005 12:42 pm ]
Post subject: 

Well the null byte can stop the .php. I'm not sure if an attacker could get a series of ^H control codes in to delete the prefix, but that might be possible via some encoding or another.

Author:  DeprecatedDiva [ Sat Aug 20, 2005 7:02 pm ]
Post subject: 


Author:  nielsene [ Sat Aug 20, 2005 7:16 pm ]
Post subject: 

Yes, an explicit list of approved includes is a much more secure starting point. It's still possible to "mess it up" but it's generally much safer.
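
Putting the two suggestions from this thread together (accept only a fixed character set with a forced extension, as in the earlier basename/regexp post, and check the name against an explicit list of approved includes, as here), the following is an added example and not code posted in the thread. The include directory, the extension and the page names are assumptions; the regexp is anchored with \A and \z so that a trailing newline cannot slip past a bare $.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. It turns a page name taken from
// $_GET into an include path using the checks discussed above: accept only a
// fixed character set, force the extension, and require the name to be on an
// explicit list of approved includes. Directory, extension and page names are
// assumptions for the demonstration.

const INCLUDE_DIR    = '/path/to/includes';            // assumed include directory
const INCLUDE_EXT    = '.inc';                         // forced extension
const APPROVED_PAGES = ['main', 'accounts', 'page2'];  // explicit list of approved includes

/**
 * Returns the include path for $requested, or null if it must be rejected.
 * Nothing is included here; the caller decides what to do with the path.
 */
function resolve_include(string $requested, string $baseDir, array $approved, string $ext): ?string
{
    // 1. State what is accepted, never what is rejected. \A and \z anchor the
    //    whole string (a bare $ would still allow a trailing newline), so a
    //    null byte, a dot, a slash or a backslash anywhere in the value fails.
    if (preg_match('/\A[-A-Za-z0-9_]{1,64}\z/', $requested) !== 1) {
        return null;
    }

    // 2. Even a well-formed name is only used if it is explicitly approved.
    if (!in_array($requested, $approved, true)) {
        return null;
    }

    // 3. The path is assembled here, with the extension appended by us, so the
    //    request can only ever choose the file's stem.
    return $baseDir . DIRECTORY_SEPARATOR . $requested . $ext;
}

// Constructed sample values, as a browser or a hostile client might send them.
$samples = [
    'main',                 // approved
    'page2',                // approved
    'etc',                  // valid characters, but not on the approved list
    'main.php',             // dot rejected by the character set
    "main\0",               // null byte rejected for the same reason
    '../../default',        // dots and slashes rejected
    "main\n",               // trailing newline rejected thanks to \z
];

foreach ($samples as $value) {
    $path = resolve_include($value, INCLUDE_DIR, APPROVED_PAGES, INCLUDE_EXT);
    printf("%-20s -> %s\n", addcslashes($value, "\0..\37"), $path ?? 'rejected');
}

// Front-controller usage: fall back to a fixed default page on rejection.
// is_string() guards against pid[]=... turning the value into an array.
$pid  = isset($_GET['pid']) && is_string($_GET['pid']) ? $_GET['pid'] : 'main';
$page = resolve_include($pid, INCLUDE_DIR, APPROVED_PAGES, INCLUDE_EXT)
     ?? INCLUDE_DIR . DIRECTORY_SEPARATOR . 'default' . INCLUDE_EXT;
// include $page;  // commented out so the example runs without the files present
echo "would include: $page\n";
```

The order of the checks matters less than the fact that none of them tries to clean the value up: a name either matches the pattern and appears on the list, or it is replaced by the default page. Because the path is built from a constant directory, the validated stem and a constant extension, the request never supplies a directory component or an extension at all.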

Author:  Jenk [ Mon Oct 10, 2005 8:28 am ]
Post subject: 

Bit of forum necromancy here; I sometimes use the following:
<?php

$files = array('main', 'accounts', 'page2', 'blahblah', 'etc');

// The request value is only used as an integer index into this fixed list,
// so the path itself is never built from user-supplied text.
// The @include has to be parenthesised: otherwise PHP parses
// "include(A) or include(B)" as include((A) or include(B)), i.e. include('1').
(@include('/path/to/includes/' . $files[intval($_GET['pid'])] . '.inc')) or include('/path/to/includes/default.php');

?>


on my front controller(s) :)

Author:  Skara [ Mon Oct 10, 2005 8:08 pm ]
Post subject: 

and that has to be the best way I've ever seen. ;)
