Jump to content

Dynamic Include Files and Security/Performance


samtwilliams

Recommended Posts

Hi All,

 

I have written the following to validate my dynamic includes, one question is i will be using sessions to control user access to certain pages. Obviously the session_start() has to go into my index.php file. Can anyone see any problems with this or my dynamic include validation code. My page varilable is populated using the mod_rewirte function in appache.

 

<?PHP 
include('inc/settings.inc.php');
if(isset($_GET['page'])) {
//remove slashes
$page = stripslashes($_GET['page']);
//rebuild the extension and file name
		$filename = 'lib/'.$page.'.php';
		//Check to see if the file exists in lib
	if (file_exists($filename)) {
		//Dynamic Switch
	$allowed =	array( 	array("test", "New Customers"),
						array("home", "Home Page"),
				);
		$iffed = false;
		$get_section = $_GET['page'];
		//Create a dynamic switch to check for files being in my allowed array
			foreach($allowed as $rd) {
					if($get_section == $rd[0]) {
					$iffed = $rd;
					$content = $filename;
					foreach($rd as $value) {
						$page_title = $value;
					}						
				}
			}
		if($iffed === false) {
		//File is not in my include list.
			die( "Page does not pass the validated inclusion list." );
		}		
	} else {
	//Page does not exist in my lib folder.
		die('Page does not exist, please contact the administrator.');
	}
} else {
// If no page is requested then default home.
$filename = 'lib/home.php';
$content = '1';
$page_title = 'Home';
}
?>

 

Thanks in advance.

 

Sam

Link to comment
Share on other sites

I might not be completely understanding what you're doing with the foreach loops inside a foreach loop - but I would think you could accomplish the same security check by using the in_array() function instead. somthing like:

 

<?php
$page = "my-page";
$allowed = array("my-page","some-other-page","etc...");
if(!in_array($page,$allowed)){
exit("You do not have permission to view this page!");
}
?>

Link to comment
Share on other sites

I would personally try not to use $_GET and file names to include files. You can open yourself up to a whole mess of security issues and this has been the main way that people can get inside information about your machine - provided that you aren't using PHP's security features like open_basedir() or PHP Safe Mode.  The best thing to do would be to write a map of files to an ID or something and pass that ID into the $_GET and match it to a hard set of values in your database or an array or some sort.

 

Don't get me wrong, your method will work, but may cause security issues.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.