Comments on: Sanitized PHP Include Navigation through GET variable

By: usernamedenied

usernamedenied — Fri, 03 Apr 2009 06:10:05 +0000

Hi, sure I will post an updated example soon.
It might take a while because I’m currently doing an internship.

Thanks for the interest.

By: Andrew

Andrew — Fri, 03 Apr 2009 05:29:02 +0000

care to post an updated example?

By: usernamedenied

usernamedenied — Fri, 20 Feb 2009 15:11:18 +0000

Parkinm, thanks I have evolved my skills quite a bit. This example makes me laugh Thanks

By: parkinm

parkinm — Thu, 19 Feb 2009 23:20:36 +0000

no need for you to do the str replace in this example, and it isnt worth checking file_exist either (because if you added it to safe array it must exist right? )

however you should be checking that the get variable exists before you index it!

so I would say the code is:

if ( ! isset($_GET['page']) and ! in_array($_GET['page'], $allowed))
{
die;
}

include $_GET['page'];

By: usernamedenied

usernamedenied — Thu, 04 Dec 2008 21:35:44 +0000

^_^ Don’t worry, I think most of us learnt it the hard way. Error is human.. Anyone got more bad experiences?

By: Dave

Dave — Sat, 20 Sep 2008 11:17:20 +0000

Great article. I had this problem with some sites I built before – and I didn’t take the time to sanitize (I KNOW I KNOW!). I’ve had to learn the hard way. Instead of including files, one of my clients has a backend system where they can modify each page – so the request pulls up a database entry rather than a page – but this worked out for that just the same. I just pulled every page in the DB and only authorize those. I also put in a little “unauthorized_requests” log for logging whenever someone is tampering or just stumbles on the wrong page. Great site!

By: Bert

Bert — Sun, 31 Aug 2008 15:58:46 +0000

Jolly good show of spelling out an important concept.