I am currently doing a security review of a PHP web application. It uses commands like this (language is being submitted as get parameter):
$language = addslashes($language);
include("/var/pathtodir/$language/index.html");
I see that a hacker could include the index.html file from any path location. But can he include ANY file?
Thanks in advance,
phaethon
It is usually mentioned that addslashes is used for database queries, not for security. What are the potential security issues with addslashes, and what should be used instead of it?
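As an added illustration of the point raised above (this is example code, not code from the post or from the application under review), the snippet below shows why addslashes() does nothing to constrain a path: it only escapes quotes, backslashes and NUL bytes, so a value made of dots and slashes passes through unchanged and is interpolated straight into the include path. Beside it is an allowlist check, which is the usual fix when the parameter is a short code such as a language name. The base directory, the allowed language codes and the sample inputs are assumptions chosen for the demonstration.

```php
<?php
// Added example (not from the original post): addslashes() versus an
// allowlist for a language code used to build an include path.
// LANG_DIR and ALLOWED_LANGS are assumed values for this illustration.

const LANG_DIR = '/var/pathtodir';          // assumed base directory
const ALLOWED_LANGS = ['en', 'de', 'fr'];   // assumed set of valid codes

// Mirrors the approach in the post: escape quotes, then build the path.
function pathWithAddslashes(string $language): string
{
    $language = addslashes($language);
    return LANG_DIR . "/$language/index.html";
}

// Safer approach: only a value that is literally one of the known codes
// reaches the path; anything else falls back to a default language.
function safeLanguagePath(string $language): string
{
    if (!in_array($language, ALLOWED_LANGS, true)) {
        $language = 'en';
    }
    return LANG_DIR . "/$language/index.html";
}

// Constructed inputs: a normal code, a traversal sequence (contains no
// quotes, so addslashes() leaves it untouched), and a value with a quote.
$inputs = ['en', '../../../etc', "it'x"];

foreach ($inputs as $in) {
    printf("input %-16s addslashes path: %s\n", var_export($in, true), pathWithAddslashes($in));
    printf("%-22s allowlist path:  %s\n", '', safeLanguagePath($in));
}
```

Run with `php example.php`. For the traversal input the addslashes() version yields `/var/pathtodir/../../../etc/index.html`, i.e. the escaping had no effect on where the include resolves, while the allowlist version maps every unknown value to `/var/pathtodir/en/index.html`. Using strict comparison (`true` as the third argument to in_array) avoids loose type coercion when comparing the incoming string against the allowed codes.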