Securing PHP?

Hikari

I want to have a basic templateish system where I can just specify ?p=<page> and it will include it, this is basically what I'm using now:

<?
if (!$_REQUEST['p']) {
	$p = 'main';
} else {
	$p = $_REQUEST['p'];
}
?>

----snip-----

<? require("$p.inc.php"); ?>

I'm worried that someone might be able to abuse it to include stuff that I don't want them to (by using .. or whatever, executing commands with ``). Is there a standard method used to secure scripts like that?
Thanks for your help.

procoder

You should use $_GET instead first of all.

Somone could possibletahpe in p=../../ and access vauble info, I suggest adding a check to replace "/" with nothing

Hikari

Thanks, but whats the diffrence between REQUEST and GET?

procoder

Heres the info I can get

An associative array consisting of the contents of $GET, $POST, and $_COOKIE.

Youd rather look through a bigger list or a more defined list? Its proper and shorter 🙂

tbach2

You're absolutely right to not trust user input. You have to plan as if every user variable contains something evil.

There are several ways you can deal with it:

decouple values. set up something like this...

switch($evil_variable) {
    case 'red':    //do something
                   break;
    case 'white':  //do something else
                   break;
    default:       // do default action
}

pass numeric data

<?php
$index = (int)($_GET['index'];
// or
$query = sprintf("SELECT * FROM table WHERE id='%d'", $_GET['id']);

use regex to make sure you get only what you expect

preg_match("/^(([a-zA-Z0-9_-]*\.*)*[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+)/",$_GET['mail'],$match);
$mail = $match[1];