How do i safely create an include

cayleyv

i had been using this code for creating pages, and it is no good:

www.site.com/index.php?page=mypage

<?php include $page . ".inc";?>

i found the following code, which uses the identical url above:

<? if ($page=='' || !file_exists($page.'.inc')) {
include_once('home.inc');
} else if (file_exists($page.'.inc')) {
include_once($page.'.inc');
}
?>

is the latter code secure against injections or hijacking? are there more checks this code needs?

another option i read about is this:
include realpath(dirname(FILE) . "/" . "relative_path");

im not sure how to implement this however

sincerely,

Rodney_H_

This has been covered MANY, MANY times on the boards here, so do a search of this topic.

The general idea that seems to widely accepted is to put the ACCEPTABLE requests into an array.

Then, when you receive a request for a certain file, IF it is acceptable, meaning that it is in the array of files you can serve to the users, then include it.

If it is a BAD request, either by mistake or done maliciously, you may serve your default page OR an error message, whichever you prefer.

Somthing like this:

<?php
// array of acceptable file request
$files = array('about','contact','order','products');

// default file to include if request is invalid or not set
$default = 'default.php';

if(!isset($_GET['page']) || !in_array($files, $_GET['page']))
{
       include_once($default); 
}
elseif(!file_exists($_GET['page'] . '.php'))
{
       include_once($default); 
}
else 
{
       include_once($_GET['page'] . '.php'); 
}
?>

Just keep in mind that you have to update the array everytime you add a new page, so it is probably best to put it this into a function and include your verification process into everypage, so each page has the same array, and that it is easy to maintain or change when needed...

Clarkey_Boy

Hi,

I was just wondering if someone could PLEASE tell me how you get those vertical lines in the previous post (the ones which mean OR)? Only I found out several weeks ago about what they mean, and I can see them on the key right underneath the escape key on my keyboard - but I have never found out how to get them.

Thanks,

Rodney_H_

edit:

Oh..........

Are you talking about the "tubes" ?

These: ||

You create them by pressing the SHIFT key and the backslash key: [/B]

(Note: The backslash key is above the ENTER key on the right of most keyboards...)

Houdini

It is also just below the backspace key and of course above the enter key on a MS type qwerty keyboard, and most other qwerty keyboards. You could use the word or (OR) to do the same thing.

Clarkey_Boy

Ah ok, thanks. I never would have thought to try shift\ as it shows the same symbol, but with a bit missing half way up, on the backslash key (the symbol is a ¦) - which I made using Alt Gr + the key I was describing earlier. Do these have any special meaning in php?

Drakla

Sometime you might hit across the same problem I did - shift \ didn't make a pipe, or the alt gr thing so I had to ascii the git in every time by holding alt, typing 124 on the keypad and then releasing alt.

Clarkey_Boy

Thats the way my dad told me to do it - but it just annoyed me too much just knowing that I could not figure it out and that I could not find a simpler way.

cayleyv

thank you for the response Rodney H.

Clarkey_Boy

Ah... sorry cayleyv... kinda got a bit off topic - about the "tubes" 'n' all. Will try not to do that again!