Include security?

Hi,

Code:

=========

ob_start();                      // capture whatever the included/read file outputs
switch ($this->command)
{
       case 'include':
               @include($x);    // $x is the include string supplied by the template
               break;
       default:
               @readfile($x);   // raw file contents, no PHP execution
}
$data = ob_get_contents();       // captured output becomes the template data
ob_end_clean();

=========

The above code snippet is used in a class which would allow developers
(of a specific CMS) to include files without having to put PHP include
tags on the template view.

The include path will be using the server root path, and the include
files will probably be stored above the web root.

My question:

What would be the best way to "clean" and secure the include string?

Maybe something along these lines (untested):

$invalidChars=array(".","\\","\"",";"); // things to remove.
$include_file = strtok($include_file,'?'); // No need for query string.
$include_file=str_replace($invalidChars,"",$include_file);

What about checking to make sure the include path is root relative,
vs. http://...?

What do y'all think? Any suggestions?

Many thanks in advance!

Cheers,
Micky

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
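One way to approach the question above, as an added example that is not part of the original post or of the CMS it describes: instead of stripping characters out of the include string, resolve the name against a fixed base directory above the web root, reject anything that is not on an allow-list the developer registers, and confirm with realpath() that the result stays inside that directory. The class name IncludeResolver, the base directory /srv/app/includes, the allow-list entries, and the variables $command and $x are all assumptions made for the example.

```php
<?php
// Added example (not from the original post). Assumed names: IncludeResolver,
// $baseDir, $allowed, $command, $x.

final class IncludeResolver
{
    private string $baseDir;
    /** @var string[] names a template is permitted to include, relative to $baseDir */
    private array $allowed;

    public function __construct(string $baseDir, array $allowed)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new InvalidArgumentException("base directory does not exist: $baseDir");
        }
        $this->baseDir = $real;
        $this->allowed = $allowed;
    }

    /**
     * Returns the absolute path for $name, or null if the request is rejected.
     * Rejected: stream wrappers and URLs (http://, php://, data:, ...), absolute
     * paths, any '..' segment, names not on the allow-list, and anything that
     * resolves outside $baseDir (symlinks included, since realpath() is used).
     */
    public function resolve(string $name): ?string
    {
        // 1. Restricted character set: letters, digits, '_', '-', '/' and '.'.
        //    This excludes NUL bytes, ':', '\\', '?' and anything wrapper-like.
        if (!preg_match('#\A[A-Za-z0-9_\-/.]+\z#', $name)) {
            return null;
        }
        // 2. No absolute paths and no parent-directory segments.
        if ($name[0] === '/' || preg_match('#(^|/)\.\.(/|$)#', $name)) {
            return null;
        }
        // 3. Allow-list: only files the developer has registered may be named.
        if (!in_array($name, $this->allowed, true)) {
            return null;
        }
        // 4. Canonicalise and confirm the file really lives under the base directory.
        $path = realpath($this->baseDir . '/' . $name);
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $path;
    }
}

// Usage in place of the original switch: resolve first, then include or readfile.
$resolver = new IncludeResolver('/srv/app/includes',
                                ['header.php', 'footer.php', 'widgets/news.php']);
$command = 'include';      // assumed; stands in for $this->command in the post
$x = 'widgets/news.php';   // constructed sample value for the template's include string

$path = $resolver->resolve($x);
if ($path === null) {
    error_log('rejected include name: ' . $x);   // worth logging: a rejected name is a signal
    $data = '';
} else {
    ob_start();
    if ($command === 'include') {
        include $path;
    } else {
        readfile($path);
    }
    $data = ob_get_contents();
    ob_end_clean();
}
```

The allow-list is what makes the root-relative question moot: a template can only name files the developer chose to expose, so "http://..." never reaches include() at all, and the realpath() prefix check catches the cases a character blacklist misses (symlinks, encoded separators, names that are clean but point outside the directory).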

