Different approach to including files in PHP
A couple of days/weeks ago (I don't quite remember) I came across Savride's blog, where I also stumbled upon the article "Secure PHP variables $_GET, $_POST – wrapper function", which was kind of hard to digest at first… too much obfuscated code in one place… It's OK if it works for him, but for file inclusion I would rather have a different, more lightweight approach… Instead of doing all that input verification and whatever else there is, I use the following code… more readable, and as secure as his…
—
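<?php
// Fixed list of includable files; index 0 doubles as the fallback page.
$files = array("error.php", "news.php", "blog.php", "download.php");
// Cast to int so only a number ever reaches the lookup; a missing parameter means 0.
$index = isset($_GET["file"]) ? (int) $_GET["file"] : 0;
// Any index outside the list (negative included) falls back to the error page.
if ($index < 0 || $index >= count($files)) {
    include($files[0]);
}
else {
    include($files[$index]);
}
?>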
—
Just as simple as that… It could save a lot of effort in preventing RFI/LFI… won't you agree?… It's the developer's choice here… I always try to find a way to minimize my code while also keeping it safe…
Expecting just the expected -> http://www.0x000000.com/
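The same lookup written as a function, as an added example that is not code from the original post: `resolve_page` is a hypothetical name and the sample inputs are constructed. It goes slightly beyond the post by also rejecting array parameters and strings such as `2abc`, which the `(int)` cast alone would quietly accept.

```php
<?php
// Added example: hypothetical helper, not from the original post.
// Maps a request value to one of a fixed set of files; anything else gets the fallback.
function resolve_page(array $files, $raw, int $fallback = 0): string
{
    // ?file[]=1 arrives as an array and a missing parameter as null: reject both.
    if (!is_string($raw)) {
        return $files[$fallback];
    }
    // Plain decimal digits only: rejects "-1", "2abc", "1e1", " 3", "" and overlong input.
    if (!ctype_digit($raw) || strlen($raw) > 3) {
        return $files[$fallback];
    }
    $index = (int) $raw;
    // array_key_exists rather than a count() comparison, so gaps in the list are safe too.
    return array_key_exists($index, $files) ? $files[$index] : $files[$fallback];
}

$files = array("error.php", "news.php", "blog.php", "download.php");

// Constructed sample inputs standing in for $_GET["file"].
$samples = array(
    "2", "0", "4", "-1", "2abc",
    "../../etc/passwd", "http://example.com/x.txt",
    array("1"), null,
);
foreach ($samples as $raw) {
    $shown = json_encode($raw, JSON_UNESCAPED_SLASHES);
    printf("%-30s => %s\n", $shown, resolve_page($files, $raw));
}

// In the page itself, anchor the path so the include cannot depend on include_path:
// include __DIR__ . "/" . resolve_page($files, $_GET["file"] ?? null);
```

Because the request value is only ever used as an array index, no user-supplied string reaches `include`, which is the property the post relies on.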
2 comments so far
That way your code is just for simple file includes and mine IS NOT.
Yes, but I saw more importance in the wrapper as an LFI/RFI protection, 'cause for the other cases I see more use in other (built-in) functions… rather than doing regexp for everything…