I have the commonly used PHP $_GET idiom to include a file and display it as a page, like this:
index.php?F=contact
<?php
$file = $_GET['F'];
include('the_files/' . $file . '.php');
?>
This will display the file contact.php.
For security reasons I want to filter the
$file = $_GET['F'];
with some kind of code so that only text without symbols and without slashes gets into the include.
I tried with:
<?php
// $mysqli is assumed to be an open mysqli connection; the function expects it as first argument
$clean_file = mysqli_real_escape_string($mysqli, $_GET['F']);
include('the_files/' . $clean_file . '.php');
?>
But it seems like this is only to clean MySQLi...
Any idea how to do that?
Try:
$file = preg_replace('/[^a-z_\-]/i', '', $_GET['F']);
Of course, I would just run a test and send them to IC3, if they're trying to hack your page.
You're right, it's really tricky to allow the user to control which script gets executed. I would go further than just sanitizing the input. Instead, I would analyze the full path and make sure it's within the allowed directory.
// path to include files, relative to the document root
const INCLUDE_DIR = '/the_files/';
// absolute, canonical path of the include directory
$baseDir = realpath($_SERVER['DOCUMENT_ROOT'] . INCLUDE_DIR);
$file = $_GET['F'];
// resolve the real path (after resolving ../ and ./); the .php suffix is
// appended so only PHP pages inside the directory can be selected
$fileFullPath = realpath($baseDir . DIRECTORY_SEPARATOR . $file . '.php');
// if the directory or the file doesn't exist
if($baseDir === false || $fileFullPath === false ||
    // or the resolved file is not inside INCLUDE_DIR (prefix check on the
    // canonical path, so ../ tricks and symlinks pointing outside are caught)
    strpos($fileFullPath, $baseDir . DIRECTORY_SEPARATOR) !== 0
):
    http_response_code(404); // 404 Not Found error
    exit;
endif;
// here we know that the file exists and is in INCLUDE_DIR
include $fileFullPath;
You can do the following:
Make a whitelist like this and check whether the parameter value is in the whitelist or not.
$whitelist = array('aaa', 'bbb', 'ccc');
$page = isset($_GET['page']) ? $_GET['page'] : '';
// strict comparison: the value must be exactly one of the listed strings
if(in_array($page, $whitelist, true)){
    include($page . '.php');
}else{
    include('default.php');
}
Or check if the file exists, if all possible values are filenames:
$file = preg_replace('/[^a-z]/', '', $_GET['page']) . '.php'; // remove all non-a-z characters
// the cleaned name must point at an existing file
if(file_exists($file)){
    include($file);
}else{
    include('default.php');
}
Use this function:
$file = mysql_prep($_GET['f']);

function mysql_prep( $value ) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0
    if( $new_enough_php ) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if( $magic_quotes_active ) { $value = stripslashes( $value ); }
        $value = mysql_real_escape_string( $value );
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if( !$magic_quotes_active ) { $value = addslashes( $value ); }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}