On 16 April 2010 06:57, Micky Hulse <mickyhulse.li...@gmail.com> wrote:

> Hi,
> -snip-
> The above code snippet is used in a class which would allow developers
> (of a specific CMS) to include files without having to put php include
> tags on the template view.
> The include path will be using the server root path, and the include
> files will probably be stored above the web root.
> My question:
> What would be the best way to "clean" and secure the include string?
> Maybe something along these lines (untested):
> $invalidChars=array(".","\\","\"",";"); // things to remove.
> $include_file = strtok($include_file,'?'); // No need for query string.
> $include_file=str_replace($invalidChars,"",$include_file);
> What about checking to make sure the include path is root relative,
> vs. http://...?
> What do ya'll think? Any suggestions?
> Many thanks in advance!
> Cheers,
> Micky
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

It depends. What's exactly do you want to prevent? It doesn't seem like a
very big problem if someone tries to include an improper adderss or
nonexistent file, since that would simply make $data an empty string
(depending on your level of error reporting and whether you display or hide
warnings). If the included file decides to call ob_get_clean() or something
like that $data will be false. I can't think of what else you realistically
want to prevent.

Building a page with multiple templates is best done by using a good
template class. Allowing the inclusion of external PHP files from a CMS will
pose a risk if non-developers have access to the CMS as well. You're
basically allowing anyone to add (potentially untested) code to a live site
and I would recommend against doing it. If you want people to be able to
include, say, additional HTML content, use file_get_contents() instead.


Reply via email to