来自 $_GET 的安全动态包含 [英] Safe dynamic include from $_GET

问题描述

这是从 $_GET 参数中包含页面的安全方法吗:

Is this a safe way to include pages from a $_GET parameter:

$pg = basename($_GET['pg']);
if (is_file('views/' . $pg . '.php')) {
  require 'views/' . $pg . '.php';
}

我使用 basename() 清理参数，所有可能包含的文件都在views/"子目录中.看起来很安全，但我想确定一下.

I sanitize the parameter using basename() and all the possible files for including are in a "views/" subdirectory. It seems safe, but I want to be sure.

我想这样做的原因是因为我目前使用 mod_rewrite 来定义我的所有 URL，但我想要一个单一的入口点，我宁愿继续以这种方式定义它们而不是使用路由器.所以我有这样的规则:

The reason I want to do this, is because I currently use mod_rewrite to define all my URLs, but I want a single point of entry and I'd rather keep defining them that way than use a router. So I'd have a rule like this:

RewriteRule ^item/(\d+)/?$ index.php?pg=item&id=$1 [L, NC]

我的 index.php 看起来像这样:

And my index.php would look like this:

ob_start();

$pg = basename($_GET['pg']);
if (is_file('views/' . $pg . '.php')) {
  require 'views/' . $pg . '.php';
}

$content = ob_get_clean();

require 'template.php';

有什么意见吗?谢谢.

推荐答案

明智的想法是使用可以包含的白名单文件编写自己的数组.之后，通过 in_array()

Wise idea is to write your own array with whitelisted files that can be included. After that, check your $_GET['pg'] against array via in_array()

这篇关于来自 $_GET 的安全动态包含的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！