stackoom
  简体   繁体   中英

include file using array in php

 原文  2014-07-08 18:24:19       php

Question

I have two files to be included in the index.php. One is config.php and the other is db.php. I used 

<?php include 'config.php'
include 'db.php' ?>

Tested on a vulnerability scanner rips. It says Userinput reaches sensitive sink. include include ('config.php'). Proof of concept /index.php?file=../../../../../../../etc/passwd.

The suggestion is 

$files = array("index.php", "main.php");  
if(!in_array($_GET["file"], $ files)) exit;

Can you anyone please explain how to add config.php and db.php according the suggestion above?. I have both my files in an include folder.

Can anyone have look at http://cxsecurity.com/issue/WLB-2011040079 .

1 answers

solution1
 0  2014-07-08 21:09:05

The suggestion you received is that you hard-code a list of valid values for $_GET['file'] and then check user input against that list. If you'd like to allow additional files, simply add them to the list: 

$files = array("index.php","main.php","config.php","db.php");

I'm not sure if this will help you pass whatever vulnerability test you are running, but it will ensure that only files you deliberately list will be included.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question php include file in array Could not include file using PHP php how to include multi array out of an file PHP include external file and make an Array PHP include array-content from file Include array from text file in PHP script Using PHP include to include a file with it's own included file Using Include Files with PHP Associative Array Dynamically include css or Js file using php Using “include” to put CSS into PHP file
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM