Is it possible to sanitise an include before it is executed to make sure that it exists on the server?
I want to avoid attackers compromising the file path using some sort of whitelist, is this possible?
My include looks like this:
require_once('../includes/front/header.php');
Answer:
How could the path be compromised? (Unless your require_once contains user input - avoid this!)
You could just check if the file exists using file_exists, e.g.:
// Only include the file when it is actually present on the server.
if (file_exists('../includes/front/header.php')) {
    require_once('../includes/front/header.php');
}
If you did want a whitelist though you could just create an
array of allowed path/filenames and then just use in_array to check its validity.
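The whitelist the answer sketches, worked through as an added example (this is not code from the original answer or the questioner's project). It assumes the script lives in a public directory, the shared templates sit in ../includes/front/, and the page key arrives in a hypothetical `page` request parameter; the file names in the whitelist are assumptions too. The point it demonstrates beyond the answer is the difference between the dangerous pattern (concatenating user input into the path, which lets `../` or PHP wrappers escape the intended directory) and a key-to-file lookup whose result is additionally pinned to the includes directory with realpath():

```php
<?php
// Added example: whitelist-based include instead of a user-controlled path.
// Assumed layout: this file is in public/, templates are in ../includes/front/.
// The 'page' parameter and the template file names are assumptions.

declare(strict_types=1);

// DANGEROUS (what the answer warns against): user input reaches the path.
//   require_once('../includes/front/' . $_GET['page'] . '.php');
// With page=../../config a caller escapes the includes directory.

/**
 * Allowed page keys mapped to template files. The user supplies only a key,
 * never a path; any key missing from this array is rejected outright.
 */
const ALLOWED_INCLUDES = [
    'header' => 'header.php',
    'footer' => 'footer.php',
    'nav'    => 'nav.php',
];

/**
 * Resolve a user-supplied key to an absolute include path inside $baseDir,
 * or return null if the key is not whitelisted, the file does not exist,
 * or the resolved file lies outside $baseDir.
 */
function resolve_include(string $key, string $baseDir): ?string
{
    // Whitelist check (the array lookup the answer suggests).
    if (!array_key_exists($key, ALLOWED_INCLUDES)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_INCLUDES[$key]);

    // realpath() returns false for a missing file, which also covers the
    // "does it exist on the server" check from the question.
    if ($base === false || $path === false) {
        return null;
    }

    // Containment check: even a mis-edited whitelist entry such as
    // '../../config.php' is rejected because it resolves outside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

$includesDir = __DIR__ . '/../includes/front';

// Accept only a string parameter; arrays or missing values fall back to the default key.
$page = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'header';

$file = resolve_include($page, $includesDir);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}

require_once $file;
```

The whitelist alone is what stops an attacker, because the request never names a file; the realpath() containment check is defence in depth against a future edit of the array, and it doubles as the existence check, since realpath() returns false for a path that does not resolve.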