|
|
Posted by J.O. Aho on 08/10/05 17:34
juglesh wrote:
> please comment on the following methods of preventing cross site
> scripting and/or other nastiness:
>
> 1:
> $pages = array('home','contact','about','links' );
> // could also build this array with readdir('MySafeDir') ??
> if( in_array($_GET['page'], $pages) )
> { include $_GET['page'].".php";}
> else {die("Nice Try."); }
>
> 2:
> include "my_prefix_".$_GET['page'].".php";
>
> 3:
> include "my_safe_dir/".$_GET['page'].".php";
>
> 4:
> include_path=".:/myIncludes";
> include $_GET['page'].".php";
>
You should see to remove all '..' from the paths, otherwise people could
navigate outside your secure directory.
The best IMHO is to use aliases for pages, and you hard code what the alias
mean, this way it will difficult to get the php script to display something
else than those pages you want.
//Aho
Navigation:
[Reply to this message]
|