Pass value via $_GET in include_once [closed]

1

I need to pass a value to a page that is in include_once, but I do not know how to solve it:

The code I'm using for includes is in the main directory:

<?php
if (isset($_GET["p"])){
    if (file_exists($_GET["p"])){
        include_once($_GET["p"]);
    } else {
        include_once("main.php");
    }
} else {
    include_once("main.php");
}
?>

And the page I want to call via $_GET is inside the /includes/users/ directory.

The code below does not redirect to the page edit.php; it only reloads main.php.

echo "<td><a class='uk-button' href='index.php?p=includes/users/edit.php?id=$id'><i class='uk-icon-cog'></i> Edit</a>
    <a class='uk-button uk-button-danger' href='#'><i class='uk-icon-trash'></i> Delete</a></td>";

What I cannot do is get the edit.php page to load inside the include when it has a parameter, e.g. index.php?p=includes/users/edit.php?id=25. Without the parameter, the page edit.php loads normally.

I guess I should add something to the include code, but I have not found the solution yet.

asked by anonymous 12.12.2014 / 18:15

2 answers

2

Your code allows serious security breaches by letting the user freely view any file on the server.

I recommend trying something like this:

<?php
// Default page when nothing (or something unknown) is requested
$page = 'main.php';

if (isset($_GET["p"])){
  // Map a short key to a file the application chose; the user input
  // never becomes a path by itself
  switch($_GET["p"]){
    case '1':
      $page = 'conteudo.php';
      break;
    case '2':
      $page = 'edit.php';
      break;
  }
}

require_once($page);
?>

The solution is still bad, but it already provides a higher level of security for the application.

Explaining the problem

Imagine that you have a configuration file with the data to access the database; this file is called exemplo.config.

What would happen if the user passed this to your code: ?p=exemplo.config?

Your code would include the configuration file and would display the contents of the file in the user's browser.

12.12.2014 / 18:29
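The allowlist idea from this answer, carried one step further, as an added example that is not part of the original answer: a front controller that maps a short page key to a file chosen by the application, plus a second check that the resolved file really sits below the application root. The page keys and file names (main.php, includes/users/list.php, includes/users/edit.php) are assumed for illustration, and the code assumes PHP 8 and that those files exist under the directory of this script.

```php
<?php
// Added example, not code from the question or the answers.
// Maps a page key from $_GET to a developer-chosen file, so user input
// never becomes a path. File names are assumed for illustration.
declare(strict_types=1);

const DEFAULT_PAGE = 'main.php';

// Allowlist: the only files that may ever be included. The key is what the
// URL carries; the value is a path the developer wrote, not the user.
const PAGES = [
    'main' => 'main.php',
    'list' => 'includes/users/list.php',
    'edit' => 'includes/users/edit.php',
];

/**
 * Resolve the page key from the query string to a relative file path.
 * Unknown, missing or malformed keys fall back to DEFAULT_PAGE.
 */
function resolvePage(array $query): string
{
    $key = $query['p'] ?? 'main';
    if (!is_string($key)) {          // ?p[]=x would arrive as an array
        return DEFAULT_PAGE;
    }
    return PAGES[$key] ?? DEFAULT_PAGE;
}

/**
 * Second layer: even with an allowlist, confirm the resolved file sits
 * below the application root before including it. realpath() collapses
 * "..", symlinks and so on, so a stray entry in PAGES cannot escape.
 * Returns the absolute path, or null if the file is missing or outside.
 */
function confinedPath(string $relative, string $root): ?string
{
    $rootReal = realpath($root);
    $fileReal = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($rootReal === false || $fileReal === false) {
        return null;
    }
    // Compare with a trailing separator so "/app" does not match "/app2"
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($fileReal, $prefix) ? $fileReal : null;
}

// Dispatch: this replaces the include block from the question.
$file = confinedPath(resolvePage($_GET), __DIR__);
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
require_once $file;
```

With this in place the edit link becomes index.php?p=edit (with the record id passed as its own parameter), and a request such as ?p=exemplo.config or ?p=../../etc/passwd can only ever land on main.php, because the value is looked up in PAGES rather than used as a path.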
2
The problem is that query strings are key=value pairs, and the value for each key is all the characters between the equals sign and the multi-argument connector (&), if there is more than one, or the end of the string.

If you debug $_GET['p'] within isset() you will see that what is coming is not edit.php but edit.php?id=1.

Just swap the second question mark for the multi-pair connector (&) and it will work.

But I still have a caveat: what you tried to do in this code is extremely dangerous because you could allow this to happen:

arquvo.php?var=http://www.outrosite.com/script_malicioso.php

And your program would run without question.

The worst thing to do when working with query strings is to know beforehand the possible values for this variable that will be treated as a file to include, and to use a path known to you.

There are several ways, but the simplest of all is with N conditionals:

// Read the key once; "??" avoids an undefined-index warning when it is absent
$var = $_GET['var'] ?? '';

// Each known value maps to a file name the developer wrote
if( $var == 'contato' ) {
    $arquivo = 'contato.php';
} else if( $var == 'empresa' ) {
    $arquivo = 'empresa.php';
} else {
    // Anything else, including an empty or unknown value, gets the default page
    $arquivo = 'main.php';
}

include_once $arquivo;

You can use switches, which will make the code relatively larger but a bit more robust, or arrays, which will make everything pretty small at a cost in performance.

12.12.2014 / 18:24
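The query-string point made in this answer, shown concretely, as an added example that is not part of the original answer: it runs PHP's own query parser over the link from the question and over the corrected form, then builds the edit link with the id as a separate parameter and validates that id on the receiving side. The page key 'edit', the file name index.php and the helper names are assumptions for illustration; PHP 8 is assumed.

```php
<?php
// Added example, not code from the question or the answers.
// Shows why "?p=includes/users/edit.php?id=25" breaks, and how to carry
// the id as its own parameter. Names are assumed for illustration.
declare(strict_types=1);

/**
 * Hand a raw query string to parse_str(), the same parser PHP uses to
 * fill $_GET, and return the resulting array.
 */
function parseQuery(string $query): array
{
    parse_str($query, $out);
    return $out;
}

// The link from the question: only "&" separates pairs, so everything
// after the first "=" up to the end is the value of p. There is no
// "id" key at all, which is why edit.php never saw its parameter.
$broken = parseQuery('p=includes/users/edit.php?id=25');
var_export($broken);
echo "\n";

// With "&" the parser yields two keys, p and id, as separate entries.
$fixed = parseQuery('p=edit&id=25');
var_export($fixed);
echo "\n";

/**
 * Build the edit link the safe way: a short page key plus the record id,
 * joined by http_build_query() so both values are URL-encoded.
 */
function editLink(int $id): string
{
    return 'index.php?' . http_build_query(['p' => 'edit', 'id' => $id]);
}

/**
 * On the receiving side (inside the assumed edit.php), never use
 * $_GET['id'] as-is: require a positive integer before it reaches a
 * database query. Returns null when the value is missing or invalid.
 */
function validId(array $query): ?int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Rendering the row from the question with the corrected link. The href is
// escaped so the "&" inside it is a valid HTML attribute value.
$id = 25;  // constructed sample id
echo "<td><a class='uk-button' href='"
   . htmlspecialchars(editLink($id), ENT_QUOTES)
   . "'><i class='uk-icon-cog'></i> Edit</a></td>\n";

// Typical use in edit.php once the front controller has included it:
//   $id = validId($_GET);
//   if ($id === null) { http_response_code(400); exit('Invalid id'); }
var_export(validId($fixed));           // the id from the corrected link
echo "\n";
var_export(validId($broken));          // null: the broken link carried no id
echo "\n";
```

The two var_export() calls at the top make the answer's point visible: the first array has a single key whose value is the whole tail of the URL, the second has p and id as separate keys. Note that the id check does not remove the need for an allowlist on p; it only guards the parameter that edit.php itself consumes.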