
I'm having a little problem. I want to securely include files based on the $_GET Parameter from a subdirectory + handle if the parameter is not valid.

<?php
// One block per page; every block repeats the same isset() check
// and compares the parameter against one hard-coded page name.
if (isset($_GET['p']) && $_GET['p'] == 'fahrzeuge') {
    include 'includes/cars.php';
}
if (isset($_GET['p']) && $_GET['p'] == 'impressum') {
    include 'includes/impressum.php';
}
if (isset($_GET['p']) && $_GET['p'] == 'home') {
    include 'includes/home.php';
}
if (isset($_GET['p']) && $_GET['p'] == 'anfahrt') {
    include 'includes/anfahrt.php';
}
if (isset($_GET['p']) && $_GET['p'] == 'about') {
    include 'includes/about.php';
}
?>

This is my code. Sorry, I know it is a noob way of solving this. How can I improve it? Any suggestions/help would be highly appreciated.


Set an array of legit pages. Check once if $_GET['p'] is set and, if so, assign its value (after escaping it) to a variable $p.

Then check if the requested page ($p) is defined in your pages array; if so, include it.

// Allowlist of pages that may be included; anything else falls back to home.
$pages = array('about', 'contact', 'home');

$p = 'home'; // Default page
if (isset($_GET['p'])) {
    $p = $_GET['p']; // no need to escape, as we compare it to predefined values as @Yoshi suggested
}

// The request value is only used once it has matched an allowlisted entry.
if (in_array($p, $pages)) {
    include 'includes/' . $p . '.php';
} else {
    include 'includes/home.php';
}

8 Comments

Thanks for the fast reply. I will test it and accept your question if it works. Or, in case it doesn't work the way I want, I will let you know or ask you.
Sure, no problem. Update me.
Is it actually necessary to do htmlspecialchars() AND check against an array? If $p contains special characters, it just won't load anything, because the value wouldn't be in the array. If it's a page name, it has to be a file name, which means that there shouldn't be any special characters anyway, except I guess maybe a space.
Hey, it does work, but I also want to handle the case where a user is trying to modify the parameter. In this case the page includes nothing and looks horrible, so I want to include the home page instead. I'm afraid it's something really simple :P
Don't escape p; just use it as the array key and as the value to include the page.

I would use a ternary to set a variable that tells the page what to include.

This is very similar to Ofir Baruch's answer, except much shorter.

// Allowlist of pages that may be included.
$pages = array('about', 'contact', 'home');

// Use the requested page only if it is set and allowlisted; otherwise fall back to home.
$p = isset($_GET['p']) && in_array($_GET['p'], $pages) ? $_GET['p'] : 'home';
include "includes/{$p}.php";

Basically, you have an array of the pages that are possible. In the ternary, we check whether $_GET['p'] is set (isset()) AND whether the value it contains is in the array. If it is, we use $_GET['p'] as $p; if it is not, we set $p to home. This means that home will always be the default if $_GET['p'] is not set or is not a valid page as per the array.
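Both answers rely on an allowlist; the following is an added example (not code from either answer) that pushes the same idea one step further with an explicit map from page key to file name, assuming PHP 8 and an includes/ directory beside the script. The request value is only ever used as an array key, non-string input such as ?p[]=x falls back to the default, and a realpath check confirms the resolved file still lives under includes/.

```php
<?php
// Added example, not from the answers above. Assumes PHP 8 and includes/ next to this script.
declare(strict_types=1);

// Public page key => file inside includes/. The key and the file name may differ
// (the question's 'fahrzeuge' page lives in cars.php), and only these files can be included.
const PAGES = [
    'home'      => 'home.php',
    'fahrzeuge' => 'cars.php',
    'impressum' => 'impressum.php',
    'anfahrt'   => 'anfahrt.php',
    'about'     => 'about.php',
];

/**
 * Resolve the requested page key to a file path under $includesDir.
 * Anything that is not a string exactly matching a known key (a missing
 * parameter, an array value, an unknown or malformed page name) yields the
 * default page, so the request value never reaches the path itself.
 */
function resolvePage(mixed $requested, string $includesDir, string $default = 'home'): string
{
    $key = is_string($requested) && array_key_exists($requested, PAGES)
        ? $requested
        : $default;
    return $includesDir . DIRECTORY_SEPARATOR . PAGES[$key];
}

$includesDir = __DIR__ . '/includes';
$file = resolvePage($_GET['p'] ?? null, $includesDir);

// Defence in depth: even with a fixed map, confirm the canonical path is
// inside includes/ before including it, and fail closed otherwise.
$real = realpath($file);
$base = realpath($includesDir);
if ($real === false || $base === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
    http_response_code(500);
    exit('page not available');
}

include $real;
```

With this map, renaming or removing a page is a one-line change to PAGES, and the fallback behaviour the question asks for (unknown or tampered parameter shows the home page) is handled in resolvePage().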
