1

This code have some problem of Security? is a correct way to make a query string ?

I don't usually use this type of code, so my question.

 <?php
    $id = $_REQUEST['id'];
    ?>
    <?
    switch($id) {

        case "principal":
            $pagina = "pag.php";
            break;
        case "perfil":
            $pagina = "secure.php";
            break;

        default:
            $pagina = "home.php";
            break;
    }
    ?>

    <?
    if( (isset($pagina)) and (file_exists($pagina)) ) {
        include($pagina);
    } else {
        echo "Page error";
    }
    ?>
Improve this question
2
  • 1
    require_once is much better practise instead of include and try to use intval if it possible (in your ids) Commented May 5, 2011 at 14:42
  • 2
    disagree with require_once, it takes a little longer than require and if your app is organized correctly you shouldnt need it. Commented May 5, 2011 at 15:02

5 Answers 5

Reset to default
1

If your select statement gets big i'd recommend using arrays:

// array of pages
$paginas = array(
    'principal' => 'pag.php',
    'perfil' => 'secure.php'
);

$id = (int)$_GET['id'];

if ( isset( $paginas[$id] ) && file_exists($paginas[$id]) ) {
    require( $paginas[$id] );
}
else {
    require('home.php');
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

The only possible problem is that if you're getting ID from the $_REQUEST, someone could change your query by putting ?id=x in the URL string. It might not matter in your case (tough to say since we don't know the full context of what's going on) but it's a possibility. You could make it a bit more secure by sending the variable to the page via a $_POST, which is hidden to the user.

Improve this answer

Comments

1

An intruder could guess the id from secure.php and access it by entering yourpage.php?id=perfil in his browser...

Improve this answer

1 Comment

if the page is private i will use sessions
0

You have a handler for every situation involving $id so it should be safe. You also don't need this since $pagina will always be set: (isset($pagina))

Improve this answer

Comments

0

I'd add some htmlspecialchars to that. You'll never know what people could try doing!

If you wanted to be "doubley" sure, then you could always do;

filter_var($val, FILTER_SANITIZE_STRING);
Improve this answer

5 Comments

Why would you add htmlspecialchars? It makes no sense in the context of what is being done.
This is true and be getting over zealous with it all. Still, filter_var is always good.
You are familiar with KISS principle? :)
neither of those are necessary and while they might seem like a good practice they waste CPU time (which doesn't matter for small sites, but if it gets large it could) -- you can't break out or inject code into a switch statement expression.
In this case, I agree it's not necessary since he covers his bases with his switch statement.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.