php - filter/sanitize QUERY_STRING with REGEX to prevent RFI attack

i would like to have a REGEX to filter/match the QUERY_STRING whenever contains the parameters like theese php|data|ftp|http|..|/|:// and any other character that can be used for Remote File Inclusion.

Thank's to all for the time:

PS: i know this is better done with htaccess but开发者_如何学运维 i need a regex now.

Don't, if that's your security, it's likely to break. Whitelist and/or check for existance of local files before including/requiring anything. Better yet: don't let anyone have any direct influence of what files you include with outside variables.

If you want to prevent remote file inclusion, you could simply disable the stream wrappers, e.g.

• allow_url_include - this option allows the use of URL-aware fopen wrappers with the following functions: include(), include_once(), require(), require_once().

and for any other URL aware functions

• disable allow_url_fopen - This option enables the URL-aware fopen wrappers that enable accessing URL object like files

If you want to check if the query param is a URL, you can use parse_url

if (parse_url($url) === FALSE) {

or use the filter_* functions

if (filter_var($url, FILTER_VALIDATE_URL) === FALSE) {