
Check referrer?

I am having a problem. I have this code:

<?php
// Code from the question: $theUrl comes straight from the query string
$theUrl = $_GET["url"];
include("$theUrl.php");

This gets the url, for example: http://mywebsite.com/index.php?url=test

But what if someone puts in:

http://mywebsite.com/index.php?url=http://theirwebsite.com/someEvilscript

How to avoid this? I want only scripts that I have on my server to be executed and not from other websites. Thanks for the help.


One of the good ways to handle this is to define a whitelist of files that can be included. If anything isn't in that list, it should be considered evil and never included.

For example :

<?php
$allowed = array('file1', 'file2', 'file3');

// Strict comparison (third argument true) so no type juggling is involved
if (isset($_GET["url"]) && in_array($_GET["url"], $allowed, true)) {
    // Safe to include: the name is one of the fixed entries above
    include($_GET["url"] . ".php");
} else {
    // Error message and don't include
    echo "Unknown page";
}
?>

Note: As suggested in the comments, the allowed list can be populated dynamically by scanning an allowed directory.
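A fuller version of the whitelist approach from this answer, including the dynamically scanned directory the note mentions, as an added example (not the answer author's code). It assumes a hypothetical pages/ directory next to the front controller and keeps the request parameter name url from the question; the Referer header asked about in the title is attacker-controlled and is deliberately not consulted.

```php
<?php
// Added example, not code from the original answer.
// Assumptions: includable pages live in a hypothetical "pages/" directory
// next to this script, and the request parameter is still called "url".
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

/**
 * Build the allow-list by scanning the page directory (the option the note
 * above describes). Only plain "name.php" files whose name matches a
 * conservative pattern are accepted; dotfiles, subdirectories and anything
 * with unusual characters are ignored.
 */
function allowedPages(string $dir): array
{
    $allowed = [];
    foreach (scandir($dir) ?: [] as $entry) {
        if (preg_match('/^[a-z0-9_-]+\.php$/i', $entry) && is_file("$dir/$entry")) {
            $allowed[] = substr($entry, 0, -4); // strip the ".php" suffix
        }
    }
    return $allowed;
}

/**
 * Resolve the request parameter to a path inside PAGES_DIR, or return null.
 *  - rejects non-string input (?url[]=x would otherwise reach in_array)
 *  - strict in_array(): no type juggling between "0", 0 and false
 *  - realpath containment check as a second line of defence, so a stray
 *    symlink in pages/ or an accidentally widened list still cannot escape
 */
function resolvePage($requested, array $allowed): ?string
{
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage($_GET['url'] ?? 'home', allowedPages(PAGES_DIR));
if ($page === null) {
    // Unknown or malformed page name: fail closed, never include
    http_response_code(404);
    echo 'Unknown page';
    exit;
}
include $page;
```

With this in place, ?url=test includes pages/test.php only if that file exists in the scanned directory, while ?url=http://theirwebsite.com/someEvilscript, ?url=../index and ?url[]=test all fall through to the 404 branch. If allow_url_include is enabled in php.ini it should be turned off as well; the whitelist makes the remote include unreachable, but disabling the option removes the capability entirely.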


You really shouldn't have any code that looks like that. And I mean really. What are you trying to achieve with this? I'm sure there's another way to do the same without the risks (and, let's say, general ugliness).

Like HoLyVieR suggests, whitelisting what can be included is the key to making your current code safe.


Why don't you just create test.php on your site and use http://mywebsite.com/test.php in the link? That way you can include your initialization script in test.php (and in the other scripts) if needed.
