

mhulse
12-06-2004, 01:32 AM
TITLE: Template security : To switch or not to switch?

Hi fellow PHP'ers!

I am using a switch/case statement on my main index/template page for tighter security (code snippet below)...

What would be a better alternative to the switch statement below? Can I write something more compact? I would like to avoid having to add every page to the statement... does anyone out there have better techniques/alternatives? I would love to know of a more modular/compact way that also keeps security tight/tighter. I am planning on writing a photo gallery that targets multiple variables on the main template page (a possible example: somePage.php?pageHolder1=somePage&pageHolder2=anotherPage&pageHolder3=someImage), and using the code below, I would have to add all of them if I want to get it to work... Ugh...:


<?php

if (!isset($_GET["display"])) {
$_GET["display"] = "home";
}

# Include the menu:
include($_SERVER['DOCUMENT_ROOT'].'/folio/inc/nav.inc.php');

# Figure out which page contents to display:
switch($_GET["display"]) {

// Home:
case "home":
include($_SERVER['DOCUMENT_ROOT']."/folio/gutz/home_gutz.php");
break;

// About:
case "about":
include($_SERVER['DOCUMENT_ROOT']."/folio/gutz/about_gutz.php");
break;

// Work:
case "work":
include($_SERVER['DOCUMENT_ROOT']."/folio/gutz/work_gutz.php");
break;

// Page default (404):
default:
include($_SERVER['DOCUMENT_ROOT']."/folio/gutz/error_gutz.php");
break;

} // End switch.

?>


Hopefully I am making sense... please help. :)

Thanks a billion peeps, I appreciate any help you could send my way.

Cheers
Micky

tsinka
12-06-2004, 08:00 AM
Hi,

something like this might be easier:


<?php
$validPages = array("home","about","work");

if (isset($_GET["display"])) {
$page = $_GET["display"];
} else {
$page = "home";
}

// Include the menu:
include($_SERVER['DOCUMENT_ROOT'].'/folio/inc/nav.inc.php');

if (in_array($page,$validPages)) {
include $_SERVER['DOCUMENT_ROOT'].'/folio/gutz/'.$page.'_gutz.php';
} else {
include $_SERVER['DOCUMENT_ROOT'].'/folio/gutz/error_gutz.php';
}
?>


Just add any valid page to the array on top of the script and you're done.

Thomas
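The allow-list idea above, carried through to the multi-parameter gallery the original poster describes (pageHolder1, pageHolder2, pageHolder3). This is an added example, not code from the thread: the slot names, the file names and the /var/www/folio/gutz location are assumptions for illustration. The point it adds is that the URL value is used only as a lookup key into a fixed table, so no request text ever becomes part of an include path, and that each slot gets its own table and default.

```php
<?php
// Added example (not from the original thread): an allow-list dispatcher for
// several page "slots" at once, e.g. ?pageHolder1=work&pageHolder2=single&pageHolder3=img02
// Slot names, file names and the base directory are assumptions for illustration.
declare(strict_types=1);

// One allow-list per slot. Keys are the only values accepted from the URL;
// values are the files that may be included. Nothing from $_GET ever becomes
// part of a path directly.
const PAGE_SLOTS = [
    'pageHolder1' => ['home' => 'home_gutz.php', 'about' => 'about_gutz.php', 'work' => 'work_gutz.php'],
    'pageHolder2' => ['thumbs' => 'thumbs_gutz.php', 'single' => 'single_gutz.php'],
    'pageHolder3' => ['img01' => 'img01_gutz.php', 'img02' => 'img02_gutz.php'],
];
const DEFAULTS = ['pageHolder1' => 'home', 'pageHolder2' => 'thumbs', 'pageHolder3' => 'img01'];
const ERROR_PAGE = 'error_gutz.php';

/**
 * Resolve every slot from a request array to a file path under $baseDir.
 * A missing slot falls back to its default; an unknown or non-string value
 * maps to the error page instead of being interpolated into a path.
 */
function resolve_slots(array $request, string $baseDir): array
{
    $resolved = [];
    foreach (PAGE_SLOTS as $slot => $allowed) {
        $key = DEFAULTS[$slot];
        if (isset($request[$slot])) {
            // $_GET values can be arrays (?pageHolder1[]=x); only accept strings.
            $key = is_string($request[$slot]) ? $request[$slot] : '';
        }
        // array_key_exists() is an exact string lookup: no loose comparison,
        // no regex, and no file system probing with attacker-controlled text.
        $file = array_key_exists($key, $allowed) ? $allowed[$key] : ERROR_PAGE;
        $resolved[$slot] = rtrim($baseDir, '/') . '/' . $file;
    }
    return $resolved;
}

// The pattern the thread is moving away from, kept only to show the contrast:
// whatever is in the URL becomes part of the include path.
function unsafe_path(string $page, string $baseDir): string
{
    return $baseDir . '/' . $page . '_gutz.php';
}

// Demo with constructed input (no real request is read here).
$base = '/var/www/folio/gutz';      // assumed location of the page fragments
$samples = [
    ['pageHolder1' => 'about', 'pageHolder2' => 'single', 'pageHolder3' => 'img02'],
    ['pageHolder1' => '../../../etc/passwd', 'pageHolder2' => 'single'],
    ['pageHolder1' => ['home'], 'pageHolder3' => "img01\0"],
];
foreach ($samples as $i => $req) {
    printf("request %d:\n", $i);
    foreach (resolve_slots($req, $base) as $slot => $path) {
        printf("  %s -> %s\n", $slot, $path);
    }
}
// In the template itself the inner loop body would simply be: include $path;
printf("unsafe: %s\n", unsafe_path('../../../etc/passwd', $base));
```

Requests 1 and 2 resolve the traversal string, the array value and the NUL-suffixed name to error_gutz.php, while the unsafe_path() line shows the traversal surviving intact. Adding a page means adding one table entry; no code path ever builds a file name from the request.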

mhulse
12-07-2004, 05:00 PM
Great! Thanks for the help tsinka! I really appreciate it!

Here is my adaptation of your code; let me know if you see anything funky... PHP security is something I am just now starting to concentrate on:


<?php

$valid_pages = array(); // Declare $valid_pages as an array (good practice).
$valid_pages = array('home', 'about', 'work'); // Put valid pages into array for inclusion.

if(isset($_GET['display'])) {
    $page = $_GET['display'];
} else {
    $page = 'home';
}

// Include the menu:
include($_SERVER['DOCUMENT_ROOT'].'/folio/inc/nav.inc.php');

// Make sure $page is alphanumeric. preg_match() replaces the old eregi(), which was removed in PHP 7.
if(preg_match('/^[a-z0-9\-_.]+$/i', $page)) {
    $dir = $_SERVER['DOCUMENT_ROOT'].'/folio/gutz/'; // Same directory the include below uses, so file_exists() checks the right file.
    $name = '_gutz';
    $ext = '.php'; //.php, .html, .txt, whatever

    if(file_exists($dir.$page.$name.$ext)) {
        if(in_array($page, $valid_pages, true)) { // Strict comparison: no type juggling.
            include($dir.$page.$name.$ext);
        } else {
            include($dir.'error'.$name.$ext);
        }
    } else { echo '404 - Not Found'; } // Or something similar.
} else { echo 'Naughty Naughty, very Naughty.'; }

?>
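The post above layers a character pattern and a file_exists() probe on top of the array check. If the array is ever dropped (the original poster wanted to avoid listing every page), the pattern alone is what stands between the URL and include(), so the added example below shows the check that belongs there in that case: canonicalise the candidate with realpath() and require it to sit directly inside the resolved base directory. This is not code from the thread; it builds a throwaway gutz directory in the system temp dir so it runs stand-alone, and the file names and symlink are constructed for the demo.

```php
<?php
// Added example (not from the original thread): canonical-path containment for
// a "pattern + file exists" page include. Directory layout is created in a temp
// dir for the demo; nothing here reads a real request.
declare(strict_types=1);

/**
 * Map a URL page name to a file inside $baseDir, or return null.
 * Three independent gates: the character allow-list, the fixed suffix, and
 * realpath() containment, so a mistake in one does not open the include.
 */
function resolve_page(string $page, string $baseDir): ?string
{
    // Character allow-list: letters, digits, - and _ only. No slash, no dot, no NUL.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/i', $page)) {
        return null;
    }
    $root = realpath($baseDir);
    if ($root === false) {
        return null;
    }
    // realpath() resolves symlinks and ".." and returns false for missing files.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $page . '_gutz.php');
    if ($candidate === false) {
        return null;
    }
    // Containment: the resolved file must live directly under the resolved base.
    if (dirname($candidate) !== $root) {
        return null;
    }
    return $candidate;
}

// Build a throwaway layout: <tmp>/gutz/{home,about}_gutz.php plus a file outside gutz.
$tmp  = sys_get_temp_dir() . '/folio_demo_' . getmypid();
$gutz = $tmp . '/gutz';
mkdir($gutz, 0700, true);
file_put_contents($gutz . '/home_gutz.php',  "<?php echo 'home';\n");
file_put_contents($gutz . '/about_gutz.php', "<?php echo 'about';\n");
file_put_contents($tmp . '/secret_gutz.php', "<?php echo 'should never be reachable';\n");
// A symlink inside gutz that points outside it (silently skipped where symlinks are unavailable).
@symlink($tmp . '/secret_gutz.php', $gutz . '/link_gutz.php');

$inputs = ['home', 'about', 'link', '../secret', "home\0", 'missing'];
foreach ($inputs as $in) {
    $result = resolve_page($in, $gutz);
    printf("%-12s => %s\n", addcslashes($in, "\0..\37"), $result ?? 'rejected');
}
// home and about resolve; link is rejected by the containment check because its
// realpath() lies outside gutz; ../secret and home\0 fail the pattern; missing is
// rejected because realpath() returns false for a file that does not exist.

// Cleanup.
@unlink($gutz . '/link_gutz.php');
unlink($gutz . '/home_gutz.php');
unlink($gutz . '/about_gutz.php');
unlink($tmp . '/secret_gutz.php');
rmdir($gutz);
rmdir($tmp);
```

In the template, the caller would do `$path = resolve_page($page, $_SERVER['DOCUMENT_ROOT'] . '/folio/gutz'); if ($path === null) { include the error page } else { include $path; }`. The containment check matters even with the pattern in place: the pattern says nothing about what a file inside the directory points to, and realpath() is what catches a symlink or an unexpected mount leading elsewhere.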