Home/ Questions/Q 9321051
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-19T03:46:44+00:00

basically what i want to do is: include($_SERVER[‘REQUEST_URI’]); Problem is, that this is not

  • 0

basically what i want to do is:

include($_SERVER['REQUEST_URI']);

Problem is, that this is not safe.
It would be safe, if it would point to "/allowed/directory/" or it’s subdirectories.
So i test for that with startsWith(“/allowed/directory/”).

However I’m still afraid of something like:

"allowed/directory/../../bad/directory"

Is there a way to check whether a string points to a specific directory or one of it’s
subdirectories in php?

(Basically apply all the /../ – or am i missing another security flaw?)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Once you’ve determined the prefix is correct, you can use preg_match like this:

    if(preg_match("#^[A-Za-z0-9/]+#", $string) {
    // correct
}
else {
    // incorrect
}

    The variable part you’re checking (non-static part) you typically want to be just alpha numeric.

    As long as you’re using include to include local PHP fils and properly validate your input (keeping that input simple) you should be fine. Just be extremely careful and test things throughly. You typically want to avoid passing user input into sensitive functions such as include. But with a framework, it’s sometimes difficult to avoid that.

    Another thing you could do is have a list of valid inputs to do an exact comparison. You could have this in an ini file and load it with parse_ini_file. This is usually the safest thing to do, just a little more work. You can also use a PHP file with an array, which works better with APC.

    • 0