If I have this index:
    if (isset($_GET['se'])) {
        $se = $_GET['se'];
        if (file_exists("{$se}.php")) {
            require("{$se}.php");
        }
        else {
            require("page_error.php");
        }
    }
    else {
        require("page_error.php");
    }
A link like the following doesn’t work:
    $pwrurl = "http://example.com/login/?se=change_password?usermail=".$email."&usercode=".$linkHash;
Only something like: http://example.com/login/?se=change_password will be accepted.
Can this be solved?
Beware!
Letting the user decide which file to include without any validation will introduce a vulnerability to your server. They could point your script to any sensitive file.
You should limit the possibilities of what can be included, like this:
This way they can only read the files you put in the array.
Edit: Also, just like everyone else said, you should separate different param=argument pairs in the URL with & instead of ?. The ? is used to separate the page name from the argument list.
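An added example, not part of the original answer, showing one way to apply both points: `se` is looked up in a fixed allowlist, and the link is built with `http_build_query` so the pairs are joined with `&`. The names `resolve_page` and `build_link`, the `login` entry and the sample addresses are assumptions made for illustration.

```php
<?php
// Allowlist: request value => file on disk. Only change_password and
// page_error appear on the page; the 'login' entry is hypothetical.
const PAGES = [
    'change_password' => 'change_password.php',
    'login'           => 'login.php',
];

// Hypothetical helper: returns the file to require for a parsed query string.
function resolve_page(array $query): string
{
    $se = $query['se'] ?? null;
    // Only an exact string key of the allowlist maps to a file.
    // Arrays (se[]=...), path fragments and unknown names fall back.
    if (is_string($se) && array_key_exists($se, PAGES)) {
        return PAGES[$se];
    }
    return 'page_error.php';
}

// Hypothetical helper: builds the link with & between pairs and
// percent-encoded values, so se keeps only the page name.
function build_link(string $page, array $params): string
{
    $query = http_build_query(['se' => $page] + $params, '', '&', PHP_QUERY_RFC3986);
    return 'http://example.com/login/?' . $query;
}

// Constructed sample URLs (not taken from real traffic).
$samples = [
    // The link from the question: second "?" ends up inside the se value.
    'http://example.com/login/?se=change_password?usermail=a@example.com&usercode=abc123',
    // The same link built correctly.
    build_link('change_password', ['usermail' => 'a@example.com', 'usercode' => 'abc123']),
    // Values outside the allowlist.
    'http://example.com/login/?se=../private/config',
    'http://example.com/login/?se[]=change_password',
];

foreach ($samples as $url) {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    printf("%-22s <= %s\n", resolve_page($query), $url);
}

// In index.php the call would be:
// require __DIR__ . '/' . resolve_page($_GET);
```

Only the second sample resolves to `change_password.php`; for the link from the question, `se` parses as `change_password?usermail=a@example.com`, which is why the original `file_exists` check failed.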