Is this secure including? Or is it possible to use some RFI/LFI or what’s

Question

0

Asked: June 3, 20262026-06-03T06:33:22+00:00 2026-06-03T06:33:22+00:00

Is this secure including? Or is it possible to use some RFI/LFI or what’s

0

Is this secure including? Or is it possible to use some RFI/LFI or what’s it called?

$request_uri = explode('/', $_SERVER['REQUEST_URI']);
$script_name = explode('/', $_SERVER['SCRIPT_NAME']);

for ($i = 0; $i < sizeof($script_name); $i++) {
    if ($request_uri[$i] == $script_name[$i])
    {
        unset($request_uri[$i]);
    }
}

$command = array_values($request_uri);

if (file_exists('controllers/' . $command[0] . '.php')) {
    include 'controllers/' . $command[0] . '.php';
}

update:

if (isset($_GET['p'])) {
    $pages = array('home', 'login', 'register');
    $page = filter_var($_GET['p'], FILTER_SANITIZE_URL);

    if (in_array($page, $pages) && file_exists($page . '.php')) {
        include ($page . '.php');
    } else {
        include ('404.php');
    }  
}
else {
    include ('home.php');
}

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-03T06:33:24+00:00

Editorial Team

2026-06-03T06:33:24+00:00Added an answer on June 3, 2026 at 6:33 am

Your code feeds any arbitrary string provided by the user to PHP’s include; this is bad and pretty much a textbook example of https://www.owasp.org/index.php/Server-Side_Includes_(SSI)_Injection

What problem are you trying to solve that requires this?

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Is this secure including? Or is it possible to use some RFI/LFI or what’s

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply