Now I’m wondering if it is safe to require files with only require($path).
For just the simplest example:
I have some form fields folder and name. So when I do require($somepath.'/'.$folder.'/'.$name.'.php') it can be easily relocated by inputting ‘../../admin/or/else/things/’.
It is a simple example, but there are (I expect so) many other ways to relocate $path.
So the question is:
– should I provide checks of the incoming path?
– if yes, how do I do it correctly?
If you want to require another file, based on user input, you should validate the folder and name fields very carefully. You don’t want users to require their own files (maybe a file they just uploaded) or any other nasties.
Ideally, you should create a list of acceptable values, like so:
Then you can just check whether the combination of name and folder fields they provided is valid:
But again, be very careful when allowing users to do things like this. You do not want to allow people to execute arbitrary code on your machine.
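An added example (not code from the answer above) of the allowlist approach the answer describes, in PHP. The `includes` directory, the folder and page names, and the form field names are assumptions; the user input is only compared against fixed strings and never used to build the path directly.

```php
<?php
// Added example: allowlist-based resolution of a user-supplied
// folder/name pair before calling require(). ALLOWED_PAGES and the
// includes directory are assumptions for illustration.
declare(strict_types=1);

// Allowlist: folder => list of page names. Anything else is rejected.
const ALLOWED_PAGES = [
    'pages' => ['home', 'about', 'contact'],
    'help'  => ['faq', 'terms'],
];

/**
 * Return the absolute path to include, or null if the (folder, name)
 * pair is not on the allowlist or does not resolve to a file under $base.
 */
function resolveInclude(string $base, string $folder, string $name): ?string
{
    if (!isset(ALLOWED_PAGES[$folder])
        || !in_array($name, ALLOWED_PAGES[$folder], true)) {
        return null;                       // not on the list: reject
    }
    $path = realpath($base . '/' . $folder . '/' . $name . '.php');
    $root = realpath($base);
    // Belt and braces: the resolved file must still live under $base,
    // so a stray symlink or misconfigured allowlist cannot escape it.
    if ($path === false || $root === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Untrusted form input; non-string values (e.g. folder[]=x) are treated as empty.
$folder = is_string($_POST['folder'] ?? null) ? $_POST['folder'] : '';
$name   = is_string($_POST['name'] ?? null)   ? $_POST['name']   : '';

$file = resolveInclude(__DIR__ . '/includes', $folder, $name);
if ($file === null) {
    http_response_code(400);
    exit('Unknown page');
}
require $file;
```

With this layout a request for folder=../../admin fails the isset() check before any path is built, and the realpath() comparison is a second, independent guard.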