2009-11-25 122 views
3

How do I sanitize this so that users can't pull in pages from outside the local domain? How do I clean up my include statement?

<?php 
if(!empty($_GET['page'])) 
{ 
    include($_GET['page']); 
} 
else 
{ 
    include('home.php'); 
} 
?> 
+0

<?PHP if(!empty($_GET['page'])) { include($_GET['page']); } else { include('home.php'); } ?> – Mike 2009-11-25 19:26:33

+8

Including a file whose path is based on user input is generally considered bad practice. – 2009-11-25 19:33:53

+0

While I agree with Moore, Greg shows a way to do this safely and effectively – 2009-11-25 19:44:15

Answers

12

The safest approach is to whitelist the pages:

$page = 'home.php'; 

$allowedPages = array('one.php', 'two.php', ...); 

if (!empty($_GET['page']) && in_array($_GET['page'], $allowedPages)) 
    $page = $_GET['page']; 

include $page; 
+0

Thanks Greg. This works great! – Mike 2009-11-25 20:38:40

2
 

// get the absolute file name of the page we want to see
// (realpath() returns false if the file does not exist and resolves any ../ and symlinks)
$page = realpath($_GET['page']);

// get the directory in which pages are, with a trailing separator so that
// a sibling directory such as "pages2" cannot pass as a prefix of "pages"
$mydir = dirname(__FILE__) . DIRECTORY_SEPARATOR;

// see if the included page is inside this allowed dir
if ($page === false || substr($page, 0, strlen($mydir)) !== $mydir) {
    die('go away hacker');
} else {
    include $page;
}
+0

Assuming there is no sensitive information in "$mydir", this is also how I would probably do it. – 2009-11-27 15:02:14

+0

The best option is to parse the URI (/some/page.html) and use it to determine which file needs to be included (or which function to call, class to instantiate, or whatever). But that isn't an answer to this particular question. – 2009-11-27 15:11:07

0

This isn't tested. I just wrote it quickly, but it should work (I hope), and it will certainly give you a foundation to start from.

define('DEFAULT_PAGE', 'home.php');
// A single file name with no slashes, ending in .php or .html (PCRE patterns need delimiters).
define('ALLOWED_PAGES_EXPRESSION', '/^[^\/]+\.php$|^[^\/]+\.html$/');

function ValidateRequestedPage($p)
{
    $errors_found = false;

    // Make sure this isn't someone trying to reference directories absolutely.
    if (preg_match('/^\/.+$/', $p))
    {
        $errors_found = true;
    }

    // Disable access to hidden files (IE, .htaccess), and parent directory.
    if (preg_match('/^\..+$/', $p))
    {
        $errors_found = true;
    }

    // This shouldn't be needed for secure servers, but test for remote includes just in case...
    if (preg_match('/.+:\/\/.+/', $p))
    {
        $errors_found = true;
    }

    if (!preg_match(ALLOWED_PAGES_EXPRESSION, $p))
    {
        $errors_found = true;
    }

    return !$errors_found;
}

if (!isset($_GET['page'])) { $page = DEFAULT_PAGE; }
else { $page = $_GET['page']; }

if (!ValidateRequestedPage($page))
{
    /* This is called when an error has occurred on the page check. You probably
       want to show a 404 here instead of returning false. */
    return false;
}

// This suggests that a valid page is being used.
require_once($page);
0

Just use a switch statement.

Check whether the $_GET variable is set, then run it through the cases, with a default that goes to home.php.
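Added example (not code from the question or any of the answers): a table-driven version of the whitelist idea from Greg's answer and the switch answer above. The request carries only a key; the file name comes from the table, so user input never becomes part of an include path, and an unknown key fails closed with a 404. The page names are assumptions for this example.

```php
<?php
// Map of request keys to files on disk. Only values from this table are ever
// included, so characters such as "../" or "://" in the request are irrelevant.
// The file names are assumed for this example.
$pages = array(
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
);

// Return the file for $requested, the default page when nothing was asked
// for, or null when the key is not in the table (fail closed).
function resolvePage(array $pages, $requested, $default = 'home')
{
    // ?page[]=x arrives as an array; treat anything that is not a
    // non-empty string as "no page requested".
    if (!is_string($requested) || $requested === '') {
        return $pages[$default];
    }
    // Exact key lookup: no interpretation of the value as a path.
    if (!array_key_exists($requested, $pages)) {
        return null;
    }
    return $pages[$requested];
}

$file = resolvePage($pages, isset($_GET['page']) ? $_GET['page'] : null);
if ($file === null) {
    header('HTTP/1.0 404 Not Found');
    exit('Page not found');
}

// Anchor the include to this script's directory rather than the working directory.
include __DIR__ . '/' . $file;
```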