I have a website in php that does include() to embed the content into a template. The page to load is given in a get parameter, I add ".php" to the end of the parameter and include that page. I need to do some security check to avoid XSS or other stuff (not mysql injection since we do not have a database). What I've come up with is the following.
$page = $_GET['page'];
if(!strpos(strtolower($page), 'http') || !strpos($page, '/') ||
!strpos($page, '\') || !strpos($page, '..')) {
//append ".php" to $page and include the page
Is there any other thing I can do to furtherly sanitize my input?
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…