Surpass Web Hosting Forums, PHP, MySQL: Dynamic Includes

Old July 31st, 2004, 11:14 PM   #19 (permalink)
TJ09
You could allow x=folder/file with the following modification to your code, as long as neither has a "." in it:
Code:
<?php
$x = isset($_GET['x']) ? $_GET['x'] : "";
$dir = "includes/";
$ext = ".php";
// Anchored at both ends: only letters, digits, "-", "_" and "/" may appear
// anywhere in the value, so "../file" is rejected. preg_match() replaces
// eregi(), which no longer exists in current PHP.
if(preg_match("~^[a-z0-9_/-]+$~i", $x)) {
  if(file_exists($dir . $x . $ext)) {
    include($dir . $x . $ext);
  } else {
    include($dir . "notfound" . $ext);
  }
} else {
  include($dir . "illegal" . $ext);
}
?>
Old July 31st, 2004, 11:39 PM   #20 (permalink)
Ancyru
Ah I see, looks good. I'll just have to make sure there is no period in the file or folder name.

Thanks for all the help guys.
Old August 3rd, 2004, 7:19 AM   #21 (permalink)
Ancyru
I've tried both versions but the script still seems to allow ?x=../file

How do I prevent that?
Old August 3rd, 2004, 7:57 AM   #22 (permalink)
Ancyru
Wait, got it working. Just gave up, no use of periods or slashes. Sucks being a PHP newb.

Code:
<?php

$x = isset($_GET['x']) ? $_GET['x'] : "";
$dir = "includes/";
$ext = ".php";

// Anchored at both ends with "+", so every character of the value must be
// in the set. The original "^[_a-z0-9-]" only tested the first character
// and would still have accepted a value such as a/../file.
// preg_match() replaces eregi(), which no longer exists in current PHP.
if(preg_match("/^[_a-z0-9-]+$/i", $x)) {
	if(file_exists($dir . $x . $ext)) {
		include($dir . $x . $ext);
	} else {
		include($dir . "notfound" . $ext);
	}
} elseif(!$x) {
	include($dir . "main" . $ext);
} else {
	include($dir . "error" . $ext);
}

?>
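Added example, not code from the thread or from either poster: a dispatcher that keeps the folder/file form TJ09 allowed in #19 while refusing the ../ values Ancyru asked about in #21, and additionally checks the resolved path with realpath() so that nothing outside the include directory is ever loaded. The includes directory layout and the sample values are assumed for illustration.

```php
<?php
// Added example (not from the thread). Directory name and inputs are assumed.
declare(strict_types=1);

const INCLUDE_DIR = __DIR__ . '/includes';   // assumed layout

// Whitelist: one or more segments of [a-z0-9_-] separated by single slashes.
// Anchored with ^ and $, so "../file", "a/../b", "a//b" and "/etc/x" fail.
function validInclude(string $x): bool
{
    return (bool) preg_match('~^[a-z0-9_-]+(/[a-z0-9_-]+)*$~i', $x);
}

// Defence in depth: after the pattern check, canonicalise the path and make
// sure it still lies under INCLUDE_DIR (catches symlinks pointing outside).
// Returns null when the page does not exist or escapes the directory.
function resolveInclude(string $x): ?string
{
    if (!validInclude($x)) {
        return null;
    }
    $base = realpath(INCLUDE_DIR);
    $file = realpath(INCLUDE_DIR . '/' . $x . '.php');
    if ($base === false || $file === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

// Constructed sample values showing what the anchored pattern accepts.
$samples = ['main', 'news/latest', '../config', 'news/../../etc/passwd',
            'a//b', '/etc/passwd', 'page.php'];
foreach ($samples as $sample) {
    printf("%-24s %s\n", $sample, validInclude($sample) ? 'allowed' : 'rejected');
}

// Dispatcher in the shape of the thread's scripts, with the hardened checks.
$x = isset($_GET['x']) ? (string) $_GET['x'] : '';
$target = resolveInclude($x === '' ? 'main' : $x);
if ($target !== null) {
    include $target;
} else {
    include INCLUDE_DIR . '/notfound.php';
}
```

The pattern alone stops traversal; the realpath() comparison is what protects you if a file inside includes/ is later replaced by a symlink to somewhere else.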