Include safety


<?php if (preg_match('/^[a-z0-9]+$/', $_GET['page'])) { $page = realpath('includes/'.$_GET['page'].'.php'); $tpl = realpath('templates/'.$_GET['page'].'.html'); if ($page && $tpl) { include $page; include $tpl; } else { // log error! } } else { // log error! } ?>

How safe would you say this is? Gumbo here on Stack Overflow wrote it.<br /><a href="https://stackoverflow.com/questions/524908/dynamic-include-safety/524959#524959" rel="nofollow"></a><a href="https://stackoverflow.com/questions/524908/dynamic-include-safety/524959#524959" rel="nofollow">Dynamic Include Safety</a>

I wanna hear your opinions.



My first thought isn't about safety, but about why in the world would you do that?


I'd say it's pretty safe. Just don't allow anything to write to those folders. PHP files are traditionally inside the web root of a server which is dangerous to start with. It would be better to place the files being loaded to an area that's absolutely inaccessible to the outside given a configuration error or a .htaccess file going missing.


you including your own code. how safe is it?


I could see some potential issues there, especially if the 'page' variable contained '..' or other such things that could allow them to see something they weren't supposed to be able to see.

I do something similar on a few sites of mine, but I would first check 'page' to make sure it references one of a set of allowed pages.


  • Regular expression - Text between colons
  • Extract text from HTML
  • Does supervisor block calls while restarting children?
  • Way to represent unknown file size in FTP LIST?
  • Is creating an image with Swing thread-safe?
  • Preserving existing text when writing to file
  • How to remove left and right margins from all wrapped rows in flexbox (without nth-child or js)
  • Return to second to last URL in MVC (return View with previous filter conditions applied)?
  • python string formatting fixed width
  • How to resolve docker host names (/etc/hosts) in containers
  • rapply over a nested list in R
  • Get the last date of each month in a list of dates in Python
  • Certain Arabic text gets incorrectly shown while other Arabic text gets showed normally?
  • PHP + XML - how to rename and delete XML elements using SimpleXML or DOMDocument?
  • Merge Module leaving files during uninstall
  • .NET video play library which allows to change the playback rate?
  • Migration to HRD - How to convert string-encoded keys to new application
  • how to populate a SQLite database and use that database in phonegap?
  • Where these are stored?
  • Symfony 2 error page response
  • vectorized indexing/slicing in numpy/scipy?
  • Detecting null parameter in preprocessor macro
  • How can I tell a form not to dispose a particular control when it closes?
  • Hash Code in SQL Server?
  • Intel-64 and ia32 atomic operations acquire-release semantics and GCC 5+
  • Read text file that is not in the main package in a runnable jar
  • Scala multiline string placeholder
  • Alternative To body {overflow:scroll;} That Will Prevent Page Jostling/Wriggling?
  • Display images in Django
  • Problem deserializing objects from cache on MyBatis 3/Java
  • Get data from AJAX - How to
  • Adding a button at the bottom of a table view
  • QLineEdit password safety
  • Javascript convert timezone issue
  • Why is the timeout on a windows udp receive socket always 500ms longer than set by SO_RCVTIMEO?
  • Buffer size for converting unsigned long to string
  • Hits per day in Google Big Query
  • How to get Windows thread pool to call class member function?
  • Android Heatmap on canvas or ImageView
  • Conditional In-Line CSS for IE and Others?