How safe is this?
if (isset($_GET["var"]) && file_exists("path/".$_GET["var"].".php")) {
include("path/".$_GET["var"].".php");
} else {
echo 'File Does Not Exist!';
}
I'm wondering if $_GET["var"] needs to be "sanitized" opposed to just letting it run against the file_exists function before trying to include it or not. Is this dangerous?
+++UPDATED+++
Thank you all for your responses! Please see updated below...
function mrClean($var) {
$clean_var = (isset($var) && !empty($var)) ? $var : 'index';
$clean_var = preg_replace('/[^-A-Za-z0-9_]/', '', $clean_var);
return $clean_var;
}
$var = mrClean($_GET["var"]);
if (file_exists("path/".$var.".php")) {
include("path/".$var.".php");
} else {
echo 'File Does Not Exist!';
}
When I call on mrClean to replace all, but the following:
- A-Z a-z 0-9 _ via preg_replace
...will this now be considered safe? Is there anything that can be added to make this any safer?
I will implement a whitelist as suggested... but anything else?
Thank you!!
-Andrew