Include safety

Posted 2019-07-31 08:25

<?php
// Only lower-case letters and digits pass, so '.', '/' and '..' never reach the path.
if (preg_match('/^[a-z0-9]+$/', $_GET['page'])) {
    // realpath() returns false when the file does not exist.
    $page = realpath('includes/'.$_GET['page'].'.php');
    $tpl = realpath('templates/'.$_GET['page'].'.html');
    if ($page && $tpl) {
        include $page;
        include $tpl;
    } else {
        // log error!
    }
} else {
    // log error!
}
?>

How safe would you say this is? Gumbo here on Stack Overflow wrote it.
Dynamic Include Safety

I wanna hear your opinions.

cheers

Tags: php include
4 answers
我命由我不由天
Reply #2 · 2019-07-31 08:51

My first thought isn't about safety, but about why in the world would you do that?

看我几分像从前
Reply #3 · 2019-07-31 08:55

I could see some potential issues there, especially if the 'page' variable contained '..' or other such things that could allow them to see something they weren't supposed to be able to see.

I do something similar on a few sites of mine, but I would first check 'page' to make sure it references one of a set of allowed pages.

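The allowlist approach this answer recommends, combined with a realpath() containment check, as an added example (not code from the question or from any answer). The original regex already keeps '.' and '/' out of the name; this version stays safe even if that pattern is later loosened. The page names, the temporary directory and resolve_include() are all constructed for the demo.

```php
<?php
// Added example: allowlist plus realpath() containment for a dynamic include.
declare(strict_types=1);

// Pages this script may load; anything else is rejected outright (constructed list).
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Resolve a requested page name to an absolute file inside $baseDir,
 * or return null if the request must be rejected.
 */
function resolve_include(string $page, string $baseDir, string $ext): ?string
{
    // 1. Allowlist: the cheapest and strongest check.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // 2. Canonicalise both the base directory and the candidate file.
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . $page . $ext);
    if ($base === false || $file === false) {
        return null; // directory or file does not exist
    }
    // 3. Containment: the resolved file must sit below the resolved base,
    //    which also covers '..' segments and symlinks pointing elsewhere.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed demo: build a throwaway include directory and exercise the checks.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_' . bin2hex(random_bytes(4));
mkdir($tmp . '/includes', 0700, true);
file_put_contents($tmp . '/includes/home.php', '<?php echo "home loaded\n";');
file_put_contents($tmp . '/secret.php', '<?php echo "must never load\n";');

// 'about' is allowlisted but has no file; the last two are traversal attempts.
foreach (['home', 'about', '../secret', 'home/../../secret'] as $req) {
    $resolved = resolve_include($req, $tmp . '/includes', '.php');
    echo str_pad($req, 20), ' => ', $resolved === null ? 'rejected' : 'ok', "\n";
    if ($resolved !== null) {
        include $resolved;
    }
}
```

Only 'home' is both allowlisted and present, so it is the single request that reaches include; a logging call belongs where null is returned.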
走好不送
Reply #4 · 2019-07-31 08:58

You're including your own code. How safe is it?

Reply #5 · 2019-07-31 09:03

I'd say it's pretty safe. Just don't allow anything to write to those folders. PHP files are traditionally inside the web root of a server which is dangerous to start with. It would be better to place the files being loaded to an area that's absolutely inaccessible to the outside given a configuration error or a .htaccess file going missing.
