Use a whitelist and make sure the page is in the whitelist:
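```php
// Pages that may be included; anything else falls back to home.php.
$whitelist = array('home', 'page');
// A missing parameter is treated as 'home' instead of raising a warning.
$page = $_GET['page'] ?? 'home';
// Strict comparison: only an exact string match passes (an array value does not).
if (in_array($page, $whitelist, true)) {
    include($page . '.php');
} else {
    include('home.php');
}
```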
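A variant of the same check, added here as an example and not part of the original answer: the request value is used only as a lookup key into a fixed map, so it never becomes part of the included path. It assumes PHP 8.0 or later; the `PAGES` map, `resolve_page()` and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request key => fixed file name chosen by the developer.
const PAGES = [
    'home' => 'home.php',
    'page' => 'page.php',
];

/**
 * Return the file to include for a request value.
 * The value is only ever a lookup key, never a path fragment.
 */
function resolve_page(mixed $requested, array $pages = PAGES, string $default = 'home'): string
{
    // ?page[]=home arrives as an array and a missing parameter as null;
    // both fail is_string() and fall back to the default page.
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        return $pages[$default];
    }
    return $pages[$requested];
}

// Constructed sample inputs, as they could appear in $_GET['page'].
$samples = ['page', 'home', 'Page', 'page.php', '../config', '', null, ['home']];

foreach ($samples as $value) {
    // Only the exact keys 'home' and 'page' select their own file.
    printf("%-12s => %s\n", json_encode($value, JSON_UNESCAPED_SLASHES), resolve_page($value));
}

// In the real page the call would be:
// include __DIR__ . '/' . resolve_page($_GET['page'] ?? null);
```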