I have a website in php that does include() to embed the content into a template. The page to load is given in a get parameter, I add ".php" to the end of the parameter and include that page. I need to do some security check to avoid XSS or other stuff (not mysql injection since we do not have a database). What I've come up with is the following.
$page = $_GET['page'];
if(!strpos(strtolower($page), 'http') || !strpos($page, '/') ||
!strpos($page, '\\') || !strpos($page, '..')) {
//append ".php" to $page and include the page
Is there any other thing I can do to furtherly sanitize my input?
$page = preg_replace('/[^-a-zA-Z0-9_]/', '', $_GET['page']);
Is probably the quickest way to sanitize this, this will take anything and make sure that it only contains letters, numbers, underscores or dashes.