[PHP] REQUEST + strpos

Printable View

14-08-06
Forcystos

[PHP] REQUEST + strpos

PHP Code:

if (strpos("mystring",$_REQUEST["thing"])) { include $_REQUEST["thing"].'.php'; **

As far as I know, that's supposed to work, isn't it? Why won't it?

Of course, I'm sure $_REQUEST is set, and it does include the string.
15-08-06
john_d

u got it the other way around...

strpos($ur_text, $text_to_find)

PHP Code:

if (strpos($_REQUEST["thing"],"mystring")) { include $_REQUEST["thing"].'.php'; }

but if i was to do something like that i would do this.

PHP Code:

$thing = strtolower(urldecode($_REQUEST["thing"])); if (strpos($thing,"mystring")) { include $thing.'.php'; }

that would be it if i wanted to use $_REQUEST ... i rather use $_GET or $_POST
15-08-06
[lexx]

hey, are you aware that the thing you are doing is very unsafe..? don't do that. you might make $_REQUEST["thing"] contents extracted from db or dedicated db file but not include a real file..
15-08-06
Forcystos

OK, thanks, the only problem was the backwards thing...and there's no problem in this case with $_REQUEST since I made sure there wasn't a $_POST request with the same value, I'm only using this to make something like [http://127.0.0.1/index.php?page=register].
15-08-06
Mario_Party

we can't join 127.0.0.1 ^^ that is ur local IP
15-08-06
Forcystos

It was an URL example ;)
15-08-06
[lexx]

you should use urlencode instead of urldecode, as john_d might mistyped, or else the remote code execution would be possible.
16-08-06
FragFrog

Quote:

Originally Posted by john_d

but if i was to do something like that i would do this.

PHP Code:

$thing = strtolower(urldecode($_REQUEST["thing"])); if (strpos($thing,"mystring")) { include $thing.'.php'; }

that would be it if i wanted to use $_REQUEST ... i rather use $_GET or $_POST

I agree with you on preferring POST (or GET, if you -have- to :D), but why would you use urldecode if I might ask? :)

Personally I'd do

PHP Code:

$thing = strtolower(htmlspecialchars($_REQUEST["thing"])); strpos($thing,"mystring") ? include $thing.'.php' : '';

Care to explain? :D
16-08-06
john_d

cause if u want to send string .. of an unknow nature.. like hello\' it would turn out as crazy text on the browser.. better to encode it before using it as a link.
16-08-06
FragFrog

Yeah, I ment why that specific encoder, not why encode at all, thats fairly obvious ;)