HighFile-scopePHP Plug & play

Do Not Include Files Dynamically Without Validation

Avoid passing untrusted values to include/require statements. If you need to include files based on external input, strictly validate that input (for example, using a whitelist of valid filenames).

Add to Mesrai Open workspace

Why this matters

Including files from user‐supplied paths without validation can lead to Local/Remote File Inclusion (LFI/RFI), allowing attackers to execute arbitrary code or access sensitive system files.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

<?php
$page = $_GET['pagina'];
include "$page.php";
?>

Prefer

<?php
$page = $_GET['pagina'];
$allowed = ['home', 'about', 'contact'];
if (in_array($page, $allowed)) {
    include $page . '.php';
} else {
    include '404.php';
}
?>

More snippets

Bad

<?php
$page = $_GET['pagina'];
include "$page.php";
?>

Good

<?php
$page = $_GET['pagina'];
$allowed = ['home', 'about', 'contact'];
if (in_array($page, $allowed)) {
    include $page . '.php';
} else {
    include '404.php';
}
?>

Related rules

From the same buckets as this rule.

Critical
Always sanitize user inputs
Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.
security-hardening
Critical
Always Verify Server Certificates in SSL/TLS Connections
Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.
security-hardening
Critical
Avoid modifying built-in prototypes
Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.
maintainabilitysecurity-hardening

Why this matters

Bad vs. good

More snippets

Related rules

Always sanitize user inputs

Always Verify Server Certificates in SSL/TLS Connections

Avoid modifying built-in prototypes

Why this matters

Bad vs. good

More snippets

Related rules

Always sanitize user inputs

Always Verify Server Certificates in SSL/TLS Connections

Avoid modifying built-in prototypes