Is it possible to sanitise an include before it is executed to make sure that it exists on the server?
I want to avoid attackers compromising the file path using some sort of whitelist, is this possible?
My include looks like this:
require_once('../includes/front/header.php');
How could the path be compromised? (Unless your require_once contains user input - avoid this!)
You could just check if the file exists using file_exists, e.g.:
if (file_exists('../includes/front/header.php')) {
    // Require the same path that was just checked
    require_once('../includes/front/header.php');
}
If you did want a whitelist though you could just create an array of allowed path/filenames and then just use in_array to check its validity.
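
The whitelist and existence checks suggested above, combined with a check that the resolved path stays inside the include directory. This is an added example, not code from the original question or answers. The names `ALLOWED_INCLUDES` and `resolve_include`, the page keys and the temporary directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: request keys mapped to fixed paths under the include root.
// User input only ever selects a key; it is never concatenated into a path.
const ALLOWED_INCLUDES = [
    'header' => 'front/header.php',
    'footer' => 'front/footer.php',
];

/**
 * Return the absolute path for an allow-listed include, or null if the key is
 * unknown, the file is missing, or the resolved path leaves the base directory.
 */
function resolve_include(string $key, string $baseDir): ?string
{
    // Strict lookup on the keys (in_array($key, $list, true) on a flat list works the same way).
    if (!array_key_exists($key, ALLOWED_INCLUDES)) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() returns false when the target does not exist, so this also
    // covers the file_exists() check.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_INCLUDES[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check: a symlink or a bad allow-list entry must not escape $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: build a temporary include tree so the script runs offline.
$root = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($root . '/front', 0700, true);
file_put_contents($root . '/front/header.php', "<?php echo \"header loaded\\n\";");

foreach (['header', 'footer', '../config'] as $requested) {
    $path = resolve_include($requested, $root);
    if ($path === null) {
        echo "rejected: {$requested}\n";
        continue;
    }
    require_once $path;
}
```

Here `footer` is rejected because the file was never created, and `../config` is rejected because it is not a key in the allow-list.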