0

I'm not sure if this is a valid way to filter LFI, because if you bypass the in_array function you can include any file, for example /etc/passwd.

Is it possible to bypass the in_array function?

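<?php
// Default to an empty string when the parameter is missing.
$file = $_GET['file'] ?? '';
// Allowlist of file names that may be included.
$files = array("some", "files", "here");

// Third argument true: strict (===) comparison against the allowlist.
if (in_array($file, $files, true)) {
   include('directory/' . $file);
   echo "In array \n";
} else {
   echo "Not in array \n";
}
?>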
schroeder

1 Answer

0

Looks good, the in_array methodology is valid, especially since you enabled strict matching.

belkarx
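
As an added example (not code from the question or the answer), the script below compares loose and strict in_array matching on constructed request values and builds the include path from the allowlist entry rather than from the request value. The `allowed_path` helper, the '10' allowlist entry and the sample inputs are assumptions made for illustration.

```php
<?php
// Constructed allowlist; '10' is included to show the numeric-string case.
$files = ['some', 'files', 'here', '10'];

/**
 * Return the path to include, or null when the request value is not an
 * exact member of the allowlist. Hypothetical helper, not from the page.
 */
function allowed_path($input, array $files): ?string
{
    // A query string such as ?file[]=some makes $_GET['file'] an array.
    if (!is_string($input)) {
        return null;
    }
    // Third argument true: compare with ===, so no numeric-string juggling.
    $key = array_search($input, $files, true);
    if ($key === false) {
        return null;
    }
    // Build the path from the allowlist entry, not from the request value.
    return 'directory/' . $files[$key];
}

// Constructed request values, as they could arrive in $_GET['file'].
$inputs = ['some', 'Some', '../../etc/passwd', 'some/../x', '1e1', ' 10', ['some']];

foreach ($inputs as $input) {
    printf(
        "%-22s loose=%-5s strict=%-5s path=%s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        var_export(in_array($input, $files), true),        // == comparison
        var_export(in_array($input, $files, true), true),  // === comparison
        var_export(allowed_path($input, $files), true)
    );
}
```

Loose comparison treats two numeric strings as numbers, so the `loose` column differs from the `strict` column for the '1e1' and ' 10' rows; the traversal strings match in neither mode because they are not members of the list.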