另一个LFI问题

Question

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Ship Parts</title>
        <script src="libs/jquery/jquery-3.1.1.min.js"></script>
        <script src="libs/bootstrap-3.3.7-dist/js/bootstrap.min.js"></script>
        <link rel="stylesheet" href="libs/bootstrap-3.3.7-dist/css/bootstrap.min.css" >
        <link rel="stylesheet" href="libs/styles/boot2016.css">
        <link rel="stylesheet" href="libs/styles/cyber.css">
        <script src="libs/scripts/common1.js"></script>
        <script src="libs/scripts/cyberO.js"></script>

</head>

<body>
        <div class="container" style="margin-bottom:60px;">
                <div style="background-image:url('libs/images/ocean.jpg'); background-position: center; padding: 40px; font-size:72px; color:white;" class="text-center align-middle" >
                        <h1>Ship-Parts Military Boats</h1>
                </div>
                <h2>Welcome to Ship-Parts Military Boats</h2>
                <p>Ship-Parts Military Boats are high-performance rigid hull inflatable boats and vessels that are specifically designed for the extreme endurance needs of the military and law enforcement.</p>

                <p><strong>Select a product:</strong></p>
                <form action="index.php" method="POST" id="products">
                        <select name="product">
                                <option value="inflatable.html">Inflatable Boats</option>
                                <option value="navy.html">Navy Boats</option>
                                <option value="coastguard.html">Coast Guard Boats</option>
                                <option value="lawenforcement.html">Law Enforcement Boats</option>
                                <option value="about.html">About Us</option>
                        </select>
                        </select>
                        <input type="submit" value="Show Info" />
                </form>
                <br>

                <?php
                        if(isset($_POST["product"]) ) {
                                include $_POST["product"];
                        }
                        else {
                                include "about.html";
                        }

                ?>


        </div>
</body>
</html>

所以我应该修复这个网站。我需要验证optionvalue所指向的选项是页面发送该信息之前应该出现的选项，这样即使有人将文件从inflatables.html更改为allmyloginsxd.html，它也会显示为一个错误。

我对代码一窍不通(我所学的课程既不会教我，也不会给我时间去学习)，所以你能给我解释的越简单越好。

Answer 1

正如我在评论中所建议的，考虑在客户端验证的同时使用服务器端检查，以确保您在绕过客户端验证的实例中有一个备份。

简单地说，您可以使用in_array检查选项的输入：

/** Your page names would go in here. **/
$correct_values = ['option-val-one', 'option-val-two'];

if (!in_array($_POST['product'], $correct_values)) {
    /** Unknown value has been passed. **/
}

除此之外，您的标记中有重复标记的错误(</select>)。