I use this script to enable multilanguage on my website :
<?php
// Start a session unless one is already active (starting twice raises a notice).
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
// What languages we support
$available_langs = array('en', 'ro');
// Only accept a plain string (lang[]=... would arrive as an array) that is non-empty
if (isset($_GET['lang']) && is_string($_GET['lang']) && $_GET['lang'] != '') {
    // check if the language is one we support (strict comparison, exact match)
    if (in_array($_GET['lang'], $available_langs, true)) {
        $_SESSION['lang'] = $_GET['lang']; // Set session
    }
}
// Set our default language session ONLY if we've got nothing
// (empty() avoids an "undefined index" notice on the first visit)
if (empty($_SESSION['lang'])) {
    $_SESSION['lang'] = 'en';
}
$language = $_SESSION['lang'];
// 30-day cookie, default path/domain, Secure only when served over HTTPS, HttpOnly
setcookie("lang", $language, time() + (3600 * 24 * 30), '', '', !empty($_SERVER['HTTPS']), true);
// Include active language
include('languages/lang.' . $_SESSION['lang'] . '.php');
?>
My question is: how secure is this, the way it is coded right now, and what should I do to improve security? I administer a VPS using Plesk 12 and have the Website Firewall (ModSecurity) on, and I see lots of attempts to upload files to my website’s root by using the POST method through the browser, taking advantage of the “lang” variable.
Many thanks in advance.
2 Answers
This is perfectly safe from the looks of it. You are setting a sensible default (en) if not found/not specified, and are pattern matching for en/ro properly.
You may want to consider using a language supporting framework/class though, as it will make your duplication efforts much easier. Try checking out https://github.com/Philipp15b/php-i18n
This is perfectly safe in the case of the language. But please check if the session has already started; otherwise it will throw a session_already_started error.
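The allowlist the answers above rely on can be made stricter still by looking the language up in a fixed map, so the request value never becomes part of an include path, and by logging rejected values so the probing the asker sees in ModSecurity is visible in the application log too. The following is an added example, not the asker's script; it assumes PHP 7.3 or newer (for the array form of setcookie) and the same languages/lang.XX.php layout.

```php
<?php
// Added example: map-based language selection with audit logging of rejected values.

// Accepted codes and the files they map to; the path comes from here, never from $_GET.
const LANG_FILES = [
    'en' => __DIR__ . '/languages/lang.en.php',
    'ro' => __DIR__ . '/languages/lang.ro.php',
];
const DEFAULT_LANG = 'en';

/**
 * Returns the language code to use for this request.
 * $requested is the raw $_GET['lang'] value (null, a string, or even an array);
 * $stored is whatever the session already holds, if anything.
 */
function choose_language($requested, $stored): string
{
    // Accept only a short plain string that is an exact key of the map.
    if (is_string($requested) && $requested !== '' && strlen($requested) <= 8
        && array_key_exists($requested, LANG_FILES)) {
        return $requested;
    }
    if ($requested !== null && $requested !== '') {
        // Anything else was sent deliberately; record it (printable chars only,
        // truncated) so log review and WAF tuning can see what is being tried.
        $shown = is_string($requested) ? $requested : gettype($requested);
        $shown = substr(preg_replace('/[^\x20-\x7e]/', '?', $shown), 0, 64);
        error_log(sprintf('lang rejected from %s: %s', $_SERVER['REMOTE_ADDR'] ?? 'cli', $shown));
    }
    // Fall back to a previously validated session value, then to the default.
    if (is_string($stored) && array_key_exists($stored, LANG_FILES)) {
        return $stored;
    }
    return DEFAULT_LANG;
}

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
$language = choose_language($_GET['lang'] ?? null, $_SESSION['lang'] ?? null);
$_SESSION['lang'] = $language;
setcookie('lang', $language, [
    'expires'  => time() + 3600 * 24 * 30,
    'path'     => '/',
    'secure'   => !empty($_SERVER['HTTPS']), // only send over TLS when the site uses it
    'httponly' => true,
    'samesite' => 'Lax',
]);
include LANG_FILES[$language]; // always one of the two fixed paths above
```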