Solved

Include File Security

Posted on 2006-11-05
Last Modified: 2013-11-18
I'd like to include an external PHP file from a directory called "ads", using:

<?php
include("./ads/file.php")
?>

1. In terms of security is there anything I should keep in mind when using the include statement?

2. Is there anything I can add to this piece of code to make it more secure?

3. Also, since I used " ./ " in the path, to indicate that the sub directory is in the current directory, will it still search in the includes directory first? Is there a better way to do this?

Thanks!
Question by:xerospace
14 Comments
 
LVL 35

Expert Comment

by:Raynard7
ID: 17878331
Hi,

If you wanted to ensure that no other file could be included then you would put an absolute reference in; however, this may mean that your code is less portable.

Since you used ./ it will not look in the current directory first; it will go up a level first.

If you want to give precedence to an existing file then you could check whether that file exists, then include it, else use the other file. You would need to do this in an if statement and go through your file structure to see it.
 
LVL 18

Expert Comment

by:Mark Gilbert
ID: 17878531
I would recommend using include_once() instead of include. This then ensures that if, on the off chance, your file is included twice, you won't receive any error messages, as include will give you a fatal error if the same file is called. Additionally, it would be recommended that you keep your include files in a directory that is not accessible by the web. This will ensure that only your script can call the include, and not a user via a web browser who could then retrieve important information contained within the file. Other than that, it looks good.
 
LVL 43

Expert Comment

by:ravenpl
ID: 17879758
> since you used ./ it will not look in the current directory first it will go up a level first.
Not really. It will look in current directory.

Please read second paragraph from http://pl.php.net/manual/en/function.include.php for include rules.
 
LVL 35

Expert Comment

by:Raynard7
ID: 17879788
"If filename begins with ./ or ../, it is looked only in include_path relative to the current working directory."

from that exact link

meaning that it will not look in the current directory
 
LVL 43

Expert Comment

by:ravenpl
ID: 17879803
> it will go up a level first.
I understand you said it will look for the include script in the ../ directory - wrong. And since almost always the '.' directory is first in INCLUDE_PATH, it will look for the include relative to the current working directory (but it may be a different directory from the one where the including script resides).
 
LVL 35

Accepted Solution

by:
Raynard7 earned 284 total points
ID: 17879806
i agree with that statement - I guess we both may have been unclear.
 
LVL 14

Assisted Solution

by:Aamir Saeed
Aamir Saeed earned 272 total points
ID: 17880291
I'd like to include an external PHP file from a directory called "ads", using:

php:
<?php
include("./ads/file.php")
?>


1. In terms of security is there anything I should keep in mind when using the include statement?

-> Not really no. It's a hard-coded include. If you were passing a variable based upon user input then yes you'd need to sanitize exactly what you're including.


2. Is there anything I can add to this piece of code to make it more secure?
-> Place "exit()" on the line above it*.


3. Also, since I used " ./ " in the path, to indicate that the sub directory is in the current direcory, will it still search in the includes directory first? Is there a better way to do this?
-> I haven't tested it but the logical thing for PHP to do would be to try all directories where the script is run from before using the include path.

* This is a joke of course. That small piece of code by itself doesn't have any security issues.
 
LVL 49

Assisted Solution

by:Roonaan
Roonaan earned 272 total points
ID: 17880745
To make sure it doesn't go to the includes folders, you can use:

include_once dirname(__FILE__).'/../ads/file.php';

This would result in an absolute path.

Alternatively you can define a hardcoded path somewhere in your configuration:

define('DIR_ADS', '/var/www/ads');

Then use

include_once DIR_ADS.'/file.php';

-r-
 
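Putting Aamir Saeed's point (a hard-coded include has no user input to sanitize) together with Roonaan's dirname(__FILE__) technique, the following is an added example, not code from the thread; the ads directory next to the script, the allowlisted file names and the `ad` request parameter are assumptions.

```php
<?php
// Added example, not from the thread. Assumes this script sits next to an
// "ads" directory, as in the question; the file names below are constructed.

// Resolve the ads directory against this file, not the working directory,
// so neither include_path nor getcwd() affects which file is loaded.
$adsDir = realpath(dirname(__FILE__) . '/ads');
if ($adsDir === false) {
    error_log('ads directory is missing');
    exit;
}

// Case 1: hard-coded include. No request data reaches the path, so there
// is nothing to sanitize here.
include_once $adsDir . '/file.php';

// Case 2: the file name comes from the request. Never pass that string to
// include() directly: pick from a fixed allowlist, then confirm that the
// resolved path still lies inside $adsDir before including it.
function includeAd($adsDir, $requested)
{
    $allowed = array('banner', 'sidebar', 'footer'); // constructed names
    if (!in_array($requested, $allowed, true)) {
        return false;                              // unknown name: refuse
    }
    $target = realpath($adsDir . '/' . $requested . '.php');
    // realpath() returns false for missing files and collapses any "..",
    // so a prefix check on its result is a reliable containment test.
    if ($target === false
        || strpos($target, $adsDir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include_once $target;
    return true;
}

$ad = isset($_GET['ad']) ? $_GET['ad'] : 'banner';
if (!includeAd($adsDir, $ad)) {
    // Record the refusal server-side rather than echoing the requested
    // name or any path back to the client.
    error_log('refused ad include: ' . $ad);
}
```

With display_errors off and log_errors on, PHP keeps path details out of the response while still recording failed includes for debugging.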

Author Comment

by:xerospace
ID: 17886852
Thank you all for your feedback and help...

So far I'm using:

<?php
error_reporting(0);
include_once("./ads/file.php");
?>

OR, as Roonaan suggests:

<?php
error_reporting(0);
include_once dirname(__FILE__).'/ads/file.php';
?>


For security reasons, I've decided to turn off all error reporting as well, using:

error_reporting(0);

and then for the ads directory, setting the permissions to 770.

Is there anything wrong with using an absolute path instead of a relative one? Like: http://www,thedomain,com/ads/file.php

Also, is there some kind of simple check that I can use to make sure that the script ONLY includes the specified php file from my domain? To make sure that a file by the name of "file.php" is ONLY called from thedomain.com?

I found the following from php.net, but it doesn't work:

<?php
$path="/full/path/to/script/";
if (getdomain($path) == 'yourdomain'){
     include($path.'somefile.php');
}
?>



Thanks!
 

Author Comment

by:xerospace
ID: 17886983
Ooops, I meant setting the permissions to 771 for the ads directory. It has to execute.
 
LVL 2

Assisted Solution

by:ajaikkumar
ajaikkumar earned 272 total points
ID: 17895495
If you are including a hardcoded path of a file and no one can access the directory without your knowledge, there are no security issues as such.