Solved

Include File Security

Posted on 2006-11-05
14
284 Views
Last Modified: 2013-11-18
I'd like to include an external PHP file from a directory called "ads", using:

<?php
include("./ads/file.php")
?>

1. In terms of security is there anything I should keep in mind when using the include statement?

2. Is there anything I can add to this piece of code to make it more secure?

3. Also, since I used " ./ " in the path, to indicate that the sub directory is in the current direcory, will it still search in the includes directory first? Is there a better way to do this?

Thanks!
0
Comment
Question by:xerospace
  • 3
  • 2
  • 2
  • +4
14 Comments
 
LVL 35

Expert Comment

by:Raynard7
ID: 17878331
Hi,

If you wanted to ensure that no other file could be included then you would put an absolute reference in - however this may mean that your code is less portable.

since you used ./ it will not look in the current directory first it will go up a level first.

if you want to have precedence for an existing file then you could check if that file exists  then include it else use the other file.  you would need to do this in an if statement and go through your file structure to see it
0
 
LVL 18

Expert Comment

by:Mark Gilbert
ID: 17878531
I would recommend using include_once() instead of include.  This then ensures that if on the off chance your file is included twice, you won't receive any error messages, as include will give you a fatal error if the same file is called.  Additionally, it would be recommended that you keep your include files in a directory that is not accessable by the web.  This will ensure that only your script can call the include, and not a user via a web browser who could then retrieve important information contained within the file.  Other than that, it looks good.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17879758
> since you used ./ it will not look in the current directory first it will go up a level first.
Not really. It will look in current directory.

Please read second paragraph from http://pl.php.net/manual/en/function.include.php for include rules.
0
Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

 
LVL 35

Expert Comment

by:Raynard7
ID: 17879788
"If filename begins with ./ or ../, it is looked only in include_path relative to the current working directory."

from that exact link

meaning that it will not look in the current directory
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17879803
> it will go up a level first.
I understand You said it will loook for the incude script in ../ directory - wrong. And since almost always '.' directory is first in INCLUDE_PATH - it will look for the include relatively to current working directory (but it may be different directory from the one where incuding script resides)
0
 
LVL 35

Accepted Solution

by:
Raynard7 earned 71 total points
ID: 17879806
i agree with that statement - I guess we both may have been unclear.
0
 
LVL 14

Assisted Solution

by:Aamir Saeed
Aamir Saeed earned 68 total points
ID: 17880291
I'd like to include an external PHP file from a directory called "ads", using:

php:
<?php
include("./ads/file.php")
?>


1. In terms of security is there anything I should keep in mind when using the include statement?

-> Not really no. It's a hard-coded include. If you were passing a variable based upon user input then yes you'd need to sanitize exactly what you're including.


2. Is there anything I can add to this piece of code to make it more secure?
-> Place "exit()" on the line above it*.


3. Also, since I used " ./ " in the path, to indicate that the sub directory is in the current direcory, will it still search in the includes directory first? Is there a better way to do this?
-> I haven't tested it but the logical thing for PHP to do would be to try all directories where the script is run from before using the include path.

* This is a joke of course. That small piece of code by itself doesn't have any security issues.
0
 
LVL 49

Assisted Solution

by:Roonaan
Roonaan earned 68 total points
ID: 17880745
To make sure it doesn't go to the includes folders, you can use:

include_once dirname(__FILE__).'/../ads/file.php';

This would result in an absolute path.

Alternatively you can define a hardcoded path somewhere in your configuration:

define('DIR_ADS', '/var/www/ads');

Then use

include_once DIR_ADS.'/file.php';

-r-
0
 

Author Comment

by:xerospace
ID: 17886852
Thank you all for your feedback and help...

So far I'm using:

<?php
error_reporting(0);
include_once("./ads/file.php");
?>

OR, as Roonann suggests:

<?php
error_reporting(0);
include_once dirname(__FILE__).'./ads/file.php';
?>


For security reasons, I've decided to turn off all error reporting as well, using:

error_reporting(0);

and then for the ads directory, setting the permissions to 770.

Is there anything wrong with using an absolute path instead of a relative one? Like: http://www,thedomain,com/ads/file.php

Also, is there some kind of simple check that I can use to make sure that the script ONLY inludes the specified php file from my domain? To make sure that a file by the name of "file.php" is ONLY called from thedomain.com?

I found the following from php.net, but it doesn't work:

<?php
$path="/full/path/to/script/";
if (getdomain($path) == 'yourdomain'){
     include($path.'somefile.php');
}
?>



Thanks!
0
 

Author Comment

by:xerospace
ID: 17886983
Ooops, I meant setting the permissions to 771 for the ads directory. It has to execute.
0
 
LVL 2

Assisted Solution

by:ajaikkumar
ajaikkumar earned 68 total points
ID: 17895495
if u including hardcoded path OF FILE  and no one can access directory without your knowledge  no issues for security as such.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Number of hours between date in DB and now 8 21
Moving from Mcrypt to OpenSSL 18 45
Number of reviews not counting correctly 2 22
JQuery Search Filter 2 28
I found this questions asking how to do this in many different forums, so I will describe here how to implement a solution using PHP and AJAX. The logical flow for the problem should be: Write an event handler for the first drop down box to get …
Have you tried to learn about Unicode, UTF-8, and multibyte text encoding and all the articles are just too "academic" or too technical? This article aims to make the whole topic easy for just about anyone to understand.
Viewers will learn about if statements in Java and their use The if statement: The condition required to create an if statement: Variations of if statements: An example using if statements:
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question