Solved

Include File Security

Posted on 2006-11-05
281 Views
Last Modified: 2013-11-18
I'd like to include an external PHP file from a directory called "ads", using:

<?php
include("./ads/file.php")
?>

1. In terms of security is there anything I should keep in mind when using the include statement?

2. Is there anything I can add to this piece of code to make it more secure?

3. Also, since I used " ./ " in the path, to indicate that the sub directory is in the current direcory, will it still search in the includes directory first? Is there a better way to do this?

Thanks!
Question by:xerospace
14 Comments
 
LVL 35

Expert Comment

by:Raynard7
ID: 17878331
Hi,

If you wanted to ensure that no other file could be included, then you would put an absolute reference in; however, this may mean that your code is less portable.

Since you used ./, it will not look in the current directory first; it will go up a level first.

If you want to have precedence for an existing file, then you could check if that file exists, then include it, else use the other file. You would need to do this in an if statement and go through your file structure to see it.
 
LVL 18

Expert Comment

by:Mark Gilbert
ID: 17878531
I would recommend using include_once() instead of include. This then ensures that if, on the off chance, your file is included twice, you won't receive any error messages, as include will give you a fatal error if the same file is called. Additionally, it would be recommended that you keep your include files in a directory that is not accessible by the web. This will ensure that only your script can call the include, and not a user via a web browser who could then retrieve important information contained within the file. Other than that, it looks good.
 
LVL 43

Expert Comment

by:ravenpl
ID: 17879758
> since you used ./ it will not look in the current directory first it will go up a level first.
Not really. It will look in the current directory.

Please read the second paragraph from http://pl.php.net/manual/en/function.include.php for the include rules.
 
LVL 35

Expert Comment

by:Raynard7
ID: 17879788
"If filename begins with ./ or ../, it is looked only in include_path relative to the current working directory."

From that exact link.

Meaning that it will not look in the current directory.
 
LVL 43

Expert Comment

by:ravenpl
ID: 17879803
> it will go up a level first.
I understand you said it will look for the include script in the ../ directory - wrong. And since almost always the '.' directory is first in INCLUDE_PATH, it will look for the include relative to the current working directory (but it may be a different directory from the one where the including script resides).
 
LVL 35

Accepted Solution

by:Raynard7
Raynard7 earned 71 total points
ID: 17879806
I agree with that statement - I guess we both may have been unclear.
 
LVL 14

Assisted Solution

by:Aamir Saeed
Aamir Saeed earned 68 total points
ID: 17880291
I'd like to include an external PHP file from a directory called "ads", using:

<?php
include("./ads/file.php")
?>


1. In terms of security is there anything I should keep in mind when using the include statement?

-> Not really, no. It's a hard-coded include. If you were passing a variable based upon user input, then yes, you'd need to sanitize exactly what you're including.


2. Is there anything I can add to this piece of code to make it more secure?
-> Place "exit()" on the line above it*.


3. Also, since I used " ./ " in the path, to indicate that the sub directory is in the current direcory, will it still search in the includes directory first? Is there a better way to do this?
-> I haven't tested it but the logical thing for PHP to do would be to try all directories where the script is run from before using the include path.

* This is a joke, of course. That small piece of code by itself doesn't have any security issues.
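The one case the answer above flags, a file name taken from user input, is where an include becomes dangerous. The following is an added example, not code from the original thread: the vulnerable pattern is shown beside a hardened version that accepts only a plain name from an explicit allowlist and then confirms the canonical path stays inside the ads directory. The layout (this script next to an "ads" directory), the ad names in the allowlist, and the "ad" query parameter are assumptions.

```php
<?php
// Added example, not code from the original thread. Assumed layout: this
// script sits next to an "ads" directory that holds only the files meant
// to be included; the allowlist names and the "ad" parameter are assumed.

// VULNERABLE (shown for contrast, never call it): the client chooses the
// file. "?ad=../../../../etc/passwd" walks out of ads/, "?ad=../config"
// includes another script, and with allow_url_include=On a remote URL
// would be fetched. This is a classic local file inclusion.
function includeAdVulnerable(): void
{
    $ad = isset($_GET['ad']) ? $_GET['ad'] : 'file';
    include './ads/' . $ad . '.php';
}

// HARDENED: only a plain name is accepted, it must be in an explicit
// allowlist, and the canonical path is checked to lie inside $adsDir.
// Returns the path that was included, or null if the request was refused.
function includeAdSafe(string $requested, string $adsDir): ?string
{
    // 1. Shape check: letters, digits, underscore, hyphen. No dots, slashes,
    //    NUL bytes or anything else that could alter the path.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    // 2. Allowlist of the ad files you actually ship (assumed names).
    $allowed = ['file', 'banner', 'sidebar'];
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 3. Canonicalise and confirm containment. realpath() follows symlinks,
    //    collapses "..", and returns false for a missing file, so a symlink
    //    placed in ads/ that points elsewhere is rejected as well.
    $base = realpath($adsDir);
    $path = realpath($adsDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    include_once $path;
    return $path;
}

// Usage: anchor the ads directory to this script's own location (__DIR__)
// rather than to "./", so neither include_path nor the working directory
// has any say in what gets included.
$requested = isset($_GET['ad']) ? (string) $_GET['ad'] : 'file';
$included  = includeAdSafe($requested, __DIR__ . '/ads');
if ($included === null) {
    http_response_code(404);
    echo 'No such ad';
}
```

The allowlist alone would be enough for a fixed set of ads; the shape check and the realpath containment test stay in place so that the include remains safe if the allowlist is later loaded from configuration or relaxed.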
 
LVL 49

Assisted Solution

by:Roonaan
Roonaan earned 68 total points
ID: 17880745
To make sure it doesn't go to the includes folders, you can use:

include_once dirname(__FILE__).'/../ads/file.php';

This would result in an absolute path.

Alternatively you can define a hardcoded path somewhere in your configuration:

define('DIR_ADS', '/var/www/ads');

Then use

include_once DIR_ADS.'/file.php';

-r-
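To make the include-path discussion concrete, here is an added example, not code from the original thread. It shows what a leading "./" actually resolves against (and how a chdir() changes it), the script-anchored form suggested above, Raynard7's exists-then-fall-back idea, and Mark Gilbert's point about keeping the include directory outside the web root. The layout (this script as /var/www/site/index.php with ads/file.php beside it), the file.local.php name, and the DIR_ADS value are assumptions.

```php
<?php
// Added example, not code from the original thread. Assumed layout: this
// script is /var/www/site/index.php with ads/file.php beside it; DIR_ADS
// and the file.local.php name are assumed.

// 1. A leading "./" is resolved against the current working directory
//    only; include_path is not consulted at all. For a normal web request
//    the cwd is the main script's directory, but under cron, the CLI, or
//    after a chdir() it can be anything, and the include then picks up a
//    different file or fails. stream_resolve_include_path() applies the
//    same rules as include and returns the absolute path, or false.
function resolveRelative(string $rel)
{
    return stream_resolve_include_path($rel);
}

// 2. Script-anchored path: depends on neither the cwd nor include_path.
//    __DIR__ equals dirname(__FILE__) and is available from PHP 5.3 on.
function adsPath(string $name): string
{
    return __DIR__ . '/ads/' . $name;
}

// 3. Prefer a site-specific file when it exists, otherwise the default.
function pickAdFile(string $preferred, string $default): ?string
{
    foreach ([$preferred, $default] as $candidate) {
        if (is_file($candidate)) {
            return $candidate;
        }
    }
    return null;
}

// 4. A hardcoded include directory kept outside the document root, so a
//    browser can never fetch ads/file.php directly. Both paths get a
//    trailing slash before the prefix test so /var/www/ads is not taken
//    to be inside /var/www/a.
define('DIR_ADS', '/var/www/ads');
function isOutsideDocumentRoot(string $dir, string $docRoot): bool
{
    $dir     = rtrim($dir, '/') . '/';
    $docRoot = rtrim($docRoot, '/') . '/';
    return strncmp($dir, $docRoot, strlen($docRoot)) !== 0;
}

// Demonstration
echo 'cwd: ', getcwd(), "\n";
var_dump(resolveRelative('./ads/file.php'));   // resolved under the cwd

chdir(sys_get_temp_dir());                      // simulate cron or a chdir()
var_dump(resolveRelative('./ads/file.php'));   // now looked for under the temp dir

var_dump(adsPath('file.php'));                  // unaffected by the chdir()

$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '/var/www/site';
var_dump(isOutsideDocumentRoot(DIR_ADS, $docRoot));

$ad = pickAdFile(adsPath('file.local.php'), adsPath('file.php'));
if ($ad !== null) {
    include_once $ad;
} else {
    trigger_error('no ad file found', E_USER_WARNING);
}
```

Run it once from the web and once from the command line in another directory: the "./" lookup changes with the working directory, while the __DIR__ form does not.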
 

Author Comment

by:xerospace
ID: 17886852
Thank you all for your feedback and help...

So far I'm using:

<?php
error_reporting(0);                 // turn off all PHP error output
include_once("./ads/file.php");     // "./" is resolved against the working directory
?>

OR, as Roonaan suggests:

<?php
error_reporting(0);                 // turn off all PHP error output
// dirname(__FILE__) has no trailing slash, so the appended part must start
// with "/"; appending './ads/file.php' would yield ".../site./ads/file.php".
include_once dirname(__FILE__).'/ads/file.php';
?>


For security reasons, I've decided to turn off all error reporting as well, using:

error_reporting(0);

and then for the ads directory, setting the permissions to 770.

Is there anything wrong with using an absolute path instead of a relative one? Like: http://www,thedomain,com/ads/file.php

Also, is there some kind of simple check that I can use to make sure that the script ONLY includes the specified php file from my domain? To make sure that a file by the name of "file.php" is ONLY called from thedomain.com?

I found the following from php.net, but it doesn't work:

<?php
$path="/full/path/to/script/";
// getdomain() is not a built-in PHP function, which is why this fails as posted
if (getdomain($path) == 'yourdomain'){
     include($path.'somefile.php');
}
?>



Thanks!
 

Author Comment

by:xerospace
ID: 17886983
Ooops, I meant setting the permissions to 771 for the ads directory. It has to execute.
 
LVL 2

Assisted Solution

by:ajaikkumar
ajaikkumar earned 68 total points
ID: 17895495
If you are including a hardcoded path of a file and no one can access the directory without your knowledge, there are no security issues as such.
