Include File Security

I'd like to include an external PHP file from a directory called "ads", using:

<?php
include("./ads/file.php")
?>

1. In terms of security is there anything I should keep in mind when using the include statement?

2. Is there anything I can add to this piece of code to make it more secure?

3. Also, since I used " ./ " in the path, to indicate that the sub directory is in the current direcory, will it still search in the includes directory first? Is there a better way to do this?

Thanks!
xerospaceAsked:
Who is Participating?
 
Raynard7Connect With a Mentor Commented:
i agree with that statement - I guess we both may have been unclear.
0
 
Raynard7Commented:
Hi,

If you wanted to ensure that no other file could be included then you would put an absolute reference in - however this may mean that your code is less portable.

since you used ./ it will not look in the current directory first it will go up a level first.

if you want to have precedence for an existing file then you could check if that file exists  then include it else use the other file.  you would need to do this in an if statement and go through your file structure to see it
0
 
Mark GilbertSenior Performance EngineerCommented:
I would recommend using include_once() instead of include.  This then ensures that if on the off chance your file is included twice, you won't receive any error messages, as include will give you a fatal error if the same file is called.  Additionally, it would be recommended that you keep your include files in a directory that is not accessable by the web.  This will ensure that only your script can call the include, and not a user via a web browser who could then retrieve important information contained within the file.  Other than that, it looks good.
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
ravenplCommented:
> since you used ./ it will not look in the current directory first it will go up a level first.
Not really. It will look in current directory.

Please read second paragraph from http://pl.php.net/manual/en/function.include.php for include rules.
0
 
Raynard7Commented:
"If filename begins with ./ or ../, it is looked only in include_path relative to the current working directory."

from that exact link

meaning that it will not look in the current directory
0
 
ravenplCommented:
> it will go up a level first.
I understand You said it will loook for the incude script in ../ directory - wrong. And since almost always '.' directory is first in INCLUDE_PATH - it will look for the include relatively to current working directory (but it may be different directory from the one where incuding script resides)
0
 
Aamir SaeedConnect With a Mentor Commented:
I'd like to include an external PHP file from a directory called "ads", using:

php:
<?php
include("./ads/file.php")
?>


1. In terms of security is there anything I should keep in mind when using the include statement?

-> Not really no. It's a hard-coded include. If you were passing a variable based upon user input then yes you'd need to sanitize exactly what you're including.


2. Is there anything I can add to this piece of code to make it more secure?
-> Place "exit()" on the line above it*.


3. Also, since I used " ./ " in the path, to indicate that the sub directory is in the current direcory, will it still search in the includes directory first? Is there a better way to do this?
-> I haven't tested it but the logical thing for PHP to do would be to try all directories where the script is run from before using the include path.

* This is a joke of course. That small piece of code by itself doesn't have any security issues.
0
 
RoonaanConnect With a Mentor Commented:
To make sure it doesn't go to the includes folders, you can use:

include_once dirname(__FILE__).'/../ads/file.php';

This would result in an absolute path.

Alternatively you can define a hardcoded path somewhere in your configuration:

define('DIR_ADS', '/var/www/ads');

Then use

include_once DIR_ADS.'/file.php';

-r-
0
 
xerospaceAuthor Commented:
Thank you all for your feedback and help...

So far I'm using:

<?php
error_reporting(0);
include_once("./ads/file.php");
?>

OR, as Roonann suggests:

<?php
error_reporting(0);
include_once dirname(__FILE__).'./ads/file.php';
?>


For security reasons, I've decided to turn off all error reporting as well, using:

error_reporting(0);

and then for the ads directory, setting the permissions to 770.

Is there anything wrong with using an absolute path instead of a relative one? Like: http://www,thedomain,com/ads/file.php

Also, is there some kind of simple check that I can use to make sure that the script ONLY inludes the specified php file from my domain? To make sure that a file by the name of "file.php" is ONLY called from thedomain.com?

I found the following from php.net, but it doesn't work:

<?php
$path="/full/path/to/script/";
if (getdomain($path) == 'yourdomain'){
     include($path.'somefile.php');
}
?>



Thanks!
0
 
xerospaceAuthor Commented:
Ooops, I meant setting the permissions to 771 for the ads directory. It has to execute.
0
 
ajaikkumarConnect With a Mentor Commented:
if u including hardcoded path OF FILE  and no one can access directory without your knowledge  no issues for security as such.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.