Solved

Include File Security

Posted on 2006-11-05
276 Views
Last Modified: 2013-11-18
I'd like to include an external PHP file from a directory called "ads", using:

<?php
include("./ads/file.php")
?>

1. In terms of security is there anything I should keep in mind when using the include statement?

2. Is there anything I can add to this piece of code to make it more secure?

3. Also, since I used " ./ " in the path, to indicate that the sub directory is in the current directory, will it still search in the includes directory first? Is there a better way to do this?

Thanks!
Question by:xerospace

14 Comments
LVL 35

Expert Comment

by:Raynard7
Hi,

If you wanted to ensure that no other file could be included, then you would put an absolute reference in; however, this may mean that your code is less portable.

Since you used ./ it will not look in the current directory first; it will go up a level first.

If you want to have precedence for an existing file, then you could check if that file exists, then include it, else use the other file. You would need to do this in an if statement and go through your file structure to see it.
LVL 18

Expert Comment

by:ingwa
I would recommend using include_once() instead of include. This then ensures that if on the off chance your file is included twice, you won't receive any error messages, as include will give you a fatal error if the same file is called. Additionally, it would be recommended that you keep your include files in a directory that is not accessible by the web. This will ensure that only your script can call the include, and not a user via a web browser who could then retrieve important information contained within the file. Other than that, it looks good.
LVL 43

Expert Comment

by:ravenpl
> since you used ./ it will not look in the current directory first it will go up a level first.
Not really. It will look in current directory.

Please read second paragraph from http://pl.php.net/manual/en/function.include.php for include rules.
LVL 35

Expert Comment

by:Raynard7
"If filename begins with ./ or ../, it is looked only in include_path relative to the current working directory."

from that exact link

meaning that it will not look in the current directory
LVL 43

Expert Comment

by:ravenpl
> it will go up a level first.
I understand you said it will look for the include script in the ../ directory - wrong. And since almost always the '.' directory is first in INCLUDE_PATH - it will look for the include relative to the current working directory (but it may be a different directory from the one where the including script resides)
LVL 35

Accepted Solution

by:
Raynard7 earned 71 total points
I agree with that statement - I guess we both may have been unclear.
LVL 14

Assisted Solution

by:Aamir Saeed
Aamir Saeed earned 68 total points
I'd like to include an external PHP file from a directory called "ads", using:

php:
<?php
include("./ads/file.php")
?>


1. In terms of security is there anything I should keep in mind when using the include statement?

-> Not really no. It's a hard-coded include. If you were passing a variable based upon user input then yes you'd need to sanitize exactly what you're including.


2. Is there anything I can add to this piece of code to make it more secure?
-> Place "exit()" on the line above it*.


3. Also, since I used " ./ " in the path, to indicate that the sub directory is in the current directory, will it still search in the includes directory first? Is there a better way to do this?
-> I haven't tested it but the logical thing for PHP to do would be to try all directories where the script is run from before using the include path.

* This is a joke of course. That small piece of code by itself doesn't have any security issues.
LVL 49

Assisted Solution

by:Roonaan
Roonaan earned 68 total points
To make sure it doesn't go to the includes folders, you can use:

include_once dirname(__FILE__).'/../ads/file.php';

This would result in an absolute path.

Alternatively you can define a hardcoded path somewhere in your configuration:

define('DIR_ADS', '/var/www/ads');

Then use

include_once DIR_ADS.'/file.php';

-r-
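Pulling together Aamir Saeed's point (never let user input choose the include path) and Roonaan's (resolve the ads directory to an absolute path), here is an added example that is not from any poster in this thread. It assumes the layout from the question, with ads/ as a subdirectory of the including script, and the constant DIR_ADS, the $allowedAds map and the include_ad() helper are names chosen for this example.

```php
<?php
// Added example: an include helper that resolves the "ads" directory to an
// absolute path and refuses anything that would land outside it.
// Assumes ads/ sits next to this script, as in the question.

// Absolute base built from this file's location rather than include_path or the
// current working directory, so it behaves the same wherever PHP is run from.
define('DIR_ADS', dirname(__FILE__) . '/ads');

// Only names listed here may ever be included; a request parameter is used only
// as a lookup key against this allowlist, never concatenated into a path.
$allowedAds = array('banner' => 'file.php', 'sidebar' => 'sidebar.php');

function include_ad($key, array $allowed)
{
    if (!isset($allowed[$key])) {
        return false;                      // unknown key: include nothing
    }
    $candidate = DIR_ADS . '/' . $allowed[$key];
    $real = realpath($candidate);
    $base = realpath(DIR_ADS);
    // realpath() collapses ../ segments and symlinks; require the resolved file
    // to exist and to stay under the ads directory.
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include_once $real;                    // include_once, as ingwa recommends
    return true;
}

// Hard-coded key as in the question; a value taken from $_GET is still only a
// key into the allowlist, so it can never name an arbitrary file.
$key = isset($_GET['ad']) ? $_GET['ad'] : 'banner';
if (!include_ad($key, $allowedAds)) {
    error_log('refused ad include for key: ' . $key);
}
```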

Author Comment

by:xerospace
Thank you all for your feedback and help...

So far I'm using:

<?php
error_reporting(0);
include_once("./ads/file.php");
?>

OR, as Roonaan suggests:

<?php
error_reporting(0);
// dirname(__FILE__) has no trailing slash, so the fragment must start with '/'
include_once dirname(__FILE__).'/ads/file.php';
?>


For security reasons, I've decided to turn off all error reporting as well, using:

error_reporting(0);

and then for the ads directory, setting the permissions to 770.

Is there anything wrong with using an absolute path instead of a relative one? Like: http://www,thedomain,com/ads/file.php

Also, is there some kind of simple check that I can use to make sure that the script ONLY includes the specified php file from my domain? To make sure that a file by the name of "file.php" is ONLY called from thedomain.com?

I found the following from php.net, but it doesn't work:

<?php
$path="/full/path/to/script/";
if (getdomain($path) == 'yourdomain'){
     include($path.'somefile.php');
}
?>



Thanks!

Author Comment

by:xerospace
Ooops, I meant setting the permissions to 771 for the ads directory. It has to execute.
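On the question above of making sure ads/file.php only runs when included by your own script: the thread's answer is ingwa's advice to keep include files outside the web-accessible directory, and the following added example (not code from any poster) shows a guard placed at the top of ads/file.php that refuses direct browser requests, plus a development-time check for that advice. The constant name ADS_LOADED is an assumption for this example.

```php
<?php
// Added example: top of ads/file.php. The including script defines ADS_LOADED
// before the include, e.g.
//     define('ADS_LOADED', true);
//     include_once dirname(__FILE__) . '/ads/file.php';
// A direct request for ads/file.php never passes through that define, so the
// constant is missing and the file stops before doing anything.
if (!defined('ADS_LOADED')) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Development-time check for the "outside the web root" advice: log a notice
// if this file lives under DOCUMENT_ROOT, i.e. is reachable by URL at all.
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($docRoot !== false
    && strpos(realpath(__FILE__), $docRoot . DIRECTORY_SEPARATOR) === 0) {
    error_log(__FILE__ . ' is inside the document root; move it outside it');
}

// ... the rest of ads/file.php runs only when included by your own script.
```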
LVL 2

Assisted Solution

by:ajaikkumar
ajaikkumar earned 68 total points
If you are including a hardcoded path of the file and no one can access the directory without your knowledge, there are no issues for security as such.