is this PHP include a security risk?

scotthorton
I have some code that is mostly static, but changes once every few months.  It is related to the display of a set of logos on my webpage, and navigation bar item changes.  Instead of having to go and update every single webpage that includes these same items each time the list of logo images changes, or I need a new navigation bar item,  I needed to be able to globally edit them.

I chose to do this using PHP includes such as:

<?php include("includes/bannerlist.html"); ?>
<?php include("includes/navbar.html"); ?>

This seems to be a good solution and is working.

All references to include files are hard coded as shown above, and all related files are stored locally on the same webserver/site.

I have read about security issues related to PHP includes but they seemed to be related to more complex things than what I am doing.

My question is, are the includes I have, like shown above, any type of security risk?  And if they are, what is the best way to mitigate the risk?



No these includes are not a security risk.
 
Includes CAN be a security risk when you pass variables to them which come from the user. So for example if you passed a GET variable to an include which you did not properly sanitize then it would be a major security risk.

You should read the book PHP security by Chris Shiflett. It is one of THE books on PHP security and will give you a really good idea of how to secure your applications.

-- CTM
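An added example (not code from any of the answers above) of the distinction CTM draws: the hard-coded includes from the question carry no request data, so nothing a visitor sends can change which file is included. If a fragment ever has to be selected per request, the request value should only pick a key from a fixed allowlist, never form part of the path. The `?part=` parameter and the `safeFragmentPath` helper are hypothetical names chosen for the illustration.

```php
<?php
// The question's pattern: fixed paths, no user input, no risk from the path itself.
include "includes/bannerlist.html";
include "includes/navbar.html";

// If the fragment must be chosen at request time, map the request value onto
// a fixed allowlist and include only the mapped file. The client can pick a
// key; it can never supply a path, so traversal or wrapper tricks in the
// parameter simply fail the lookup and fall back to the default.
function safeFragmentPath(string $requested, array $allowlist, string $default): string
{
    if (array_key_exists($requested, $allowlist)) {
        return $allowlist[$requested];
    }
    // Anything not in the allowlist is treated as the default fragment.
    return $allowlist[$default];
}

// Allowlist: the only fragments a request may ask for (paths anchored to this script).
$fragments = [
    'banner' => __DIR__ . '/includes/bannerlist.html',
    'nav'    => __DIR__ . '/includes/navbar.html',
];

// e.g. ?part=nav selects the navbar; ?part=<anything else> selects the banner list.
$requested = isset($_GET['part']) ? (string) $_GET['part'] : 'banner';
$path = safeFragmentPath($requested, $fragments, 'banner');

if (is_file($path)) {
    include $path;
}
```

The contrast to avoid is building the include path directly from `$_GET`, which is the unsanitized case CTM describes.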
Chris Harte, 2015 Top Expert (Most Article Points)
Commented:
Make sure the includes directory is .htaccess secure and change the file extensions to .php.

A good article on php security is here

http://articles.sitepoint.com/article/php-security-blunders
Most Valuable Expert 2011
Top Expert 2016
Commented:
As a matter of general interest on security, you might want to follow the work of Chris Shiflett (the security expert, not the Foo Fighter) http://shiflett.org

You're probably fine with what you have above, assuming you trust everyone who could have a password for your site, including the hosting service provider.  And including his pissed-off ex-wife who wants to get even with him by destroying all the web sites he hosts.  Didn't think about her, did we?!  

As with most things in security, increasing levels of security come at increasing costs, and there is an inflection point somewhere on those curves.  For 90% of my included files, I do exactly what you're doing and it works out very well.

best regards, ~Ray

Author

Commented:
Thanks.

Almost conflicting replies though.  

I will not be passing any get variables in the includes.

I can change the include files to .php.

MunderMan, can you tell me what permissions should I set in .htaccess for the includes?

I'll check out the security link.  May be over my head, but I'll see.  I just wanted to make sure I wasn't making a huge blunder by using these includes to simplify my site file management.

Thanks guys,
Scott


Most Valuable Expert 2011
Top Expert 2016

Commented:
Not "a huge blunder" - quite the opposite.  You're doing it the right way.  And if it's working right for you I would not change the file types or mess with the locations or the permissions.  Sure, it's possible for somebody to look into those URL paths and see the HTML you have in the include files, but what harm is that?  They can see it with "view source" on your web pages!

Author

Commented:
Ray:

Thanks. Is there a real life story behind that explanation <big grin>.

FWIW, I am the only one with root access, including the host.  And my handful of users are not allowed any shell access.  It's a low end rented dedicated server but of course the provider could get into it with console access.  I don't think the PO'd wife can though <grin>.  Well unless she's the IT brain in the fam...

Most Valuable Expert 2011
Top Expert 2016

Commented:
Happily, no!  But it makes the useful illustration.  What do we want to protect and what do we want to guard against?  If it's nuclear codes, the situation is somewhat different when compared to money, or medical records, or fishing statistics.  

Best to all, ~Ray
Chris Harte, 2015 Top Expert (Most Article Points)

Commented:
In the .htaccess file include the line

"deny from all"

if you are worried about it.
