  1. #1
    Junior Member blondegeek's Avatar
    Join Date
    Jul 2007
    Posts
    7
    Member #
    15559
    Hello there,

    I'm cleaning up the code of my website and I've stumbled upon the very tempting php include(); function. I'd love to use it because then obviously I only have to edit one page to affect all pages linked to it, BUT I definitely don't want any of my information that I include (such as global command to link to my SQL database) to be put at any risk. Is there any way that the include command could present a security risk to my website? It might seem like a n00bish question, but I'd rather be safe than sorry. (Oh, by the way, I'm only using the include command on my own server, not to get stuff from one to the next...just in case that makes any difference.)

    Thanks!


  3. #2
    Senior Member
    Join Date
    Jun 2005
    Location
    Atlanta, GA
    Posts
    4,146
    Member #
    10263
    Liked
    1 times
    Well, there're always security risks, but they won't be related directly to including a page. The key to security issues is to always validate user input. If you don't let the user input malicious data, the number of attack vectors on your site is reduced dramatically. This means anything from GET or POST or uploaded files needs to be validated before going anywhere.

    So include in and of itself should pose little problem.

  4. #3
    Junior Member blondegeek's Avatar
    Join Date
    Jul 2007
    Posts
    7
    Member #
    15559
    Great! Thank you so much!

  5. #4
    Senior Member
    Join Date
    Jun 2005
    Location
    Atlanta, GA
    Posts
    4,146
    Member #
    10263
    Liked
    1 times
    Any time

  6. #5
    Senior Member Steax's Avatar
    Join Date
    Dec 2006
    Location
    Bandung, Indonesia
    Posts
    1,207
    Member #
    14572
    Probably the most important thing is to never literally allow a GET/POST variable to go into an include. Such as...

    PHP Code:
    <?php
      
    include($_GET["page"] . ".html");
    ?>
    This is commonly used by less experienced people for creating dynamic pages. It's most dangerous because people who know of its existence can include their own pages - very very dangerous.
    Note on code: If I give code, please note that it is simply sample code to demonstrate an effect. It is not meant to be used as-is; that is the programmer's job. I am not responsible to give you support or be held liable for anything that happens when using my code.

  7. #6
    Senior Member
    Join Date
    Jun 2005
    Location
    Atlanta, GA
    Posts
    4,146
    Member #
    10263
    Liked
    1 times
    And again -- validate user input. Or disallow it when possible, as would be best in this case.
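
An added example, not part of any post in this thread: the include pattern from post #5 next to an allowlist version that follows the "disallow it when possible" advice in post #6. The page names, the `pages/` directory and the `resolve_page()` helper are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. PAGES, pages/ and resolve_page()
// are hypothetical names chosen for this illustration.

// Pattern from post #5: the request value becomes part of the file path.
// include($_GET["page"] . ".html");

// Allowlist: the request value is only ever used as a lookup key,
// so it never becomes part of a path.
const PAGES = [
    'home'    => 'home.html',
    'about'   => 'about.html',
    'contact' => 'contact.html',
];

function resolve_page($requested, string $baseDir): ?string
{
    // A query parameter can arrive as an array; accept strings only,
    // and only keys that exist in the allowlist.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGES[$requested]);

    // Defence in depth: the file must exist and resolve to a location
    // inside $baseDir, even if the allowlist is edited carelessly later.
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}

// include runs any PHP in the file, which is why only fixed,
// site-owned files are reachable here.
include $file;
```

Adding a page means adding one entry to `PAGES`; anything not listed gets a 404 regardless of what the request contains.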

