PHP Server Side Scripting Forum

Remote File Inclusion Issues
tutorials for newbie
KatrinR
msg:3608124
 6:08 pm on Mar 22, 2008 (gmt 0)

Hello,

I started to learn php and mysql last winter and built two websites with the new gained knowledge.

Now I have problems with remote file inclusions on both websites (both located on different servers).

I read [en.wikipedia.org...] and some of the posts here, yet still don't really know how and where to start with securing my code.

Are there any web tutorials you could point me to where I could learn how to secure my php code agains attackers?

Thank you,
Katrin


Vis3R
msg:3608209
 9:59 pm on Mar 22, 2008 (gmt 0)

As long as you have static file includes, or dynamic but pre-selected ones, you shouldn't have a security issue with the include function. All you need to take care of is that users are not able to change which files your script includes.

include("myscript.php");
is safe

if ($_GET["a"] == "one")
include("one.php");
else if ($_GET["a"] == "two")
include("two.php");
is also safe

include($_GET["textbox1"]);
is not safe, because they can send anything in that textbox1 variable, and include anything they want.

KatrinR
msg:3608750
 8:56 pm on Mar 23, 2008 (gmt 0)

In my index.php I have the following code that calls all other pages.

<script language="php">
if (!isset($_REQUEST['content']))
    include("content//main.inc.php");
else
{
    $content = $_REQUEST['content'];
    $nextpage = $content . ".inc.php";
    include($nextpage);
}
</script>

After reading your post, Vis3R, this seems to be the weak part of my websites, because "they can send anything in that 'content' variable"?
Is this correct?

The solution for a beginner would then be to code the pages more static with clearly defined include files?

Thank you!

coopster
msg:3609307
 6:07 pm on Mar 24, 2008 (gmt 0)

Yes, you are correct. It is user-supplied input and can never be trusted. Always check to be sure the value being passed to you contains what you expect before you use it.

I also note you are using one of the alternative methods for invoking PHP. Although there is really nothing wrong with using that format you may want to reconsider and use the more common format, <?php
Details: Basic syntax [php.net]
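To make the advice in the two replies above concrete (Vis3R's "the user may only pick from files you selected" and coopster's "check the value contains what you expect before you use it"), here is an added example of a hardened version of the index.php pattern from this thread. It is not code from the thread or from either poster; the content/ directory and the .inc.php suffix follow Katrin's post, while the page keys 'about' and 'contact' are assumed for illustration. The request value is only ever used as a key into a fixed array, so it never becomes part of a file path at all; the realpath check afterwards is defence in depth in case a later edit starts building paths from input again.

```php
<?php
// Added example (not from the original thread): a hardened version of the
// index.php include pattern discussed above. The content/ directory and the
// .inc.php naming follow the thread; the page keys 'about' and 'contact'
// are assumed for illustration.

// 1. Allow-list: the only values the 'content' parameter may take, mapped to
//    the file each one loads. The request value is used purely as an array
//    key and is never concatenated into a path.
$pages = [
    'main'    => 'main.inc.php',
    'about'   => 'about.inc.php',   // assumed page
    'contact' => 'contact.inc.php', // assumed page
];

$contentDir = __DIR__ . '/content';

// Read from $_GET rather than $_REQUEST: with $_REQUEST a cookie or POST
// field can silently override the query-string value you expected.
$key = isset($_GET['content']) ? (string) $_GET['content'] : 'main';

if (!array_key_exists($key, $pages)) {
    // Unknown key: serve the default page with a 404 status. Do not echo the
    // raw value back into the page or use it in a path.
    http_response_code(404);
    $key = 'main';
}

$file = $contentDir . '/' . $pages[$key];

// 2. Defence in depth: even though $file was assembled from constants only,
//    confirm the resolved path is a regular file inside the content
//    directory before including it. realpath() collapses any '..' or
//    symlink tricks, so the prefix comparison is made on the real location.
$real = realpath($file);
$base = realpath($contentDir);
if ($real === false || $base === false
    || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0
    || !is_file($real)) {
    http_response_code(500);
    exit('Page not available');
}

include $real;
```

Two caveats for anyone applying this. First, the php.ini setting allow_url_include = Off (the default since PHP 5.2) only stops include() from fetching http:// and similar URLs; it does nothing against local inclusion such as content=../../../etc/passwd or php://filter streams, which is why the allow-list is the real fix and the ini setting is only a backstop. Second, on PHP versions before 5.3.4 a %00 in the parameter truncates the path, so the appended ".inc.php" suffix in the original code gave no protection at all on the servers of that era.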

KatrinR
msg:3627817
 1:56 am on Apr 16, 2008 (gmt 0)

My reply is late, yet I wanted to thank you for the response.

Actually, I started learning php in an online course! With what I know now, I will be more cautious when taking the intermediate class.

Katrin

© Webmaster World 1996-2014 all rights reserved