
PHP Includes...

Security Question

         

madcat

2:47 pm on Oct 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have a default.html page that imports content via php includes. It looks like this:

>> header include

>> content include:

<?php
$page = $_GET['page'];
if ($page === null) {
    $page = 'main';
}

require_once ("includz/".$page.".inc");
?>

>> footer include

- Could you tell me what, if any, are the security issues this method might present. If there are any, why is this a problem? How can it be done better...?

Thanks for any help!

sixii

3:49 pm on Oct 5, 2003 (gmt 0)

10+ Year Member



This would be my code, dunno if it's a smart one..

<?php
$page = $_GET['page'];
if (file_exists("includz/$page.inc")) {
    require_once ("includz/$page.inc");
} else {
    require_once ("includz/main.inc");
}
?>

jatar_k

3:50 pm on Oct 5, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I can't think of any really but I imagine there is a specific reason you are worried about it.

So, what exactly are you worried about?

madcat

6:14 am on Oct 6, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm really just trying to get a handle on PHP at the moment, so I'm not quite sure what the consequences of such a system would be. It has been pointed out, using this method...

<?php
$page = $_GET['page'];
if ($page === null) {
    $page = 'main';
}

require_once ("includz/".$page.".inc");
?>

Now, this would be a no no if you have lots of pages and are serious about SE rankings......

you better add some validation, or people could do this:

index.html?page=../../../../../../../../../../etc/passwd


--------------------------------------------------------------------------------

The above is a security issue, pulling content in by query (?whatever) is the no no for search engines. Now, read up on the mod_rewrite and it shouldn't be a problem. But, just so you know, most SE's won't parse anything past '?'s, in fear that they will get caught in a huge web of content in databases.....

Should I be looking into mod_rewrite to complete this job? Do these quotes sound relevant to this situation? Will this have a negative impact on my SE rankings? I appreciate any help...

M

jamie

9:07 am on Oct 6, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



hi madcat,

re: the security issue:

you should know the exact names of all included files, so list all of these in an array:

// names of the include files that may be requested via ?page=
$arr_inc_filenames = array(
    'products',
    'aboutus',
    'contact',
    'services'
);

then you can check to see if each $_GET['page'] is in this array (i.e. that it is a valid filename), and if not then substitute the $_GET['page'] value for 'main'.

that way if anyone plays silly buggers and tries to get a sensitive file from your system, because the file doesn't exist in your array of allowed filenames, it will be substituted.

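$page = isset($_GET['page']) ? $_GET['page'] : 'main';

// anything that is not an allowed filename is replaced by 'main' (strict comparison)
if (!in_array($page, $arr_inc_filenames, true)) {
    $page = 'main';
}

// $page is now either an allowed filename or 'main'
require_once ("includz/".$page.".inc");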

re: the mod_rewrite question.
google has no problem with a single ? in the URL.

however, I found quite an easy way to remove the ? by using the $PATH_INFO variable. sitepoint has an excellent article [sitepoint.com] on it - read the METHOD 1 about PATH_INFO.

good luck
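
An added example, not code from any poster in this thread: it runs the file_exists()-only check and the allow-list check side by side over constructed ?page= values, and adds a realpath() containment test as a second layer that the thread does not mention. The helper name resolve_include, the temp directory layout and secret.inc are assumptions made up for the demonstration.

```php
<?php
// Added example: hypothetical helper, constructed files and inputs.

// Resolve ?page= to a file inside $baseDir, or fall back to main.inc.
function resolve_include($page, string $baseDir, array $allowed): string
{
    $fallback = $baseDir . DIRECTORY_SEPARATOR . 'main.inc';
    // Reject non-strings (?page[]=x arrives as an array) and anything not on the list.
    if (!is_string($page) || !in_array($page, $allowed, true)) {
        return $fallback;
    }
    // Second layer: the resolved path must still sit under $baseDir.
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.inc');
    $root = realpath($baseDir) . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $root, strlen($root)) !== 0) {
        return $fallback;
    }
    return $real;
}

// Constructed layout: <tmp>/includz/{main,products}.inc plus <tmp>/secret.inc outside it.
$tmp  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
$base = $tmp . DIRECTORY_SEPARATOR . 'includz';
mkdir($base, 0700, true);
file_put_contents("$base/main.inc", 'main');
file_put_contents("$base/products.inc", 'products');
file_put_contents("$tmp/secret.inc", 'outside includz');

$allowed = ['main', 'products'];
// Constructed request values: one valid name, two traversal strings, an array, a missing value.
$inputs = ['products', '../secret', '../../../../etc/passwd', ['x'], null];

foreach ($inputs as $in) {
    $label = is_string($in) ? $in : gettype($in);
    // The file_exists()-only check from earlier in the thread, for comparison.
    $existsOnly = is_string($in) && file_exists("$base/$in.inc");
    $chosen = basename(resolve_include($in, $base, $allowed));
    printf("%-24s file_exists=%-3s allow-list -> %s\n",
        $label, $existsOnly ? 'yes' : 'no', $chosen);
}

// Clean up the constructed files.
array_map('unlink', ["$base/main.inc", "$base/products.inc", "$tmp/secret.inc"]);
rmdir($base);
rmdir($tmp);
```

The `../secret` row is the one to look at: file_exists() reports the file as present because the path resolves outside includz, while the allow-list falls back to main.inc.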