protecting includes?


#1 aebstract


Posted 21 July 2006 - 02:46 PM

I have been told lately that it is possible for some hackers to get into servers and stuff through include systems. Could anyone help out telling potential ways to make an include safe so that someone can't do anything with it through url or anything? Thanks.

There is an area of the mind that could be called unsane, beyond sanity, and yet
not insane. Think of a circle with a fine split in it. At one end there's
insanity. You go around the circle to sanity, and on the other end of the
circle, close to insanity, but not insanity, is unsanity.

#2 wildteen88


Posted 21 July 2006 - 02:52 PM

When you are including files, make sure the file you are including actually exists on your server, and use your server's document root when including files, especially when doing something like this:
$page = $_GET['page'];

include $_GET['page']. '.php';

So rather than doing the above do this:
$page = $_GET['page'];
// build the path under the document root
$file = $_SERVER['DOCUMENT_ROOT'] . '/' . $page . '.php';
// check that the file exists on the server first
if (file_exists($file)) {
    // if it does, include it
    include $file;
} else {
    // file doesn't exist, hacking attempt!
    die('<h1>hacking attempt</h1>');
}

That isn't the best way of doing it, but is just a quick example.
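
An allowlist version of the same include, as an added example that is not part of the original posts: only page names listed in advance can be included, and realpath() confirms the resolved file stays inside the pages directory. The function name resolve_page, the temporary pages directory and the page names are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread. Directory and page names are assumed.

/**
 * Map a user-supplied page name to a file inside $baseDir.
 * Returns the absolute path to include, or null if the request is rejected.
 */
function resolve_page(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: only page names we ship can ever reach include.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: resolve "..", symlinks and missing files,
    //    then confirm the result is still inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // base directory or page file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the pages directory
    }
    return $path;
}

// Constructed demo: a temporary pages directory containing one page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home page';");
$allowed = ['home', 'about']; // 'about' is allowed but its file is missing

// Constructed sample inputs, standing in for $_GET['page'].
foreach (['home', 'about', '../config', 'http://example.com/x', ''] as $input) {
    $file = resolve_page($input, $dir, $allowed);
    printf("%-24s => %s\n", json_encode($input),
        $file === null ? 'rejected' : 'include ' . basename($file));
}

// In a real script the caller would check is_string($_GET['page'] ?? null),
// send a 404 when resolve_page() returns null, and otherwise: include $file;
unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```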
