
PHP INCLUDE CODE-SECURITY ADVICE PLEASE



#1 flashback
  • New Members
  • Newbie
  • 9 posts

Posted 22 July 2006 - 10:37 PM

<?php
// $_REQUEST['id'] is attacker-controlled and reaches include() unvalidated
if ($_REQUEST['id'] == "") {
  include "news.html";
}
else {
  include $_REQUEST['id'].".html";
}
?>


How do I secure this code so people can't load pages from outside my server?

Some guy tried to r57.txt me and pulled my info up.

thanks

#2 Branden Wagner
  • Members
  • Advanced Member
  • 111 posts

Posted 22 July 2006 - 10:40 PM

The way I do it is by folder:

include("includes/". $_REQUEST['file']);

That way, worst comes to worst, he pulled up a public file...
In the includes directory I only put files that ANYONE can see.



#3 mainewoods
  • Members
  • Advanced Member
  • 685 posts
  • Location: Maine

Posted 22 July 2006 - 10:54 PM

I don't know if I'm supposed to mention the competition here, but the best page I ever found on PHP include security is here:

http://www.phpbuilde...php3?id=1018208

-- read the replies at the bottom of the page.

#4 JaGeK
  • Members
  • Member
  • 20 posts
  • Location: NRW, Germany

Posted 22 July 2006 - 10:54 PM

The way I do it is by folder:

include("includes/". $_REQUEST['file']);


This doesn't make any sense if you don't use a function like basename(). Otherwise the "hacker" can still put something like file=../../top.secret in the request data and access more or less everything the webserver user is allowed to.

Better take an array with elements containing the allowed files, something like:

<?php
// Allow-list: request values are only ever used as keys into this table,
// so the raw input never reaches include()
$includes = array(
    'news' => 'news.html',
    'home' => 'home.html',
    //  ...
);

// Fall back to the default page unless the id is a known key
if (!empty($_GET['id']) && isset($includes[$_GET['id']])) {
    $include = $_GET['id'];
} else {
    $include = 'news';
}

include $includes[$include];
?>
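A hardened version of the allow-list idea above, added here as an example rather than code from any poster in this thread. It assumes PHP 8 and a hypothetical ./pages directory that holds only public files; the realpath() containment check is defence in depth so that a wrong entry in the table cannot reopen the traversal hole, and rejected values are logged so probes like file=../../top.secret show up.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: public pages live in ./pages next to this script
const PAGES_DIR     = __DIR__ . '/pages';
const ALLOWED_PAGES = [
    'news' => 'news.html',
    'home' => 'home.html',
];
const DEFAULT_PAGE  = 'news';

/**
 * Map the request parameter to an absolute path inside PAGES_DIR.
 * Returns null for anything that is not an exact allow-list key.
 */
function resolve_page(mixed $id): ?string
{
    // Arrays (id[]=x), empty values and oversized strings are rejected outright
    if (!is_string($id) || $id === '' || strlen($id) > 64) {
        return null;
    }
    // Only table keys are consulted; the raw value never touches include()
    if (!array_key_exists($id, ALLOWED_PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must exist and sit under PAGES_DIR
    $real = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$id]);
    $base = realpath(PAGES_DIR);
    if ($real === false || $base === false
        || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

$id   = $_GET['id'] ?? DEFAULT_PAGE;
$page = resolve_page($id);
if ($page === null) {
    // Record the rejected value (truncated) so traversal or remote-URL probes are visible
    error_log('rejected page id: ' . substr(var_export($id, true), 0, 100));
    $page = resolve_page(DEFAULT_PAGE);
}
if ($page === null) {
    // Even the default page is missing or outside PAGES_DIR: fail closed
    http_response_code(404);
    exit('page not found');
}
include $page;
```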


#5 number9dream
  • Members
  • Member
  • 16 posts

Posted 22 July 2006 - 11:07 PM

Maybe not the most helpful advice, but never trust user input!

$_REQUEST is supplied directly by the user, and so it is pure madness to call files based on this input.

I would suggest that you need to rethink your structure from scratch, if security is something you are concerned about.

At a bare minimum, you need to analyse (and sanitise) this data in order that it can only match pages that you intend to be public.



