php Readfile vs. Include


jerastraub

Is there any difference in server load between a PHP include statement versus a PHP readfile? Also, I have another question.
I read recently the following:
[code]"There is a security issue using the "include" command as it will run just as if the browser had allowed it.

It is possible for a malicious web site to cause damage to your computer including deleting everything."
[/code]
Is this True or False?
https://forums.phpfreaks.com/topic/32647-php-readfile-vs-include/

The readfile(...) outputs the contents of the file to the browser. If this was HTML/CSS/JavaScript, it would have meaning. If the file contains PHP, the PHP code is not parsed and is simply sent to the browser. The browser would attempt to render and display this as if it was HTML. The readfile(...) statement is not the functional equivalent of the PHP include(...) statement.

The first sentence in your security question is nonsense. A PHP include (and even an SSI include) is executed server side and a browser has no knowledge of or control over it.

For your second security question: a web site by itself, just serving HTML/CSS/JavaScript, cannot harm anything on your computer. The danger comes in if a web site serves a .zip/.exe file with malicious code and you execute it, or if it serves a media/document file which contains an exploit for a media player/viewer or application (Word/Excel...).
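
The difference described in the answer above, as an added example that is not part of the original thread: the same file is passed to readfile() and to include, and the output each would send to the browser is captured and compared. The temporary file, its contents, the `capture()` and `includePage()` helpers and the page map are all constructed for this illustration.

```php
<?php
// Constructed sample: a small file mixing static markup and PHP code.
$path = sys_get_temp_dir() . '/readfile_vs_include_' . bin2hex(random_bytes(4)) . '.php';
file_put_contents($path, "<p>static markup</p>\n<?php echo 'computed: ' . (6 * 7); ?>\n");

// Hypothetical helper: collect what a call would have sent to the browser.
function capture(callable $fn): string {
    ob_start();
    $fn();
    return ob_get_clean();
}

// Hypothetical helper: include only files named in a fixed server-side map,
// so a page key taken from a request never becomes a file path itself.
function includePage(string $key, array $pages): bool {
    if (!array_key_exists($key, $pages)) {
        return false;            // unknown key: nothing is included
    }
    include $pages[$key];        // parsed and executed on the server
    return true;
}

$pages = ['demo' => $path];      // constructed allowlist

// readfile() copies the bytes unchanged: the PHP source is sent as text.
$viaReadfile = capture(function () use ($path) { readfile($path); });

// include runs the file through the PHP engine: only its output is sent.
$viaInclude = capture(function () use ($pages) { includePage('demo', $pages); });

echo "--- readfile() sent ---\n", $viaReadfile, "\n";
echo "--- include sent ---\n", $viaInclude, "\n";

echo "PHP source visible via readfile(): ";
var_dump(strpos($viaReadfile, '<?php') !== false);
echo "PHP source visible via include:    ";
var_dump(strpos($viaInclude, '<?php') !== false);
echo "Unknown page key included:         ";
var_dump(includePage('not-a-page', $pages));

unlink($path);                   // remove the constructed sample file
```

Run it with the PHP command-line interpreter; the practical point for a site owner is that readfile() on a .php file discloses its source, while include executes whatever file it is given, which is why the path is taken from a fixed map here.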

Archived

This topic is now archived and is closed to further replies.
