Jump to content

[SOLVED] Prevent file inclusion?

Attilitus

By Attilitus
in PHP Coding Help

 Share

Recommended Posts

Jessica Advanced Member

Jessica

Posted
Posted

In the allowed files, define a constant. As the first lines of the include, check what the value of that constant is. If it's not the same, die.

 

This won't work if people have access to the actual code of your include, as then they'd see what the deal was.

Link to comment
Share on other sites
Attilitus Newbie

Attilitus

Posted
  • Author
Posted

Hm... wouldn't variables be a more secure way of going about this? I was thinking about it and constants can never be undefined, and their names/values can be easily outputted (although not unless they were able to include code in the first place, but still)

 

Wouldn't it be more secure, overall, to just use variables? Or is there some benefit to using constants?

Link to comment
Share on other sites
Jessica Advanced Member

Jessica

Posted
Posted

Because if you used a variable, say:

$check = true;

 

And before they tried to include it, they happened to use a variable called $check, and set it true, then your script would include.

They cannot change a constant, or redefine it.

 

I posted a question about constants vs variables a few days ago, look back a few pages, it helps explain the benefits of Constants.

Link to comment
Share on other sites
Attilitus Newbie

Attilitus

Posted
  • Author
Posted

Yes, but with a constant they could merely use the print constants function and discover the exact name and value of the constant being used. Variables can simply have random names (and even more securely random values) and in an encoded script would be completely unfindable provided that you use some due diligence in coding the system to prevent the variables from ever having the opportunity to be printed. With constants it is impossible to undefine them or prevent them from easily being discovered.

 

I am still looking for a method of preventing inclusion without any exceptions, by the way. I have found a small security flaw in my system that requires it, otherwise I may have to get tricky (and my trickiness is inherantly less secure than purely preventing inclusion unconditionally would be)

 

Thanks!

 

~Attilitus

Link to comment
Share on other sites
Attilitus Newbie

Attilitus

Posted
  • Author
Posted

They would be able to use the get_defined_constants() function to print all defined constants and their values. Constants cannot be undefined, unlike variables. Perhaps in a flawless script whereby it is impossible to include ANY code anywhere it would be fine to use constants, but I would prefer to easily be able to unset my variables after passing&verifying them to prevent any possibility of their values being discovered.

 

PS. (Still trying to figure out a way to prevent inclusion unconditionally...) (Not trying to be a pain, just making sure that the last post in the thread includes this request.)

 

Link to comment
Share on other sites
corbin Regular Member

corbin

Posted
Posted

You misunderstood what I was saying... The CORBIN constant wouldn't be set unless the script trying to include it set it!

 

So basically you wish to keep someone from including a file, even if they can read the file they are trying to include...

 

You could use the constant idea but md5 it...

Link to comment
Share on other sites
Attilitus Newbie

Attilitus

Posted
  • Author
Posted

Right, but the user could discover what constant is necessary to include by running the above mentioned function and then set that constant in their own file before including the file that is not allowed to be included.

 

For example, and pardon my shorthand:

 

<?php

define constant corbin=44

include file.php

?>

 

<?php (file.php)

if corbin=44 run script

 

include non-encoded file.php

?>

 

<?php (non-encoded file.php)

//user adds below code

 

get_defined_constants();

?>

 

The user now knows that in order to include file.php from another script all they need to do is first define the constant corbin to equal 44. With variables you could simply unset them after the check to prevent them from ever being outputted.

 

In a properly secured script without any user-editable files that are part of the code, the constant idea works fine. But if the user were to ever have the opportunity to edit the code after the constant was defined, it would not be secure at all.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.