Safe Include

Add Comment | Related Links | TrackBack
Related Content

Safe Include

PHP's include function is really handy. You can use it to include any file content directly into your PHP page. But it can be a huge security vulnerability. You see, you can also include content from any web page using the standard URL. This means you can include content from another site. In turn, it means if you are not careful, a hacker could exploit it by executing their PHP scripts on your server using your include function. It's too easy to write the following lines:

  $file = $_GET ["file"];
  include ($file);

A hacker can easily type in an URL and execute a PHP script on your server. The solution? Use a safer include function, such as the following:

  function safeInclude ($filename)
  {
    if (file_exists ($filename))
    {
      include ($filename);
    }
  }

You can go one step further by stripping out the URL:

  $filename = ereg_replace ("http:\/\/.*\/", "", $filename);

Chieh Cheng
Wed, 06 Dec 2006 00:19:48 -0800

Add Comment | Related Links | TrackBack
Related Content

Did your message disappear? Read the Forums FAQ.

Add Comment

Spam Control | * indicates required field

TrackBack

TrackBack only accepted from WebSite-X Suite web sites. Do not submit TrackBacks from other sites.

Send Ping | TrackBack URL | Spam Control

No TrackBacks yet. TrackBack can be used to link this thread to your weblog, or link your weblog to this thread. In addition, TrackBack can be used as a form of remote commenting. Rather than posting the comment directly on this thread, you can posts it on your own weblog. Then have your weblog sends a TrackBack ping to the TrackBack URL, so that your post would show up here.

Messages, files, and images copyright by respective owners.

Fun for Photographers

Get Our

Memecoins!