furn355 Posted June 9, 2010
Okay, so the rumour is include() is not secure. What are the alternatives I should be using? And why?
iSOS Posted June 9, 2010
"include()" is not insecure. 0.o
Zero-Affect Posted June 9, 2010
I'm sorry, where did someone say include isn't secure?
LordDan Posted June 9, 2010
It's only insecure if you're allowing user input to include a page, in which case there are a number of ways to verify the page is valid.

1) Switches (quick and easy for small numbers of pages):

    if( isset( $_GET['page'] ) ) {
        switch( $_GET['page'] ) {
            case 'page1':
                include( 'path/to/page1.php' );
                break;
            case 'page2':
                include( 'path/to/page2.php' );
                break;
            default:
                include( 'index.php' );
        }
    }

2) List the valid pages in an array:

    if( isset( $_GET['page'] ) ) {
        $pages = array( 'page1', 'page2', 'page3' );
        // third argument makes the comparison strict (no type juggling)
        if( in_array( $_GET['page'], $pages, true ) ) {
            include( $_GET['page'] .'.php' );
        } else {
            include( 'index.php' );
        }
    }

3) The file_exists way. Put all pages that are allowed to be included by user input into a separate dir:

    if( isset( $_GET['page'] ) ) {
        // basename() drops any directory part, so a "../" in the request cannot leave the allowed dir
        $page = basename( $_GET['page'] );
        if( file_exists( 'path/to/allowed/pages/'. $page .'.php' ) ) {
            include( 'path/to/allowed/pages/'. $page .'.php' );
        } else {
            include( 'index.php' );
        }
    }

Does this clear up your confusion? Includes/requires are a very important part of PHP. As I said, they're only insecure if you do not validate a page which is being called in via user input, or by placing the page to include as a param in the web address (example.com?page=pagename). :thumbup:
Dayo Posted June 9, 2010
include is secure unless you do something like:

    include $_GET['HACKME'].'.php';
Danny696 Posted June 9, 2010
require is the only alternative, I think.
LordDan Posted June 9, 2010
> require is the only alternative, I think.

They're the same and share the same need for user input validation. The only difference is that require() spits out an E_ERROR if the file doesn't exist. Both of them are only insecure if you're allowing user input to include a page and you fail to validate it.
furn355 Posted June 9, 2010 (Author)
It was to my understanding that if someone is using, say:

    include "globals.php";

I could make a text file which included the insides of global.php on another server, which would also contain a function of some variety to achieve my means, then run something like:

    http://domain/index.php?page=http://domain2/code.txt

where his script would then run? :S No?
LordDan Posted June 9, 2010
> It was to my understanding that if someone is using, say: include "globals.php"; I could make a text file which included the insides of global.php on another server, which would also contain a function of some variety to achieve my means, then run something like: http://domain/index.php?page=http://domain2/code.txt where his script would then run? :S No?

If I remember correctly, this can only happen if you have something like "allow_url_include" or some similar setting in the PHP INI enabled; by default, it should be disabled for security.

If you wish to test, try and include a page on your own server but include the full address, "http://www.yoursite.com/globals.php". You "should" get something like:

    Warning: include() [function.include]: http:// wrapper is disabled in the server configuration by allow_url_include=0 in C:\xampp\htdocs\temp\prev0~.php on line 9
    Warning: include(http://www.google.com/globals.php) [function.include]: failed to open stream: no suitable wrapper could be found in C:\xampp\htdocs\temp\prev0~.php on line 9
    Warning: include() [function.include]: Failed opening 'http://www.google.com/globals.php' for inclusion (include_path='.;C:\xampp\php\PEAR') in C:\xampp\htdocs\temp\prev0~.php on line 9

Tested on google.
Zero-Affect Posted June 9, 2010
I use something very like this:

> if( isset( $_GET['page'] ) ) {
>     $pages = array( 'page1', 'page2', 'page3' );
>     if( in_array( $_GET['page'], $pages ) ) {
>         include( $_GET['page'] .'.php' );
>     } else {
>         include( 'index.php' );
>     }
> }

but mine's more like:

    $file_array = array( 'files/file1.php', 'files/file2.php' );
    // keep the request only if it is exactly one of the listed paths, otherwise fall back to the first file
    $_GET['page'] = ( isset($_GET['page']) && in_array($_GET['page'], $file_array, true) )
        ? $_GET['page']
        : $file_array[0];
    # File Inclusion (Start)
    foreach ( $file_array as $value ) {
        if ( $_GET['page'] == $value ) {
            include_once ( dirname(__FILE__) . '/' . $value );
        }
    }
    # File Inclusion (End)

This may not work; I edited it, since I'm not giving out my entire index.php file (basically 50 lines in my index file).
furn355 Posted June 9, 2010 (Author)
It's given me something to think about, thanks Zero & LordDan.
DigitalGerm Posted June 9, 2010
> Okay so we all know include is not secure.

I didn't know that? With $_GET, I use the switch statement that LordDan provided; it's simple to add new rules and actions. I don't think you can include a file from another server simply using include and http://... because the server will try to find it locally.
Guest Posted June 10, 2010
> I use something very like this:
>
>     if( isset( $_GET['page'] ) ) {
>         $pages = array( 'page1', 'page2', 'page3' );
>         if( in_array( $_GET['page'], $pages ) ) {
>             include( $_GET['page'] .'.php' );
>         } else {
>             include( 'index.php' );
>         }
>     }
>
> but mine's more like:
>
>     $file_array = array( 'files/file1.php', 'files/file2.php' );
>     $_GET['page'] = ( isset($_GET['page']) && in_array($_GET['page'], $file_array, true) )
>         ? $_GET['page']
>         : $file_array[0];
>     # File Inclusion (Start)
>     foreach ( $file_array as $value ) {
>         if ( $_GET['page'] == $value ) {
>             include_once ( dirname(__FILE__) . '/' . $value );
>         }
>     }
>     # File Inclusion (End)
>
> This may not work; I edited it, since I'm not giving out my entire index.php file (basically 50 lines in my index file).

Zero again? :P No need for the foreach() -.- Here, maybe? :P

    $pages = array(
        'Explore' => 'city',
        'Home'    => 'index'
    );
    $keys = array_keys($pages);
    // anchored, case-sensitive match against the allowed keys only;
    // the D modifier stops "$" from also matching before a trailing newline
    $page = isset($_GET['page']) && is_string($_GET['page'])
          && preg_match("`^(" . implode("|", array_map('preg_quote', $keys)) . ")$`D", $_GET['page'])
        ? $_GET['page']
        : array_shift($keys);
    include dirname(__FILE__) . '/' . $pages[$page] . '.php';

:O?
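Pulling together the allow-list approaches in this thread (LordDan's array and file_exists variants, and the name-to-file map just above) into one router; this is an added example, not code posted by anyone in the thread. It assumes this script is index.php and that the only includable pages live in a pages/ directory beside it.

```php
<?php
// Added example, not from the thread. Assumed layout: this file is index.php
// and the only includable pages are ./pages/home.php and ./pages/about.php.
declare(strict_types=1);

// Allow-list: public page name => file. Nothing outside this map is ever
// included, so "../", "http://", null bytes or a stray ".php" in the request
// never reach the filesystem.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/**
 * Map the raw ?page= value to an absolute file under $dir, or return null if
 * it is not an allow-listed page. The request value is only ever a lookup key,
 * never part of a path, which is what file_exists('dir/' . $_GET['page'] . '.php')
 * gets wrong.
 */
function resolve_page($requested, string $dir): ?string
{
    // No value at all: serve the default page.
    if ($requested === null) {
        $requested = 'home';
    }
    // Non-string (?page[]=x) or unknown name: reject.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $real = realpath($dir . '/' . PAGES[$requested]);
    $base = realpath($dir);
    // Belt and braces: the file must exist and really sit under $dir.
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$file = resolve_page($_GET['page'] ?? null, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Because the lookup happens before any path is built, a request value that is not exactly one of the PAGES keys is answered with a 404 and never touches include, regardless of allow_url_include or what the value looks like.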
Zero-Affect Posted June 10, 2010
Good point, I think I'm obsessed with foreach lol. Mine is a little different to what I posted anyway; I do use key and value in the array because I use the key for the title... anyways lol
Dillion & Amanda 4 Lif Posted June 13, 2010
Ahh, because if you didn't, based on your layout you'd have to go to every single page/function and add a title, but this way it does it for you. @zero
Zero-Affect Posted June 13, 2010
My array is a little more complex:

    $example_array = array( 'file1' => 'file1.php', 'file2' => 'file2.php' );

Then later I use something similar to what I coded up a long time ago on here to grab the title name from the page $_GET, then strip any unwanted characters and put it into the right places. It's actually quite an amazing little setup.
Diesl Posted June 21, 2010
Just wondering, why are people using

    include(DIRNAME(__FILE__) . '/whateverpage.php');

instead of the default

    include "whateverpage.php";

? I've seen it on quite a few mods and I'm not sure of its reasoning.
Jordan Palmer Posted June 21, 2010
I use it as it looks cleaner :). It's pretty secure too? I'm not sure of the story behind it, just what I was told basically.
Zeggy Posted June 21, 2010
You use __FILE__ to help in this kind of situation: you call file1.php, which has a line to include 'subfolder/file2.php'. file2.php also has a line to include 'file3.php'. Now, where will PHP look for file3.php? In the root folder, since that is where file1.php is, or inside subfolder/, since that is where file2.php is?

When you have lots of includes in many different folders, this can get very confusing and you could make many mistakes, or even make your entire file system unusable in your script. You can be consistent with includes if you use DIRNAME(__FILE__): it will always include the file from the same folder as the included file. So in this situation, it will include 'subfolder/file3.php'.