Security of included files

I have files which are included in my PHP code. How do I know for sure that their content cannot be read?

I have read that [B]I should never include, require or otherwise open a file based on user input without checking it first.[/B]

PHP

17 Comments

@Sheldon, Nov 28.2005 — you could store them in a non-public directory

but with the second statement, how can a user decide to include a file?

You set all files that can be included, remember php is run on the SERVER SIDE.

What is your profession Toplisek?
@toplisek (author), Nov 30.2005 — There was some article by Dave Clark, "PHP Security Mistakes", on www.devshed.com

(date 2004-06-09).

Item number 1.

So, it is quoted there that it should be:
[code=php]
if (isset($page))
{
    include($page);
}
[/code]
@Sheldon, Nov 30.2005 — Yes, what are you saying by that?

What point or question are you asking?

That is definitely not a security issue.

To continue on your examples by showing it can be secure.
[code=php]
<?php
// a link to your page
// <a href="/index.php?page=toplisek">View info about Toplisek</a>

// and the code to read that value back from the query string
// (the parameter name must match the one used in the link, so 'page', not 'action')
$page = isset($_GET['page']) ? $_GET['page'] : null;
// so $page = "toplisek"

if (isset($page)) // i.e. is a page referred to by the query string?
{
    include($page); // it is! so include the page
} // in this case it will call the main page from "/toplisek/index.html/php
// of course to close any security holes you would use an else
else
{
    print 'Page not found';
}
?>
[/code]


And you didn't answer my question in the first post?

@NogDog, Nov 30.2005 — If you just include any file the user asks for, then yes, it could be a security hole (e.g.: include "/usr/passwd/" would not be a good idea). In such a case, you either need to check the requested file against a list of allowed files before including it or refuse the request, or perhaps only allow requests from specific directories.
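Both of the defences NogDog describes, an allow-list of includable pages and a check that the resolved file stays inside one directory, written out as an added example (not code from the thread; the `pages/` directory and the file names in the map are hypothetical):

```php
<?php
// Added example: the user-supplied value is only ever used as a KEY into a
// fixed map, never as a path. Values such as "../../etc/passwd", absolute
// paths, "php://" wrappers or remote URLs can therefore never reach include().
$pages = [
    'home'     => 'pages/home.php',     // hypothetical file names
    'toplisek' => 'pages/toplisek.php',
    'contact'  => 'pages/contact.php',
];

// Resolve a page key to an absolute path, or return null if it is not allowed.
// The realpath() check is a second, independent guard: even if an entry in the
// map were mistyped, nothing outside $baseDir could be included.
function resolvePage(array $pages, string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, $pages)) {
        return null;                      // not in the allow-list
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . basename($pages[$key]));
    if ($base === false || $target === false) {
        return null;                      // directory or file does not exist
    }
    // Require $target to be strictly inside $base (prefix plus separator).
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

$requested = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
$file = resolvePage($pages, $requested, __DIR__ . '/pages');

if ($file === null) {
    header('HTTP/1.1 404 Not Found');
    echo 'Page not found';
    exit;
}

include $file;
```

Unknown keys and anything the allow-list does not name get a generic 404 rather than an error message that echoes the requested value, so the response does not help an attacker learn the directory layout.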
@bokeh, Nov 30.2005 — [QUOTE]open a file based on user input without checking it first.[/QUOTE]What are you doing that would necessitate files to be opened based on user input?
@toplisek (author), Nov 30.2005 — I'm checking all mistakes that can be made. Thanks for all the replies.

Sheldon, I'm a beginner coder for PHP. My profession is not computer science.

Bokeh, I just found an example for common mistakes.

@bokeh, Nov 30.2005 — [QUOTE]Bokeh, I just found an example for common mistakes.[/QUOTE]Have you got a live website where one can view your work?
@toplisek (author), Nov 30.2005 — Dear Bokeh,

I hope it will be in one year. But I will start with simple pages. That is the reason why I send questions.
@Sheldon, Nov 30.2005 — [quote]Sheldon, I'm a beginner coder for PHP. My profession is not computer science.[/quote] No offence, just wondering.

If you want a decent way to learn, learn direct from the source: http://php.net & http://zend.com/developers.php

@toplisek (author), Dec 01.2005 — Thanks Sheldon. You are very kind. I have worked many years with HTML and now PHP.

If you want to learn you have to do it practically, with coding, not only the manual.

@Sheldon, Dec 01.2005 — [QUOTE]Thanks Sheldon. You are very kind. I have worked many years with HTML and now PHP.

If you want to learn you have to do it practically, with coding, not only the manual.[/QUOTE]


Good on you. If you have worked many years with HTML you're doing better than me, I only started a couple of years ago.

[quote][quote]Have you got a live website where one can view your work?[/quote]I hope it will be in one year. But I will start with simple pages. That is the reason why I send questions.[/quote]
Do you have many examples of your practical coding? If you have been working with HTML for so long you must have an online example.

@toplisek (author), Dec 01.2005 — I cannot show my work publicly. Sorry Sheldon. I have already worked on my site for 3 months.
@bokeh, Dec 01.2005 — [QUOTE]I cannot show my work publicly. Sorry Sheldon. I have already worked on my site for 3 months.[/QUOTE]What's the big secret? He is only asking to have a look at a website you have built.
@Sheldon, Dec 01.2005 — If you go to http://www.slweb.co.nz/portfolio.php you can see mine; I can even give you a few addresses that aren't on there, it's no big secret. In fact that's why I have learnt all this, to see and show what I can do.
@bokeh, Dec 01.2005 — [QUOTE]no big secret.[/QUOTE]11pm and not in the pub. Is your wallet empty?
@Sheldon, Dec 01.2005 — Just got home, bit blurry, big night tomorrow, am shaving off the beard. If I do I get a $200 bar tab; I'll post a photo of before and after tomorrow morning.

I was only there from 4 till 10:15

@Sheldon, Dec 01.2005 — I have posted the photo for all interested: [url=http://www.webdeveloper.com/forum/showthread.php?t=87148]Visit Post[/url].