OldTimer Posted March 20, 2005

Hi, is this safe (secure to use)?

<?php include ("includes/file.php"); ?>

Greg
TCH-Bruce Posted March 20, 2005

Yes, that would be safe. If a person views the source they will see the content of the include and not the path to the include file.
borfast Posted March 20, 2005

Yes, Greg. That's safe. The big problem with includes (the one you probably heard of and that made you post this question) is if you use variables in your include() or require() statements and register_globals is turned on. For example, imagine someone goes to your site and types an extra parameter in the URL, like http://******/index.php?file=/etc/passwd and inside index.php you have something like include($file)... Since register_globals is turned on, that expression would automatically be converted into include("/etc/passwd") and... well, I guess you can imagine the rest.
carbonize Posted March 20, 2005

You are saying you have register_globals turned on on your servers?
Guest helpbytes Posted March 20, 2005 (edited)

> You are saying you have register_globals turned on on your servers?

It's turned on on the UK1 server... The safe way to get variables is to use $_POST or $_GET, and getenv to get environment variables. You must also check all input when using it in include or file opening etc., and if you're using it as part of an SQL query...

You can turn off register_globals in your .htaccess too:

php_flag register_globals off

Edited March 20, 2005 by helpbytes
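The pattern borfast describes and the safe approach helpbytes recommends, side by side, as an added example that is not code from the thread. The page names and file paths in the allow-list are assumptions made up for the example.

```php
<?php
// Added example (not from the thread): the include pattern borfast describes,
// beside a hardened version that never lets request input reach the path.
//
// VULNERABLE (relies on register_globals): $file is populated straight from
// ?file=... so a request like index.php?file=/etc/passwd turns this into
// include("/etc/passwd"). Shown for contrast only.
//
//   include($file);
//
// HARDENED: read the parameter explicitly from $_GET and map it through an
// allow-list, so the request can only select one of a fixed set of files
// under includes/. The request value is used only as an array key, never
// as part of a path, so there is nothing to traverse or inject.

// Assumption: these page names and files are hypothetical for this example.
const ALLOWED_PAGES = [
    'home'    => 'includes/home.php',
    'about'   => 'includes/about.php',
    'contact' => 'includes/contact.php',
];

/**
 * Resolve a user-supplied page name to an include path, or null if it is
 * not one of the allowed pages.
 */
function resolve_page(string $page): ?string
{
    return ALLOWED_PAGES[$page] ?? null;
}

// Explicit superglobal access works the same whether register_globals is
// on or off, so the script does not depend on the host's php.ini setting.
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
$path = resolve_page($page);

if ($path === null) {
    // Unknown key: refuse rather than guess. Logging the rejected value
    // here is a cheap way to spot probing for this class of bug.
    http_response_code(404);
    echo 'Unknown page.';
    exit;
}

include $path;
```

Turning register_globals off with the php_flag line above is still worthwhile as a second layer, since it removes the implicit variables that older code might reference by accident.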
carbonize Posted March 20, 2005

Yup, I always use $_POST, $_GET etc. Had a problem with a certain previous host that Helpbytes has just had the sense to leave, when I was just learning PHP. I was using includes to display my site and someone showed me most of my secure files :|
OldTimer (Author) Posted March 20, 2005

Thanks guys. So much to learn and be safe at the same time. This PHP is all somewhat new to me.

Greg
borfast Posted March 21, 2005

carbonize, yes, register_globals is turned on on TCH's servers. Is it a bad thing? Yes and no. If you don't know how to write secure PHP code, you might end up doing exactly what I described above and get yourself into trouble. On the other hand, there are lots of scripts out there that use global variables like this and many TCH customers use them, so turning register_globals off would break those scripts, leaving many customers without an alternative.

Do I agree with this? As a programming and security geek, no, I don't. You want to write PHP scripts? Learn to do it the right way and use $_POST, $_GET, etc. On the other hand, from a web hosting point of view, yes, I agree. It is important to keep your customers' sites working, and suddenly breaking their sites is not a nice thing to do. In the end, since this is a hosting company and not my personal hosting playground, register_globals must be kept on to ensure that clients have their sites running smoothly.
carbonize Posted March 21, 2005

Most scripts these days, though, expect register_globals to be turned off and so code around it. Only older scripts may still use them, in which case I would, as a host, recommend updating them. As for home-written scripts, they should be politely educated in the art of making secure scripts.
Guest helpbytes Posted March 21, 2005

PHP by default is off now. For example, when I first wrote PHP, I relied on it being on; my webhost suddenly updated his servers, and he forgot to enable them, breaking all the websites. I wasn't suggesting TCH turn register_globals off, just that it can be customised in .htaccess on a per-user basis, if someone feels the need to be strict with themselves.