PHP Security: GET - include

Websites often have security flaws that are serious but simple to fix. This series covers such flaws; this installment is about GET - include problems.


In this tutorial we will talk about a very common security flaw.

I will explain how a GET -> include system is made. Think of a URL like index.php?page=links. The GET variable, in this case "page", contains the string "links". After reading this value, people write this kind of line into their page:

Code:

<?php

// vulnerable: the file name is taken straight from the URL
include $_GET['page'].'.php';

?>


Or something similar. In the end, they include the page without checking whether it exists or doing any other safety check.

Many people out there use this, even though it is very dangerous for your website. I have seen many websites that were hacked (or cracked, whatever you want to call it) because of this system.

Now you want to know why this is dangerous, right? It is dangerous because PHP can include pages from another server! So PHP could also include a page from, let's say, google.com. And if it finds PHP source there, it will execute it.

Don't think everybody can steal your PHP code; that's not true. PHP can only read code from another server when that code is visible to visitors. Take the following example.

PHP:


Open the source of this website, and you will notice that there is php code you can read.

So let's say I have a dangerous PHP script, and I know a website that can read my code. The following URL could read it: index.php?page=http://aserver.com/dangerous. (I didn't place .php behind it because, as you can see in the first PHP example, the script appends .php to the end.)

My script would then be run by that server, and you can imagine what that could do to a server, right?

The remedy!

There are quite a few things that can help eliminate this security flaw on your server. I will cover three of them.

First is "allow_url_fopen". This is a setting in your PHP configuration file. When it is on, PHP is able to read scripts from another server. When it is off, PHP can only read files from the server it is installed on. This is a nice remedy for the problem, but I do it a bit differently. What if you have a script that needs information from another server, and you need to include it? (It doesn't happen often, but still keep it in mind.)

Second on my list is "file_exists". You use it in combination with an "if" statement. It checks whether the file exists on the local server. It is not able to check whether files on another server exist. So this could be quite a good remedy! I will show you an example below:

Code:

<?php

// get the name of the file the user wants to read.
$file = $_GET['page'].'.php';

// check if the file exists.
if (file_exists($file)) {

    // it exists!
    include $file;

} else {

    echo 'This page doesn\'t exist. Please try again.<br>';

}

?>


This is already a far better solution in my opinion.

But this way people can open all the PHP documents in the folder. You may dislike this, so let's do it again a bit differently.

A very simple but also very effective way is to use an if statement. There is not much to discuss, so let's see an example:

Code:

<?php

// check if the page is links?
if ($_GET['page'] == 'links') {

    include 'links.php';

// check if the page is aboutMe?
} elseif ($_GET['page'] == 'aboutMe') {

    include 'aboutme.php';

// could not find any of the pages?
} else {

    echo 'This page doesn\'t exist. Please try again.<br>';

}

?>


This may not be the prettiest way to solve the problem. But it is very effective, and everyone with basic knowledge of PHP understands it.
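
The if/elseif chain above, generalised into an allow-list lookup, as an added example that is not part of the original tutorial. The included file name always comes from the list, never from the URL, and a listed file that is missing is refused as well. The function name resolvePage(), the PAGES list and the temporary pages directory are assumptions made for illustration.

```php
<?php
// Added example, not from the original tutorial. The page names, the
// pages directory and resolvePage() are assumptions for illustration.

// Allow-list: request key => file name inside the pages directory.
const PAGES = [
    'links'   => 'links.php',
    'aboutMe' => 'aboutme.php',
];

// Return the absolute path to include for $requested, or null to refuse.
function resolvePage($requested, string $baseDir): ?string
{
    // ?page[]=x arrives as an array; only plain strings are valid keys.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // The path is built from the allow-list value, never from user input.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // realpath() is false for a missing file; the prefix check refuses a
    // listed file that resolves (e.g. via symlink) outside the directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Self-check on constructed input: a temporary directory with one page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'links.php', "<?php echo 'links';\n");

// Constructed requests: valid, listed but missing, remote URL, array.
$samples = ['links', 'aboutMe', 'http://aserver.com/dangerous', ['links']];
foreach ($samples as $sample) {
    $path = resolvePage($sample, $dir);
    $verdict = $path === null ? 'refused' : 'include ' . basename($path);
    printf("%-34s => %s\n", json_encode($sample, JSON_UNESCAPED_SLASHES), $verdict);
}

unlink($dir . DIRECTORY_SEPARATOR . 'links.php');
rmdir($dir);
```

In a real page, pass $_GET['page'] (or null when it is not set) and the directory that holds the page files to resolvePage(), and include the result only when it is not null.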
 By Jim on 31-12-2006

Monthly I will write a tutorial about such security flaws.

People seriously underestimate the damage this simple flaw could do. Even more experienced PHP writers sometimes don't know about this!

For example, I know a boy over the internet who's writing his own Open Source forum software. He often asks me to help him solve a problem. But his thinking is very good, and his code really is starting to look quite professional.

Even though, he asked me 4 days ago about adding slashes before inserting a string that's written by a forum user that could register and write what he wants. After 9 months of coding, he finally learned about a serious security flaw called SQL Injection.

And I have many more examples, but they will come later. :)




 By BlackIce on 08-01-2007

Nice tutorial :D Although switch .. case would be more appropriate here ;)
And about the site itself, I don't really get the font. It has serifs, and that doesn't really stroke with the rest of the design, which is clean and slick.




 By Jim on 09-01-2007

The general idea was explaining how dangerous such actions can be, and how to solve them. And if/ifelse/else is better known with PHP beginners, so I chose that one.

About the font, thanks for the tip. I actually do like this font the way it is, but I will try to use some other fonts, and maybe I will find a nicer one. :)




 By morgar on 28-01-2007

Hi. Sorry about my English.
My site was hacked in that way and I am trying to fix it now.
I just read that an easy solution is to use:

<?php
// prefix the requested page name with the current directory
include './'.$_GET['page'].'.php';
?>

What do you think?
Thanks in advance.




 By Jim on 29-01-2007

Well, it will work. But I still advise you to use another type of security with this.

It will be a lot more safe. But like this it would still be able to include every file in the folder (or lower), which could be dangerous. Maybe not in your site, but you should always keep it in mind. For other websites may not allow some people to load some files. (first need http auth)

It will be good practice to learn it in a 100% good way. :)

Good luck.




 By tomdevries on 27-04-2007

I'm using a similar system to check if the page which is trying to be visited is allowed. Maybe it can be of use to someone else. Using an array with the values (allowed pages) makes it a little more abstract, and easier to code, especially when you're checking on a lot of pages.
Usually I define the array in my settings.php, and include it into the page on which it's supposed to be used.

<?php

$allowedPages = array('home', 'links', 'about');
$page = isset($_GET['page']) ? $_GET['page'] : '';
$found = false;

// walk the list of allowed pages and include the page on an exact match
for ($i = 0; $i < sizeof($allowedPages); $i++) {
    if ($page === $allowedPages[$i]) {
        include $allowedPages[$i] . '.php';
        $found = true;
        break;
    }
}

// no match in the list: show the error once instead of once per entry
if (!$found) {
    echo "Page not found or allowed.";
}
?>

Just my 2 cents ;)




 By Jim on 29-04-2007

Also a nice way of handling it! But, I would use the in_array() function when thinking of an array with the allowed pages. That should also work very nice, and costs less code. :)




©Copyrights Combined Minds. All rights reserved 2006 - 2009 : Disclaimer