Is this php include safe?

by LK
8 replies
Right now I'm trying to build a bunch of sites for my adsense project, but it's been a while since the last time I made a website, and I've gotten a bit rusty.
I'll be using php includes for the header and footer.
This is the piece of code I used to use, however I'm not sure if it's outdated and therefore poses a safety hazard, or if it's fine and I can go right ahead and use it.

So if one of you clever people out there could take a look and tell me how the following piece of code looks, I'd be very thankful.☆〜


PHP Code:
<?php
include('header.php');
if(!$_SERVER['QUERY_STRING']) { ?>
The header and footer code is the same except for where it says 'header.php' (which for the footer would be 'footer.php', obviously).
  • lisag
    I don't see a problem with it. What type of security concern did you have?
    What I do see a problem with is referencing $_SERVER['QUERY_STRING'] without sanitizing it first.
  • martinkeens
    Looks fine to me, although I usually opt for include_once instead of include.
  • LK
    Originally Posted by lisag

    I don't see a problem with it. What type of security concern did you have?
    What I do see a problem with is referencing $_SERVER['QUERY_STRING'] without sanitizing it first.
    I'm not sure what exactly I was worried about. I read about some websites getting hacked because of some security breach in the php code, so I figured I'd be better safe than sorry. =)

    Originally Posted by martinkeens

    Looks fine to me, although I usually opt for include_once instead of include.
    If I want to use include_once instead of include, I just add _once to the include already there, right? No need to add more code anywhere else?
    • wayfarer
      Originally Posted by LK

      If I want to use include_once instead of include, I just add _once to the include already there, right? No need to add more code anywhere else?
      This doesn't actually make any difference to the function, and has nothing to do with security, but will throw an error if you try to do it again (include the same content twice).

      You could also use require or require_once, which will throw a fatal error if the content does not exist, or in the latter case, if you attempt to require it twice.

      Whether you use include, include_once, require, or require_once just depends on how strict you are being with yourself and your potential to make coding errors. It is also a way of reminding yourself of the nature of the content being included.

      And yes, the syntax is exactly the same as for "include".
  • mojojuju
    Originally Posted by LK

    So if one of you clever people out there could take a look and tell me how the following piece of code looks, I'd be very thankful.☆〜

    There's something else you might want to be aware of.

    A couple of questions:

    What are the contents of the file 'header.php'? And, would you want to give anybody in the world the possibility to see the contents of 'header.php'?

    As a weird example, let's say 'header.php' includes the lines:

    =============
    $link = mysql_connect('localhost', 'mysql_user', 'mysql_password');

    $passwords = '../data/passwords.txt';
    =============

    Whatever is in 'header.php', it will never be seen in most cases. But what happens if there is a problem with the PHP module for your webserver and php files are not executed by the php interpreter?

    What often can happen is that the PHP files would be sent directly to the browser as plain text, and anybody could see that you have an include for the file 'header.php'. Then, since your server is having trouble and displaying files as plain text instead of executing them, a person could go ahead and direct their browser to 'header.php' and read that file's contents, getting whatever information you don't want them to get.

    This doesn't often happen, but under heavy load, or due to other problems, it does. You may have gone to a site before and seen, not the output you expected, but the raw PHP code that runs the site.

    For this reason, it may be good to give include files in your scripts the .inc extension and not the .php extension, and then to use .htaccess (if you're using Apache) to tell apache not to let anybody see the .inc files under any circumstances.

    You would do it like this:

    Rename header.php to header.inc

    Change the relevant include statement from:

    include('header.php');

    to

    include('header.inc');

    Then finally, put something in an .htaccess file that would return a 403 error if anybody tries to access the 'header.inc' file (or any .inc file for that matter).

    <Files ~ "\.inc$">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>
    • LK
      Originally Posted by mojojuju

      There's something else you might want to be aware of.

      A couple of questions:

      What are the contents of the file 'header.php'? And, would you want to give anybody in the world the possibility to see the contents of 'header.php'?................
      This is exactly what I was worried about, and why I asked if the php was safe. I don't know enough PHP to exactly pinpoint the problem I was concerned about, but this was exactly it.

      Turns out I don't need to be worried this time around.
      The content of my PHP files is just plain old HTML - nothing I mind the world seeing.

      Thanks for the thorough explanation. I'm gonna save it to a text file so, if I ever add more to my php files than just html, I'll know what to do =)
  • saschakimmel
    Just be careful to only rename the files to *.inc if the .htaccess rule is active, otherwise it's even more unsafe than before!
    I personally never rename *.php files because my whole websites are in PHP, so if PHP is not working I have far greater problems than that.
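The rename only helps once the deny rule is actually enforced, so here is an added shell check (example code, not from any poster in this thread) that fetches a path on your own site and reports whether the server blocked it, executed it, or served raw PHP source. It assumes curl is installed; the SITE variable and the classify/probe names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that an include file is not
# readable through the web server before relying on the .inc rename and the
# .htaccess rule. SITE is a placeholder for your own site's base URL.
SITE="${SITE:-http://localhost}"

# classify STATUS BODY: decide what the server did with the request.
#   blocked     - 403/404, the rule (or a missing file) kept it out of reach
#   exposed     - a PHP open tag came back, i.e. raw source was served
#   executed    - no PHP tags in the body, the interpreter ran the file
#   unreachable - curl could not connect (status 000)
# Returns 1 for the two outcomes that need attention.
classify() {
    status="$1"
    body="$2"
    case "$status" in
        403|404) echo blocked; return 0 ;;
        000)     echo unreachable; return 1 ;;
    esac
    case "$body" in
        *'<?php'*|*'<?='*) echo exposed; return 1 ;;
    esac
    echo executed
    return 0
}

# probe PATH: fetch one URL, print a verdict line, return classify's status.
probe() {
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$SITE$1")
    body=$(cat "$tmp")
    rm -f "$tmp"
    verdict=$(classify "$status" "$body")
    rc=$?
    echo "$1 -> HTTP $status: $verdict"
    return $rc
}

# Probe only the paths given on the command line, e.g.
#   SITE=http://example.invalid sh check_includes.sh /header.inc /header.php
for path in "$@"; do
    probe "$path" || echo "WARNING: $path needs attention"
done
```

On Apache 2.4 the Order/Deny directives in the rule above only work with mod_access_compat loaded; the native 2.4 form inside the same `<Files>` block is `Require all denied`.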
    • LK
      Originally Posted by saschakimmel

      Just be careful to only rename the files to *.inc if the .htaccess rule is active, otherwise it's even more unsafe than before!
      I personally never rename *.php files because my whole websites are in PHP, so if PHP is not working I have far greater problems than that.
      Hahaha ya you're right.
      I'm gonna go with just .php for now, and then if I ever need to include sensitive information in the header file, I'll take it from there.