Include() Via URL And Security


I have written a web-based application that uses header and footer files to provide a co-branded look for customers.

Every page is like this example:

include customer's header
print generated content
include customer's footer

Here is the problem. I want to let users keep the header and footer files on their webservers so they can edit them and not have to bother me when they make changes.

How do I ensure that they are not going to pass me a file that contains malicious code?

For example, if the header file is like this, bad things would happen:

<html>
<body>
Stuff
<?
exec (cat /etc/passwd)
?>
</html>

I want to escape all php code that is in the include file because the include should only have html in it.

Should I use fopen and find/replace the PHP code?

The two important considerations for the solution are speed and security.

The header and footer are included on every page and I do not want something that is going to slow down the process very much. Currently pages load very quickly using a regular include via URL.




View Complete Forum Thread with Replies
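One way to get both speed and safety for the setup described in this thread is to never include() the customer's file at all: fetch it as text, strip anything a PHP parser would run, cache it on disk, and echo it. Echoed text is never executed by PHP, and the cache keeps the network off the hot path. This is an added example, not code from the original post; the function names, the cache directory, the TTL and the customer URLs are assumptions, and on the php.ini side allow_url_include should stay Off.

```php
<?php
// Added example: serve a customer's remote header/footer as inert text instead of
// include()ing it. fetch_branding_fragment(), strip_server_side_code(), the cache
// directory and the customer URLs are assumed names for illustration.

define('BRANDING_CACHE_DIR', '/var/cache/myapp/branding'); // assumed path, outside docroot
define('BRANDING_CACHE_TTL', 600);                          // seconds before a refetch

// Return the customer's fragment as plain text. Because it is echoed rather than
// included, PHP never parses it, so "<? exec(...) ?>" inside it cannot run here.
// The tags are stripped as well so they do not leak into the rendered page.
// The browser side still trusts the customer's HTML: that is the co-branding deal.
function fetch_branding_fragment($url, $cache_dir = BRANDING_CACHE_DIR, $ttl = BRANDING_CACHE_TTL)
{
    // Only plain http/https URLs with a host; refuses php://, file://, data: and friends.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return '';
    }

    $cache_file = rtrim($cache_dir, '/') . '/' . sha1($url) . '.html';
    if (is_file($cache_file) && (time() - filemtime($cache_file)) < $ttl) {
        return file_get_contents($cache_file);   // fast path: no network on every page
    }

    // Bounded fetch so a slow customer server cannot stall every page load.
    $ctx  = stream_context_create(array('http' => array('timeout' => 3, 'method' => 'GET')));
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        // Fetch failed: fall back to the stale cache if there is one, else show nothing.
        return is_file($cache_file) ? file_get_contents($cache_file) : '';
    }

    $clean = strip_server_side_code($body);

    if (!is_dir($cache_dir)) {
        mkdir($cache_dir, 0700, true);
    }
    file_put_contents($cache_file, $clean, LOCK_EX);
    return $clean;
}

// Remove everything a PHP parser would execute: <?php ... ?>, short tags <? ... ?>,
// <?= ... ?> and <script language="php">. An unterminated block runs to the end of
// the string (the same rule PHP applies), so it is removed to the end as well.
function strip_server_side_code($html)
{
    $patterns = array(
        '/<\?(?:php|=)?[\s\S]*?(?:\?>|$)/i',                                    // <?php, <?=, <?
        '/<script[^>]*language\s*=\s*["\']?php["\']?[^>]*>[\s\S]*?<\/script>/i',  // <script language=php>
    );
    return preg_replace($patterns, '', $html);
}

// Usage in a page: echo, never include, the customer's fragment (assumed URLs).
echo fetch_branding_fragment('https://customer.example/header.html');
echo '<p>generated content</p>';
echo fetch_branding_fragment('https://customer.example/footer.html');
```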

Related Forum Messages:
Include Security
I noticed that any user working with PHP can include any file, regardless of what account it's under. Is this a security risk? If so, how can I fix it?

Example: Two accounts: account1, account2

account1 has a php script on:
/home/account1/public_html/script.php

that is able to include a file such as
include("/home/account2/public_html/random.php");
with success.

View Replies !
Security Question Regarding The Use Of Include.
I am trying to figure out what the danger is of allowing users of my content management system to enter a link to their own HTML pages and me including them using: PHP Code:

View Replies !
Include($file); A Little Question For Security
If I used include($file); in my script but the value of $file is only given via the URL, such as blabla.com?file=steve.php

Now wouldn't this be a "nono"? Since all I would have to do is "blabla.com?file=./whatever" to get some files that shouldn't be viewable?

I was thinking about defining my variables within the script to prevent this sort of thing, which would be a little work, or having the script read files from only a certain directory, so when you try to hack my page it won't work! What I mean is "blabla.com?file=steve.php" equals "okay" but "blabla.com?file=./././whatever" equals "error"?

View Replies !
Include Security - What Works, What Doesn't?
Comment on the following methods of preventing cross-site scripting and/or other nastiness:

1:
$pages = array('home','contact','about','links' );
// could also build this array with readdir('MySafeDir') ??
if( in_array($_GET['page'], $pages) )
{ include $_GET['page'].".php";}
else {die("Nice Try."); }

2:
include "my_prefix_".$_GET['page'].".php";

3:
include "my_safe_dir/".$_GET['page'].".php";

4:
include_path=".:/myIncludes";
include $_GET['page'].".php";

View Replies !
Include Header Browser Security Warning
I've included a header file through require_once().

The include file calls external img images from external domains (through a regular http://)

The issue is that, the page that uses the header file throws up a security warning when accessed through a httpS url.

This is the warning in IE:
"This page contains both secure and nonsecure items.

Do you want to display the nonsecure items?"

Is there any possible way to get the script to stop displaying this warning when accessed through httpS?

View Replies !
Is It A Security Risk To Have My Include Files In An Unprotected (www Or Public) Directory?
I was just wondering ...

I use the following a lot:

include_once("connectToDB.php");
include_once("some_functions.php");
include_once("HTML_snippets.php");

etc...

Can I do this:

include_once("http://www.someotherurl.com/HTML_snippets.php");

and if so, is it a security risk to have my include files in an unprotected (www or public) directory?

What is the usual setup in terms of access privileges?

View Replies !
Security Issues :: $_GET Data Unchecked In An Include Statement
I recently discovered a security hole on my server where one of my clients was using $_GET data unchecked in an include statement. Now I know this is incredibly bad programming technique but I have quite a few sites on this server. Rather than trawling through all my clients code, is there a configuration setting that affects includes and basically disallows any script from including files from outside the server? Does safe_mode do this?

View Replies !
Fatal Error: Main() [function.main]: Security Alert: Include Filename Is An URL In Unknown On Line 0
I just installed CRELoaded (oscommerce fork) on my server and all works fine except that I have a little message at the bottom of the main page:

Fatal error: main() [function.main]: Security alert: Include filename
is an URL in Unknown on line 0

I did some research and all I have found is to be sure these values are set in the php.ini file:

safe_mode = Off
allow_url_fopen = On

I'm running on:

Apache2

php -ver
PHP 4.4.0-4 (cli) (built: Oct 20 2005 16:42:12)

How may I correct this bug?

View Replies !
PHP Security - Some Common Security Pitfalls That Are Inherent In The Language?
I'm working on developing an application in PHP4/MySQL and I've got very little experience with either. Most of my work is in ASP/Access and compiled programs. The app that I'm developing doesn't need to be perfectly secure, but I want to avoid common pitfalls, and I have no idea where to start.

From your experience, what are some common security pitfalls that are inherent in the language? I shouldn't have any trouble with program logic being an issue, just stuff that may be PHP specific. (Like the User being able to put anything that they'd like in the QueryString and having that show up as a variable in the script).

View Replies !
How Would Php Security Compare To Java Security?
I just want to know how PHP security would compare to Java security. It's because my officemate and I are developing a site which would handle confidential documents and we just can't decide on whether we should use PHP or Java. Please do post your opinions regarding this, and it would be even better if you could also post links to write-ups about PHP security.

View Replies !
Security - What Security Dangers Should I Be Aware Of?
I am quite new to PHP but I have managed to write a simple page create script. So far the script does not have any user input. It does open/write files and it also accesses my MySQL database. No variables are passed from script to script either.

My question is, what security dangers should I be aware of? My other question is, can you download a php file and view the contents?

View Replies !
Search Script - Warning: Include(usr/local/lib/php/index.php) [function.include]: Failed To Open Stream:
A while ago I installed a script. It all worked just fine until my host upgraded the servers. Since that moment I have an error message when I try to do a search.
This is the error:

Warning: include(usr/local/lib/php/index.php) [function.include]: failed to open stream: No such file or directory in /var/www/g28894/planthunteronline.com/HTML/directory/links.php on line 13

Warning: include() [function.include]: Failed opening 'usr/local/lib/php/index.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/g28894/planthunteronline.com/HTML/directory/links.php on line 13

Below I have added the part of the script that may cause the problem (the complete script is too large to post). Please keep in mind that I am not a PHP programmer and I don't understand anything about it. I am just looking for a part of code that can solve the problem. Code:

View Replies !
Include(menu.inc) [function.include]: Failed To Open Stream:
I have been working on a website for a few days, and after uploading it to a temporary host (because I hadn't had any errors testing it by myself) I got this error: Warning: include(menu.inc) [function.include]: failed to open stream: Too many open files in /home/zendurl/public_html/d/diagrams/Search3.php on line 28.

View Replies !
Include Or Virtual Include: Neither Work For Subfolders
My include files are all in my /ssi directory. I have many subfolders that call those include files. Let's say I have a file like this:

/news/world/asia/thailand/index.php

In order to (relatively) call a file in the /ssi directory I have to use the following code:

<?php
include ("../../../../ssi/html-lang.htm");
?>

This is ridiculous. Every time I make a new subfolder I don't want to have to add "../" to it. I heard about "virtual" includes but I'm not sure the syntax I'm using is correct (all I do is put 'virtual' after 'include'). Is there something I'm missing? Do I have to change the .htaccess file? Help me please, I'm going crazy. I don't want to resort to absolute referencing...

View Replies !
Can I Use Include() To Include A Webpage In An Email Message ?
Can I use include() to include a webpage in an email message? Is the below correct?
"email-manual.php" will contain graphics with code [form confirmation fields] like:

$Country = $_POST['Country'];
echo "Country=" . $Country;

Code:

View Replies !
Include (Change Include File Within The Page)
I am working on a website that requires the use of include files. I have the include HTML files ready and can properly show them in the page, but I am looking for a way to have a menu on the page where the user can choose which file he would like to read.

I don't want to have multiple pages; I would like to just have the actual PHP include code change when the user picks the file he would like to read. Anyone know of a way to do this?

View Replies !
Use The Include Statement And Include A File
When I use the include statement and include a file, it prints on the web page; these are functions that I call deeper into my web page. There must be a setting that is causing the functions to be displayed on the web page?

View Replies !
Using Include() To Include A Remote Function
This is an issue that's been bothering me for a while. When I use include() or require() to include a page that contains a function, the function will not operate.

However, if I take that function and put it directly into the page, it works.

This seems to hold true for any function that I attempt to insert/define using include(), even when I make sure that all required variables are defined on the page beforehand.

Does anyone know why this would happen or how to work around it?

View Replies !
Include One Big Include File With All Functions
What is better, to include one big include file with all functions in it or
is it better to include several include files with each function in a
separate include file?

View Replies !
Include A Scalar In My Include Argument?
I set a pretty global variable ($base) that defines the site root. Very useful with my includes. My only problem is using this URL prefix in include() arguments. Example:

<?php
$base = '/mybaseurl/';
include($base . 'includes/header.php');
?>

I've tried smushing $base in there in many different ways, and I ALWAYS get errors. How can I fit $base into this sort of statement?

View Replies !
Error Says Can't See Include File, Yet Executes Some Code On Include File
I am using an include_once() command to include a file that sits a
level above the file view.php. when the code is run, I have an error
as follows:

Warning: include_once(../common.php) [function.include-once]: failed to open stream: No such file or directory in C:\Program Files...view.php on line 2

Warning: include_once() [function.include]: Failed opening '../common.php' for inclusion (include_path='.;C:\Program Files\xampp\php\pear') in C:\Program Files...view.php on line 2

The include command is simply: include_once("../common.php") - the '../' before the 'common.php' to indicate a level above the current file level. Is this right? I could not find a resource to confirm this.

The strange thing is that while the error seems to imply that the
calling file, view.php cannot 'see' the common.php file, other
functions called from the 'common.php' file executes correctly and on
the same calling file/page (view.php).

Appears to be a double take - quite confusing -

View Replies !
How Does The "./" Part Of The Include Affect The Ability To Include?
I'm working with a script written by someone else, in which all of their includes are written as: include("./file.php");

I'm currently trying to include these files into other files, and am getting "failed to open required file" errors. I do NOT want to go through and modify all these files to remove the "./" part of the includes (which I understand means the current root directory, yes?).

I've tried setting the include path using set_include_path, but it's still saying it can't find the files. If I'm setting the full directory path with set_include_path, how does the "./" part of the include affect the ability to include? Any help or suggestions?

View Replies !
From SSI Include To PHP3 Include
I'm trying to convert my pages to PHP and have a problem: how do I change from SSI include (.shtml) to PHP include (.php3) so that I can still have the last line in my script
(?start=11&end=15 after the .php3)?

I have tried this: <?php include ("ssi-top10-15.shtml?start=11&end=15") ?>

and it didn't work; I used to have it like this:

<!--#include virtual="ssi-top15-25.shtml?start=16&end=30" -->

This works, but it leaves out the script part: <?php include ("ssi-top10-15.shtml") ?>

View Replies !
Include Data In An 'include'
I am storing a path to a counter file in my DB. In my current 'footer.php' file I have an include tag that tells where the counter.php file is:

<?php include_once("/home/.sites/123/site19/web/siteStats/counter.php");?>

This hard-coded detail works perfectly.

Now I am storing this counter.php server path in the site DB and I need to pull this data into the include_once to be the path detail above.

This tag shows the raw data on the footer:
<?php $db->sp("counter_path")?>

How do I get this "counter_path" data into the 'include' tag?

View Replies !
Can't Include 'http...foo.php', But Can Include 'http...foo.txt'
This seems weird, but when I use the following code,

include 'http://www.foo.com/includes.php';

includedfunction();

I am told that it is a call to an undefined function, but
'includedfunction' is on the server.

The following includes work fine, and run the called function with no trouble:

include 'http://www.foo.com/includes.phtml';
include 'http://www.foo.com/includes.txt';

All three (include.php, .phtml & .txt) are on the server and are exactly identical. I am running PHP version 4.1.1.

View Replies !
PHP And Security??
I am very new with PHP and web content in general, and my concern is with my novice ability leaving huge security holes for any joker to have their way with.

Here is my current thought.

If I have a PHP script in a public html folder named index.php3, how secure is this, if at all?

Say I have a line like:
MySql_pconnect("host","account","password");

How easy is it for people to get the host, account and password?

View Replies !
Security
For security reasons I want to know more about (1)where session store its info and (2)what "single sign on" is. Does anybody know any articles about these subjects, or does anyone know the answers to these 2 questions?

View Replies !
PDF Security
This is where the security problem is POSTED

Is there anything we could do server side?

In the meanwhile I am turning off on each client's domain the user PDF uploading capability (where it is allowed) and restrict to the domain admin side that capability.

View Replies !
Security In Php
I'm doing OK for a newbie in PHP, but I just have a few questions as far as security goes. I am actually a Java programmer, so from my experience with an object-oriented language I would like to use encapsulation and other methods used in Java with PHP. For example, I would like to make a PHP page that handles my database connection and has a whole lot of functions that I can call as I need them instead of re-coding the connection each time. I know that I can use 'require('****.php')' and 'include('xxx.php')' to get access to the code in xxx.php, but can I extend and override the functions in xxx.php, and is it safe to connect to a database in this way?

I also wanted to know if it is more secure to put a PHP script in the same web page or to make a page that contains the script and another HTML page that uses a form to go to the PHP page? And finally I just want to know if anyone knows of any good reading material on the topic of integrating Java with PHP (except the PHP manual) ....

View Replies !
PHP Security
I am fairly new to the php scene but have managed to learn quite a bit from you folks and other resources on the web. I have developed a few scripts that actually work. LOL.

I ran across a post on here mentioning Chris Shiflett and took a trip over to his site. He has some intriguing articles on the security of php scripts. However, he doesn't get into much detail as it would seem he writes for a more advanced crowd.

Anyway, what I am looking for now is more information on securing these scripts. Know a good book? Maybe a good website? By all means, let me know!

View Replies !
WS-Security
I am currently using NuSOAP to create a web service, but I'd like to use WS-Security. AFAIK, NuSOAP doesn't support this. Is there anything else for PHP I can use that does implement WS-Security?

View Replies !
Security: SSL And Other
I got a few questions here:

a) With sessions, is it worth the code hassle to hash the session file before any writing or reading is done, to check that the data is valid?

b) Does anyone know any basic introductions to SSL? I want to use it as it's most effective against session hijacking and other attacks.

View Replies !
PDF Security?
I have a portal secured through PHP scripts. I want to have a PDF document online. Is there a way to secure a PDF document through PHP? If not, how else would I do that?

View Replies !
.inc Security
I'm trying to start learning PHP security and recently read this:

Don't store includes under document root.
The only resources you should store under document root are
those that must be accessible via URL.
Making anything else available to the public is an unnecessary
risk.

If you must:

<Files ~ ".inc$">
Order allow,deny
Deny from all
</Files>

If I can't install .inc files under my root, why would a related directory be any more secure? Couldn't the user, if they knew enough to search the .inc path to begin with, follow the second .inc path? Sorry if this is obvious and I'm missing the obvious.

View Replies !
Ip Security
What I am trying to do is, when you go to vote, check your IP based upon a subid and compare that to the remote address to prevent double votes. Here is the coding. PHP Code:

/* BEGIN ANTI CHEATING VERIFICATION PROTOCOL */
// $subid comes from user input: escape it before it goes into the query
$sql = "SELECT * FROM voted WHERE subid = '" . mysql_real_escape_string($subid) . "'";
$r = mysql_query($sql) or die('Error, query failed');
$arr = mysql_fetch_array($r);
$ip = $arr['ip_address'];

// Compare with ==; a single = assigns $REMOTE_ADDR to $ip and the test is always true
if ($ip == $REMOTE_ADDR) {
    echo "<p align=center class=contest_small>SORRY YOU HAVE ALREADY VOTED";
    exit;
}
/* END ANTI CHEATING PROTOCOL */

View Replies !
CSS, PHP And Security
I am thinking about opening a web site which will allow people to register and then have direct access to a stylesheet in order to brand their page. When a user saves their stylesheet, the system will reject it if it includes any of the '<', '>' or '?' characters. I know this restricts some CSS, but that's fine for my purposes. Is there anything else I should check for? How vulnerable does having this option leave me?

View Replies !
CMS Security
I'm here still learning about PHP and MySQL, from a lot of different sources right now. One of my goals is to get the simplest type of CMS up and running; if I really needed one I would probably use something like Wordpress, but I'm just interested in learning how they function.

I have some basics down... Looking into regular expressions at the moment. But I was wondering if anyone here had some good links they could share, regarding how to implement techniques for preventing security issues and such. At the moment I only know of query injection, but I've heard of other things like session stealing and some others I cannot remember.

View Replies !
Security
I don't know if this is the right forum, but I was wondering: if you store your MySQL database connection details in a PHP file that you then include() on each page, is that a secure way to go about it? I thought about this because if someone knows your filename they could just type it in to get your username and password. Would changing the permissions on this file work, or is there a generally much more secure way to do this sort of thing?

View Replies !
Md5() And Security
I have created a form with the help from Houdini and I need some assistance with security. In the application customers will be inputting SSN#'s and checking account#'s. I want this information to be secure when it's submitted. The form will be processed to an email address. How would I set up this security to work with my form?

View Replies !
Security Measures!!!
Can I use session_is_registered() to track if the user has already logged in before using any pages on my web? Or is there a much easier and more efficient way?

View Replies !
A Book On PHP And Security
Are there any books out there on PHP and Security issues?

View Replies !
Where Can I Find Something About Security?
Do you know where I can find something about security? I mean encryption and all that. Can I do it with PHP?

View Replies !
Script Security
Is it more safe to keep code scripts outside of root and have them included in scripts inside of root?

View Replies !
What Are The Different Security Methods In PHP
What are the different USER security methods which we can follow, and how do we manage them? It will be helpful for all of us.

What I know is to manage the session id and to manage the user security along with it only.

What would you suggest to have user-managed security?
I ask all of you to share your views on different methods.

View Replies !
Security Issues With PHP SSI
I was wondering if there are any security issues I should know about with using PHP Server Side Includes.

View Replies !
PHP Website Security
We have developed an ads network script for running an ads network site. Can someone please guide us on security features that we must implement to prevent hacking and exploits...?

We have looked into major security problems commonly known, like image upload checks, but I would like to know more on other security checks that are generally overlooked.

View Replies !
Is This A Security Issue
While trying to sign on at a website, I got the following PHP code
back. I suppose that their apache was mistakenly returning php text
instead of executing it....

View Replies !
Security Question
If I have a file in the public html directory (e.g. mypage.php) then can
anyone read this file (i.e. read its actual content rather then the
interpreted contents it returns when someone opens
www.myurl.com/mypage.php)?

View Replies !
Security Through Obscurity
I've got some security through obscurity questions - not directly related to
PHP programming per se, but indirectly related, as most php programmers are
also server admins of their servers.

I want to restrict what my box reports back to the likes of scanners like
Nmap & Nessus.

I know how to get PHP to not report its version number, and the same with
Apache.

My question is:

a) how do I prevent MySQL from reporting its version number?

b) My Apache now reports itself as just "Apache" - can I fake that, and just get it to report as, say, "MyWebServer"?

c) Is it possible to get MySQL to report back as say "Oracle"?

d) What about PHP - can I fake the reporting of it to say "Tomcat version 2"
or something?

View Replies !
Security About POST!
I need to check and make sure users don't "hack" my POST values, but I'm not really sure if I need to check these POST values.

The values are coming from a registration form, and are the following... I will obviously check the database for existing users or existing email addresses, but other than that, this code can't really be used to hack me, can it? PHP Code:

View Replies !
Security Advice On My Cms
I am using the following code to make a module-system CMS.
Code:
//index.php
require_once("mainfile.php");
global $site_path;

if (!isset($_GET["file"])) {
    $file = "index";
} else {
    $file = $_GET["file"];
}
if (!isset($_GET["mod"])) {
    $mod = "home";
} else {
    $mod = $_GET["mod"];
}

// In a regex "." matches any character, so the pattern ".." matched any
// two-character string; "\\.\\." matches a literal ".." as intended
if (ereg("\\.\\.", $mod) || ereg("\\.\\.", $file)) {
    echo "Bad boy";
    exit();
}
$file = "$site_path/modules/$mod/$file.php";
if (file_exists("$file")) {
    include($file);
} else {
    die("sorry, File does not exist");
}

You can see that I am using this concept:
http://www.mysite.com/index.php?mod=$modulename&file=$modulefilename

I just want to know if there is any security hole in the code. How do I stop direct access to a file without my main index.php file? Let's say I have a module called "member" and inside I have index.php, myprofile.php etc... and I want to stop direct access to these files (i.e. http://www.mysite.com/member/index.php).

Only this way, http://www.mysite.com/index.php?mod=member&file=index, is allowed in this case.

View Replies !
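Both the four methods in "Include Security - What Works, What Doesn't?" above and the module loader in this post reduce to the same question: which files may a query-string value ever select? Method 1 (a fixed allowlist) is the only one of the four that answers it without string concatenation; prefixes, subdirectories and include_path all still splice user input into a filesystem path. The dispatcher below is an added example written for both posts, not code from either poster: it allowlists the characters of each component, then proves with realpath() that the resolved file sits under a fixed module directory. MODULE_ROOT, IN_SITE, load_module() and the directory layout are assumptions.

```php
<?php
// Added example for the two posts above: a page/module dispatcher that only ever
// include()s files it can prove live under a fixed directory. MODULE_ROOT, IN_SITE,
// load_module() and the modules/<mod>/<file>.php layout are assumed for illustration.

define('IN_SITE', true);                        // marker that module files check for
define('MODULE_ROOT', '/var/www/site/modules'); // assumed path, kept outside the docroot

// Validate one path component from the query string. A strict allowlist of
// characters rules out "..", "/", null bytes, URL schemes and suffix tricks in
// one step; there is nothing left to filter or "escape".
function valid_component($name)
{
    return is_string($name) && preg_match('/^[a-z0-9_]{1,32}$/', $name) === 1;
}

// Resolve the requested file and prove it lives under $root. Returns the real
// path on success or null when the request must be rejected.
function resolve_module_file($mod, $file, $root = MODULE_ROOT)
{
    if (!valid_component($mod) || !valid_component($file)) {
        return null;
    }
    $real = realpath($root . '/' . $mod . '/' . $file . '.php');
    $base = realpath($root);
    // realpath() returns false for a missing file and collapses symlinks, so the
    // prefix check also catches a module directory that links somewhere else.
    if ($real === false || $base === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

function load_module($mod, $file)
{
    $path = resolve_module_file($mod, $file);
    if ($path === null) {
        header('HTTP/1.0 404 Not Found');
        exit('Unknown page');        // never echo the rejected value back
    }
    include $path;
}

$mod  = isset($_GET['mod'])  ? $_GET['mod']  : 'home';
$file = isset($_GET['file']) ? $_GET['file'] : 'index';
load_module($mod, $file);

// For the second question in the post (direct requests to modules/member/index.php):
// put this line at the top of every module file. IN_SITE is only defined by index.php,
// so a direct request gets nothing. If MODULE_ROOT is outside the document root, as
// assumed above, the web server cannot serve those files directly at all.
//
//     if (!defined('IN_SITE')) { exit; }
```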
Security Issues?
I'm new to PHP but have read enough to know to ask the experts before implementing anything. I want to allow non-registered visitors to submit data via a form. That data would not be immediately viewable on the website (I would review and edit before adding the data to the rotation). The visitor would get a 'thank you' page upon submission (no posted data displayed back to them). Is there any danger to my database in allowing just text to be inserted? In other words, are there malicious things that malicious people could do with a text form? I'm not allowing image or file uploads or anything else.

View Replies !

Copyright © 2005-08 www.BigResource.com, All rights reserved