Merlin wrote:
> I am wondering if I am opening a potential security risk by including files on remote servers.

Yes.

> I am doing an include ('http:/www.server.com/file.html') inside a php script of mine to separate content from function. Content is produced by a friend of mine and I do not want to grant access to my server to him.

You already are. You're basically instructing PHP to evaluate file.html as PHP code, so your friend can execute any PHP code on your server.

If you only want to display file.html, use readfile(). This reduces your risk from remote code injection to cross-site scripting (XSS).

> If I include <? phpinfo(); ?> in his file, I do get the PHP info, and I believe it is the phpinfo of my server.

If he's executing phpinfo() on his server, it's going to describe his server. If he's outputting:

<?php phpinfo(); ?>

Then you're going to execute that when you include it.

> That lets me believe that he could now write any PHP code which would be executed on my server. Is that right? And if yes, what can I do against it?

Use readfile(), but remember that this allows him to inject anything he likes into the content you send users, so you're passing your risk onto your users.

Chris

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
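The difference Chris describes, as an added example that is not part of the thread: a constructed sample file stands in for the friend's remote file.html (a local temporary file rather than a URL, so it runs offline; with a URL, include() behaves the same way only when allow_url_include is enabled, which has been off by default since PHP 5.2), and a third function shows what is left once readfile() has removed the code-execution risk.

```php
<?php
// Added example (not from the mailing-list thread). A local temp file stands in
// for the remote http://.../file.html; the content is constructed to show what a
// content author could place in it.
$sample = "<p>Hello from the content author</p>\n"
        . "<?php echo 'THIS RAN ON YOUR SERVER'; ?>\n"
        . "<script>alert('this runs in your users\\' browsers')</script>\n";

// DANGEROUS: include() feeds the bytes to the PHP interpreter. Everything inside
// "<?php ... ?>" executes here, with the web server's privileges.
function render_by_include(string $path): void
{
    include $path;
}

// SAFER: readfile() copies the bytes straight to the output. The "<?php ... ?>"
// block is sent to the browser as literal text and never runs on this host.
// What remains is XSS: the author still controls the HTML (and scripts) you serve.
function render_by_readfile(string $path): void
{
    readfile($path);
}

// If the content only needs to be text, escaping removes the XSS risk as well.
// If it must stay HTML, only an allowlist-based HTML sanitizer can do that; plain
// escaping would also neutralise the <p> tags the author intended.
function render_as_text(string $path): string
{
    $body = file_get_contents($path);
    if ($body === false) {
        return '<p>Content temporarily unavailable.</p>';
    }
    return '<pre>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</pre>\n";
}

$tmp = tempnam(sys_get_temp_dir(), 'remote_content_');
file_put_contents($tmp, $sample);

echo "--- include(): code executes on this server ---\n";
render_by_include($tmp);      // prints the <p>, then "THIS RAN ON YOUR SERVER"
echo "\n--- readfile(): raw bytes, <?php ... ?> left untouched ---\n";
render_by_readfile($tmp);     // the PHP tag appears literally in the output
echo "--- escaped text: neither PHP nor the <script> is live ---\n";
echo render_as_text($tmp);

unlink($tmp);
```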