On 3/24/06, Chris Shiflett <shiflett@xxxxxxx> wrote:
> Merlin wrote:
> > I am wondering if I am opening a potential security risk by
> > including files on remote servers.
>
> Yes.
>
> > I am doing an include ('http:/www.server.com/file.html') inside
> > a php script of mine to separate content from function. Content
> > is produced by a friend of mine and I do not want to grant
> > access to my server to him.
>
> You already are. You're basically instructing PHP to evaluate file.html
> as PHP code, so your friend can execute any PHP code on your server.
>
> If you only want to display file.html, use readfile(). This reduces your
> risk from remote code injection to cross-site scripting (XSS).
>
> > If including <? phpinfo(); ?> into his file, I do get the info
> > of php and I believe it is the phpinfo of my server.
>
> If he's executing phpinfo() on his server, it's going to describe his
> server. If he's outputting:
>
> <?php phpinfo(); ?>
>
> Then you're going to execute that when you include it.
>
> > That lets me believe that he could now write any php code which
> > would be executed on my server. Is that right? And if yes, what
> > can I do against it?
>
> Use readfile(), but remember that this allows him to inject anything he
> likes into the content you send users, so you're passing your risk onto
> your users.
>
> Chris
>

If you don't trust him enough to give him access to your server, why are
you letting him dynamically include code?

--
Anthony Ettinger
Signature: http://chovy.dyndns.org/hcard.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
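The include-versus-readfile() distinction Chris describes, as an added example that is not part of the thread and not Merlin's script. It stands a constructed local temp file in for the friend's http:// URL so it runs offline (the file's contents, the function names, and the third "escaped" variant are all assumptions of this example). The last function checks the allow_url_include ini directive, which is what makes a remote include possible in the first place and has been off by default since PHP 5.2.

```php
<?php
// Added example (not from the mailing-list thread). Shows why include()
// on untrusted content is remote code execution, why readfile() downgrades
// that to XSS, and one way to remove the XSS when the content is plain text.
declare(strict_types=1);

// Constructed stand-in for what the "friend" might publish at his URL:
// some HTML, a PHP tag, and a script tag. Nowdoc, so nothing is interpolated.
const UNTRUSTED_CONTENT = <<<'HTML'
<h1>Hello from my friend</h1>
<?php echo "PHP executed on host " . php_uname('n') . "\n"; ?>
<script>alert('xss')</script>

HTML;

// Write the sample to a temp file; this path plays the role of
// 'http:/www.server.com/file.html' from the original question.
function writeUntrustedFile(): string
{
    $path = tempnam(sys_get_temp_dir(), 'untrusted_');
    file_put_contents($path, UNTRUSTED_CONTENT);
    return $path;
}

// 1. What Merlin's script does: include parses the file as PHP, so any
//    <?php ... ?> the author put in it runs on *this* server. Output is
//    captured here only so the three variants can be compared side by side.
function renderWithInclude(string $path): string
{
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// 2. Chris's suggestion: readfile() copies the bytes through untouched.
//    No PHP executes, but the raw HTML (including <script>) still reaches
//    the browser, which is the XSS he warns about.
function renderWithReadfile(string $path): string
{
    ob_start();
    readfile($path);
    return (string) ob_get_clean();
}

// 3. Beyond the thread: if the friend's content only needs to be shown as
//    text, HTML-escaping it removes the XSS too. If it must render as HTML,
//    escaping is the wrong tool; an allow-list HTML sanitiser is needed.
function renderEscaped(string $path): string
{
    $raw = (string) file_get_contents($path);
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Defence in depth: include of an http:// URL only works when
// allow_url_include is on. Check the running configuration rather than
// assuming the default.
function remoteIncludeEnabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

$path = writeUntrustedFile();
echo "--- include (code runs here) ---\n", renderWithInclude($path);
echo "--- readfile (no code, but XSS) ---\n", renderWithReadfile($path);
echo "--- escaped (neither) ---\n", renderEscaped($path), "\n";
echo 'allow_url_include is ', remoteIncludeEnabled() ? "ON: remote include possible\n" : "off\n";
unlink($path);
```

Run it with the PHP CLI: the first block prints the hostname line, proving the embedded PHP executed locally; the second prints the script tag verbatim; the third prints it as harmless entities. The same difference holds for the real remote URL, except that include over http:// additionally needs allow_url_include enabled.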