On Tue, June 13, 2006 9:17 pm, Dave M G wrote:
> Richard Lynch wrote:
>> The problem with making it dynamic, is that you've just made it
>> AWFULLY easy for some Bad Guy to inject their own PHP file into your
>> system...
>>
>> Think about that for awhile.
> I have thought about it, and I can only see it as possible if the
> person already has the ability to write PHP scripts into my directory.
> If they can do that, then the damage is already done and they don't
> need to bother with slipping the name of their file into my include()
> functions. They could just write a script and then execute it from the
> browser directly.
>
> If there is some other way for them to exploit a dynamic include()
> function, then please let me know.

Part of the whole register_globals debacle is based upon the problem that dynamic includes, if not properly coded 100% of the time, can have the variable over-written by external data.

Let us also consider, for the moment, that maybe someday you wrap this thing up with some kind of nifty database solution to track all those include files -- now the Bad Guy only has to break into your database to get the files they want loaded.

Also consider that if the allow_url_fopen_wrappers thingie is "on" then they can include() the source code from THEIR OWN SERVER, not needing to get it onto your server in the first place.

I'm not saying you can't take precautions and make this reasonably secure today. And you maybe even have a process in place to audit the code and application next month/year/decade to be sure the "feature" doesn't get "improved" to suddenly not be secure anymore, by some Junior Developer who gets thrown on the project after your project gets really big and important...

I'm saying think long and hard about this, and be sure you've considered all the angles (the above is probably only a subset) before you go down what is an inherently dangerous path.

So far, our conversation could be likened to:

You: Should I jump out of an airplane?
Me: I dunno. It's pretty dangerous if you don't know what you're doing.

:-)

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
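The two shapes of dynamic include() discussed in this thread, as an added example that is not from either poster: the fragile form hands a request value straight to include(), while the hardened form lets the request pick only a key in a fixed allowlist, so register_globals or allow_url_fopen settings never influence which file is loaded. The page names and file paths are assumptions.

```php
<?php
// Added example, not from the thread. Page names and paths are assumed.

// Fragile form: the request value names the file directly. Whatever can
// influence $page (register_globals, a remote URL when allow_url_fopen is
// on, a tampered database row) decides what PHP executes.
function include_page_fragile(string $page): void
{
    include $page . '.php';
}

// Hardened form: the request value is only a lookup key. The file names
// live in a constant map the request cannot change; anything not in the
// map falls back to a known default, so no caller-supplied path ever
// reaches include().
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(?string $requested): string
{
    if ($requested !== null && array_key_exists($requested, PAGES)) {
        return PAGES[$requested];
    }
    return PAGES['home'];
}

function include_page_safe(?string $requested): void
{
    include resolve_page($requested);
}

// Typical use: the allowlist alone decides which file is loaded, and
// "?? null" keeps a missing parameter from becoming an undefined variable.
include_page_safe($_GET['page'] ?? null);
```

Auditing for this pattern later (the "Junior Developer" case in the post) reduces to checking that every include() argument is a literal or comes out of resolve_page().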