Safe includes?

At 11:24 AM +0000 11/20/06, Stut wrote:
>Ford, Mike wrote:
>>My preference would be the include, but all of the options you've been given would do the job one way or another.
>
>Using include for this is potentially dangerous since it will execute any PHP code contained within the file. Only use include if you are absolutely sure you trust the content of the files you are displaying.

To all:

I understand that an include file will be executed "as-is", but how can someone change one of my includes? On my virtual host, I have to jump through ftp hoops (i.e., change permissions) to write a file and that's me knowing the logon and password. How does someone hack through that?

And if they could hack through that, then nothing is secure including includes, right? If the evil doer has gone that far, then why not just run the evil code and be done with it, why screw around with includes, which may, or may not, be executed?

What am I not getting here?

Also, aren't there any safe methods for using includes?

For example, one could define a variable in an include and then check if it's defined in the calling code -- if it's defined then run, if not then exit. That is not fool-proof -- but it should stop someone from completely replacing your include code with theirs.

I had a similar problem with a shareware Macintosh application I wrote where I wanted the resources to remain "intact" -- I didn't want someone changing the resource so that information about payments would be sent to them instead of me. So, I recorded the exact size of the resources and the program would only run IF the resources were exactly that size.

As such, one could check the size of the include and check if it had been altered. If the size matches the expected size, then run, if not then exit. This would stop include-injections for all except those that are the same size.

Any comments, suggestions, explanations?

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
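The size check proposed in the post above, carried through in working code as an added example that is not part of the original message or of PHP itself. It pins a SHA-256 digest of the include file instead of its byte length, so a replacement padded to the same size is still rejected, and it shows the size-only check passing such a replacement. Assumptions: PHP 8, a CLI run (opcache is off there by default, so the re-include after rewriting the file is not served from cache), hypothetical function names, and constructed sample files in a temp directory. The caveat tedd raises still applies: the pinned digest lives in the calling script, so the check only helps when the include location is more exposed to writes than the caller is.

```php
<?php
// Added example (not from the original post): verify an include file against a
// pinned SHA-256 digest before executing it, and compare that with the
// size-only check discussed in the thread. Function names are hypothetical.

declare(strict_types=1);

/**
 * Include $path only if its SHA-256 digest equals $expectedHex.
 * The digest is meant to be recorded at deploy time (e.g. `sha256sum x.inc.php`)
 * and pinned in the calling script or a read-only config file.
 */
function includeVerified(string $path, string $expectedHex): mixed
{
    $actual = hash_file('sha256', $path);
    if ($actual === false) {
        throw new RuntimeException("Cannot read include: $path");
    }
    // hash_equals() is a constant-time comparison.
    if (!hash_equals($expectedHex, $actual)) {
        throw new RuntimeException("Include rejected, digest mismatch: $path");
    }
    return include $path;
}

/**
 * The size-only check from the thread, kept here for comparison.
 */
function includeIfSizeMatches(string $path, int $expectedSize): mixed
{
    if (filesize($path) !== $expectedSize) {
        throw new RuntimeException("Include rejected, size mismatch: $path");
    }
    return include $path;
}

// --- Demonstration with constructed files (not real site content) ----------

$dir = sys_get_temp_dir() . '/safe-include-demo-' . getmypid();
mkdir($dir, 0700);
$inc = $dir . '/footer.inc.php';

// The legitimate include: it returns the text of a page footer.
$good = "<?php\nreturn 'Copyright tedd';\n";
file_put_contents($inc, $good);

// Pin what we trust, as a deployment step would.
$pinnedSize = filesize($inc);
$pinnedHash = hash_file('sha256', $inc);

echo "good file, size check: ", includeIfSizeMatches($inc, $pinnedSize), "\n";
echo "good file, hash check: ", includeVerified($inc, $pinnedHash), "\n";

// A tampered replacement, padded with spaces to exactly the same byte length.
$evil = "<?php\nreturn 'pwned';";
$evil .= str_repeat(' ', strlen($good) - strlen($evil) - 1) . "\n";
assert(strlen($evil) === strlen($good));
file_put_contents($inc, $evil);
clearstatcache(); // filesize() caches stat results; drop them after the rewrite

// The size check cannot tell the two apart and runs the attacker's code.
echo "evil file, size check: ", includeIfSizeMatches($inc, $pinnedSize), "\n";

// The digest check refuses to execute it.
try {
    includeVerified($inc, $pinnedHash);
    echo "evil file, hash check: executed (should not happen)\n";
} catch (RuntimeException $e) {
    echo "evil file, hash check: ", $e->getMessage(), "\n";
}

unlink($inc);
rmdir($dir);
```

Run it with `php safe-include-demo.php`; the third line prints the attacker's string via the size check, and the fourth reports the digest mismatch. Keep the pinned digests in a file the web server's user cannot write to; if the caller and the include share the same writable location, the attacker who can replace one can update the other, which is the point made in the post about nothing being secure once write access is lost.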
