
View Full Version : Make a php only includable from localfiles



dsylebee
01-11-2010, 10:46 PM
Hi, I'd like to know if it's possible to make a PHP file includable only if the file is local. For example, check if a certain file is in the same folder, and if it's not, don't do certain things.

ninnypants
01-11-2010, 11:01 PM
You should already know where all of your included files are coming from. If you use variable file includes then you're creating a hole in your security. If your file was set up like this:


<?php
// The path comes straight from the query string and is used in an include:
// this is the insecure pattern being described.
$path = $_GET['path'];
include $path.'update_account.php';
?>

Now say that your URL that contains the expected path for the current user is yoursite.com?path=/users/account/, but a malicious user sees this and changes it to yoursite.com?path=/admin/account/. The user would have access to update the admin account.

This is very general, but the idea is that it has the potential to cause some major security holes.

dsylebee
01-11-2010, 11:27 PM
You should already know where all of your included files are coming from. If you use variable file includes then you're creating a hole in your security. If your file was set up like this:


<?php
// The path comes straight from the query string and is used in an include:
// this is the insecure pattern being described.
$path = $_GET['path'];
include $path.'update_account.php';
?>

Now say that your URL that contains the expected path for the current user is yoursite.com?path=/users/account/, but a malicious user sees this and changes it to yoursite.com?path=/admin/account/. The user would have access to update the admin account.

This is very general, but the idea is that it has the potential to cause some major security holes.


Then what would be a good way to fix this?

I use sessions, though. I'm more scared about SQL injections than the file code itself.

ninnypants
01-12-2010, 12:15 AM
Sessions can be spoofed, but what is the exact issue that you are trying to solve with the includes?

dsylebee
01-12-2010, 12:26 AM
Sessions can be spoofed, but what is the exact issue that you are trying to solve with the includes?

Well, let's say someone is trying to connect to my database, knowing I have an include file that does the connection. I'd like it to only include if it's from the website itself.

ninnypants
01-12-2010, 12:59 AM
.php files are parsed on your server, so the person trying to include it would not be able to use any of your code; the output of that code would just be added to their PHP file.

MattF
01-12-2010, 01:07 AM
A common method for making certain a file can only be run by a local script is to define a value in the parent script and have the included/required file check whether that value is defined, i.e.:

Parent file:



<?php
// Parent script: mark that the request entered through this file.
define('check_loaded', 1);


Then in the include/require file, at the very top of the file, just after the opening PHP tag, you would insert the following:



<?php
// Included file: refuse to run unless the parent script defined the constant.
if (!defined('check_loaded'))
{
    exit();
}


If the child script is called directly, it will exit immediately. I'm assuming that is what you were referring to?
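
Putting the two ideas from this thread together, here is an added example that is not code from any of the posters: the request supplies a key into an allowlist rather than a path, the resolved path is checked against the application directory, and the included file carries the defined() guard described above. File names such as index.php and users/account/update_account.php are hypothetical.

```php
<?php
// --- Parent script, e.g. index.php (hypothetical file name) ---

// Mark that this request entered through the parent script so that
// included files can refuse to run when requested directly.
define('check_loaded', 1);

// Allowlist: the request selects a key, never a path. The path for
// each key is fixed here and cannot be altered from the URL.
$pages = [
    'account' => __DIR__ . '/users/account/update_account.php',
    'profile' => __DIR__ . '/users/profile/edit_profile.php',
];

$page = $_GET['page'] ?? 'account';

if (!array_key_exists($page, $pages)) {
    http_response_code(404);
    exit('Unknown page');
}

// Belt and braces: resolve the path and confirm it still lies inside
// the application directory before including it.
$base   = realpath(__DIR__);
$target = realpath($pages[$page]);
if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(403);
    exit('Refused');
}

// Which account gets updated must come from the session, not the URL;
// the include only decides which page logic runs.
include $target;

// --- Included file, e.g. users/account/update_account.php ---
// This guard sits just after the opening tag of that second file, as
// the post above describes; it is shown in the same listing for brevity.
if (!defined('check_loaded')) {
    http_response_code(403);
    exit();
}
// ... update the account identified by $_SESSION, not by the request ...
```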

dsylebee
01-12-2010, 01:12 AM
A common method for making certain a file can only be run by a local script is to define a value in the parent script and have the included/required file check whether that value is defined, i.e.:

Parent file:



<?php
// Parent script: mark that the request entered through this file.
define('check_loaded', 1);


Then in the include/require file, at the very top of the file, just after the opening PHP tag, you would insert the following:



<?php
// Included file: refuse to run unless the parent script defined the constant.
if (!defined('check_loaded'))
{
    exit();
}


If the child script is called directly, it will exit immediately. I'm assuming that is what you were referring to?

Yes, thank you :-)

dsylebee
01-12-2010, 01:13 AM
.php files are parsed on your server, so the person trying to include it would not be able to use any of your code; the output of that code would just be added to their PHP file.

Yes, though if they know the variable name they can always output it.

ninnypants
01-12-2010, 05:59 AM
That's not how it works. The file finishes processing before it ever loads into their script. They have no access to the variables used in the processing. If that weren't the case, there would be no reason to use the language, since all of your information could be stolen easily.


