
Include File Security

Posted: Mon Nov 06, 2006 3:52 am
by amir
I'd like to include an external PHP file from a directory called "ads", using:

<?php
include("./ads/file.php")
?>
1. In terms of security is there anything I should keep in mind when using the include statement?

2. Is there anything I can add to this piece of code to make it more secure?

3. Also, since I used " ./ " in the path, to indicate that the subdirectory is in the current directory, will it still search in the includes directory first? Is there a better way to do this?

Thanks!

Re: Include File Security

Posted: Mon Nov 06, 2006 5:06 am
by Chris Corbyn
amir wrote: I'd like to include an external PHP file from a directory called "ads", using:

<?php
include("./ads/file.php")
?>
1. In terms of security is there anything I should keep in mind when using the include statement?
Not really, no. It's a hard-coded include. If you were passing a variable based upon user input, then yes, you'd need to sanitize exactly what you're including.
2. Is there anything I can add to this piece of code to make it more secure?
Place "exit()" on the line above it*.
3. Also, since I used " ./ " in the path, to indicate that the subdirectory is in the current directory, will it still search in the includes directory first? Is there a better way to do this?
I haven't tested it, but the logical thing for PHP to do would be to try all directories where the script is run from before using the include path.

* This is a joke of course. That small piece of code by itself doesn't have any security issues.
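
An added example, not part of the original posts: the hard-coded include discussed above needs no sanitizing, but for the case the reply mentions, where the file name comes from user input, one way to constrain it is an allowlist plus a check that the resolved path stays inside the ads directory. The `ad` request parameter, the `resolve_ad()` helper and the allowlist entries are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Maps a user-supplied name to a file inside ./ads and refuses anything else.

// Absolute base directory, so neither include_path nor the current
// working directory influences which file is loaded.
const ADS_DIR = __DIR__ . '/ads';

// Names a request may select (constructed sample values).
const ALLOWED_ADS = ['file', 'banner', 'sidebar'];

function resolve_ad(string $name): ?string
{
    // 1. Exact allowlist match: anything containing "../", a URL scheme,
    //    a null byte or an unknown name is rejected here.
    if (!in_array($name, ALLOWED_ADS, true)) {
        return null;
    }

    // 2. Canonicalise and confirm the result is still inside ADS_DIR
    //    (covers a symlink inside ads/ that points somewhere else).
    $base = realpath(ADS_DIR);
    $path = realpath(ADS_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// The request supplies only a name; the path is always built server-side.
$requested = $_GET['ad'] ?? 'file';
$path = is_string($requested) ? resolve_ad($requested) : null;

if ($path === null) {
    http_response_code(404);
    exit('Unknown ad');
}
include $path;
```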