Include or not include, that's the question

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

hybris
Forum Contributor
Posts: 172
Joined: Wed Sep 25, 2013 4:09 am

Include or not include, that's the question

Post by hybris »

Hi, I have a file functions.php that contains... functions.
One function is Securelogin() that checks if the user is logged in.

My page consists of the following files:
Header.php
Menu.php
Footer.php
Index.php
and some other files

Now my code in Index.php is like the following:
<?php
// blah blah
include 'functions.php';
// blah blah
Securelogin();
if ($loggedIn) { // else bug off ($loggedIn stands for whatever Securelogin() sets)
?>
<div id="container">
<?php
include 'Header.php';
include 'Menu.php';
include 'Footer.php';
?>
</div>
<?php } ?>

So if I want to protect the content in my Header, Footer, Menu .php (which I want) I start the page with something like
Header.php
<?php
Securelogin();
if ($loggedIn) {
    echo 'Hi, I\'m a lame header';
}

So the function in the header works if the header is loaded through index.php (since index.php includes functions.php, which contains Securelogin()).
I know I should add include functions.php to the header file, but my question is:

Now if I just try to copy-paste the link directly to header.php I get an error and Header.php is not displayed. This is of course because I'm calling a function that is not defined, since I didn't include it.

Do I have to include functions.php in the header file, or is it just as secure without the include since the page "crashes" without the include, or is there a way to display the code when a page crashes... The browser says something like the file is not found or may contain an error...

My guess is that on my current server both options are secure, but by crashing the page I'm reliant upon a good server configuration, so the best practice is to do the include even in the header file, since I can export the page to a different server with perhaps other settings and still maintain security.

So what do You guys say?

Also, if I use include in index.php and then include the same file in header, menu and footer, will it load the file 4 times (using up memory) or will it skip the include if the file is already included before... or should I use include_once? I heard include is faster than include_once (not that I guess I will notice any difference in my application), but which is the best practice? Include in index and include_once in header, menu and footer, or include_once in the index too...?

Thanks for taking time to answer this noob :)
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Include or not include, that's the question

Post by Celauran »

There's always include_once ...
hybris
Forum Contributor
Posts: 172
Joined: Wed Sep 25, 2013 4:09 am

Re: Include or not include, that's the question

Post by hybris »

^^ Yes I know but that wasn't the answer to the question(s) :)
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Include or not include, that's the question

Post by Celauran »

I don't see why something like this wouldn't work.


<?php

include_once 'functions.php';

$logged_in = checkLogin($user);
if ($logged_in === false) {
	header('Location: login.php');
	exit;
}

include_once 'header.php';
etc.
hybris
Forum Contributor
Posts: 172
Joined: Wed Sep 25, 2013 4:09 am

Re: Include or not include, that's the question

Post by hybris »

Because I want to protect all files, that is index.php, header.php... In your example, if you type http://mysite/header.php it would display header.php. That's why I need the checkLogin() on both index.php and header.php...

My question was: since I include functions.php within index.php, if I only use the checkLogin() function in header.php (without any includes inside header.php) the checkLogin() function will only work if I load header.php through index.php (since index includes the function lib). If I try to copy the URL for header.php it will crash, since I then call a function that doesn't exist (since it is not included inside header.php)... In both cases (if I use include functions.php within header.php or don't use include) the result is I won't be able to access header.php directly. If I use the include, header.php is "safe" due to my checkLogin code, and if I don't include I won't be able to access it since the page crashes because it calls an undefined function...

Are both ways equally secure? (I assume the crash option is less secure because it is dependent on correct server config.)

Are include and include_once equally fast? (I heard include_once is slower.)
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Include or not include, that's the question

Post by Celauran »

You could define a constant inside functions.php (or anywhere, really) and check inside header.php whether it is defined.

functions.php


...
define('FUNCTIONS_LOADED', true);
index.php as above

header.php


<?php defined('FUNCTIONS_LOADED') or die();
or something to that effect.
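The guard-constant pattern above, laid out as the three files it involves. This is an added example, not code from the thread: the constant name FUNCTIONS_LOADED and the file names are the thread's, while the body of Securelogin() (a session check) and answering a direct request with a 404 are assumptions. It also shows what the "just let it crash" option depends on: without the guard, a direct request to header.php raises an undefined-function error, and with display_errors=On PHP prints the absolute file path and line number to the client (not the source code, but more than a visitor should see), while with display_errors=Off the same request yields an empty 500 response.

```php
<?php
// Added example (not from the thread). Three files are shown in one listing;
// each real file starts with its own <?php tag. Names follow the thread.

// ===== functions.php =====
// Marker constant: only files pulled in after functions.php was loaded see it.
define('FUNCTIONS_LOADED', true);

// Stand-in for the thread's Securelogin(): a session check (assumption).
function Securelogin(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return !empty($_SESSION['user_id']);
}

// ===== index.php =====
require_once __DIR__ . '/functions.php';

if (!Securelogin()) {
    header('Location: login.php');
    exit;                       // never fall through after a redirect
}

echo '<div id="container">';
require_once __DIR__ . '/header.php';
require_once __DIR__ . '/menu.php';
require_once __DIR__ . '/footer.php';
echo '</div>';

// ===== header.php =====
// Guard: when header.php is requested directly, functions.php was never loaded,
// so the constant is missing and the script stops before any output. Answering
// 404 (an assumption here; Celauran's snippet uses die()) keeps the response
// indistinguishable from a file that does not exist, and no PHP error message
// reaches the client whatever display_errors is set to.
if (!defined('FUNCTIONS_LOADED')) {
    http_response_code(404);
    exit;
}
echo '<h1>Hi, I am a lame header</h1>';
```

Two details carry the security: in index.php the redirect-and-exit comes before any output and before the includes, and in header.php the guard is the first statement, so nothing is emitted on the failure path. require_once also answers the "loaded four times" question: a file that is already loaded is skipped, and the bookkeeping for that check is negligible next to the page itself.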
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Include or not include, that's the question

Post by Celauran »

hybris wrote: Are include and include_once equally fast? (I heard include_once is slower.)
Of course it's going to be slower. It has to first check if the file has already been included. The speed difference is negligible, though, and not worth worrying about.
hybris
Forum Contributor
Posts: 172
Joined: Wed Sep 25, 2013 4:09 am

Re: Include or not include, that's the question

Post by hybris »

Ok thanks :)
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Include or not include, that's the question

Post by Christopher »

It would probably make more sense to invert your design and have all the code above in your central template and have it include the content -- instead of what it is doing now. If you did that then everything would always be included. Then add a security setting/call on the pages that need it.

Also, research Front Controller.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Include or not include, that's the question

Post by Celauran »

I agree that would definitely be a much better approach. It is, however, also a considerable amount of work.
hybris
Forum Contributor
Posts: 172
Joined: Wed Sep 25, 2013 4:09 am

Re: Include or not include, that's the question

Post by hybris »

Ok thanks guys,

I did manage to get a (for me quite complex) site up when learning the basics of PHP/DB programming. Ugly code, but it does the job.
Now I wanted to learn more about best practice and OO, so I thought a start would be to do a header and footer .php, which is like a semi-OO approach since I can reuse the header and footer easily on every page.

However, last night I was thinking about some better way to solve the problem and came up with what would probably be best for me: create a webpage class where I define the header/footer/menu and then use a variable to input the content of that page to the class...

I'm sorry, I'm not that good at expressing myself in English... but I thought something like this: $a = new webpage('Hello world'); and it would display a page with header, footer, menu, and in the content field of that page it would say hello world... So perhaps I could bake the security check into the class and also add it as a variable to the class to set if the page is pw protected or not, like $a = new webpage('Hello world', 's'); where s = secure page...

I think this would be the best way for me to go...

BUT I still did not receive an answer to one of my questions... not that it matters for the development of my new page, but I'm still curious:
About the include part: if I include functions.php (that contains securelogin()) in header.php where I call the function, I will not be able to access header.php without being logged in if I write the URL directly in my browser (http://my-site/header.php), so that works as expected. However, if I do not include functions.php inside header.php but still call the function (since in my index.php I do the include, so it works as intended if header.php is called from index.php)... Anyway, even if I do not include functions.php I still cannot (on the webhotel I use atm) access the file header.php directly from my browser, since within header.php I'm calling an unknown function if I don't load header.php from index.php (that contains the include). The result is the browser says the page header.php doesn't exist or contains an error. <- This is also fine, since my goal is that you should not be able to display header.php by linking to it directly unless you are logged in (have a server session).

So I have 2 cases:
1) I use include functions.php in header.php -> my login script controls whether the user can see the page or not.
2) I don't use include in header.php -> no one can access the page directly, since the page "crashes" unless it is loaded from index.php.

I understand option 1 is better, since then the security of the page is controlled by me and my scripts, so even though I port the page to a new server with different security settings the page would function as expected. However, on the server I'm currently using it seems to me (because the server seems to have good security settings) I cannot access the contents of the crashed page... Is there any way (for a hacker) to retrieve the code in this case that I didn't think about when the page crashes, or can't I go around the server answer that simply says the page contains an error or does not exist? I assume that if I port to a new server with wrong security settings (like display error reporting = on) the server might not redirect the user to a page that says the original page doesn't exist or contains an error, but instead display the code and say "<code here> hey, on line 3 you are calling a function that doesn't exist".

I'm just trying to get a better understanding of web security ^^ in general, since my long-term goal is to be able to create a website that can contain sensitive business information with reasonable security (I know it's almost impossible to guarantee 100% security... like the NSA will probably still be able to hack the site, but the script kiddie that works for our competitors will not).

Thank You for taking time to educate me :)
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Include or not include, that's the question

Post by Celauran »

hybris wrote: BUT I still did not receive an answer to one of my questions... not that it matters for the development of my new page, but I'm still curious:
About the include part: if I include functions.php (that contains securelogin()) in header.php where I call the function, I will not be able to access header.php without being logged in if I write the URL directly in my browser (http://my-site/header.php), so that works as expected.
I already gave you a workaround for that. Neither approach is foolproof or 'best'; if you don't want something to be accessible, don't put it in the document root.

Your OO idea is a much better approach and will make the above point moot anyhow. I think you will find, however, that a simple webpage class is insufficient. I'd recommend downloading a framework and taking a look at how their code is structured. This will both provide you a platform on which to clean up your existing site as well as a great resource for learning.
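Christopher's suggestion to invert the design, combined with Celauran's point about keeping files out of the document root, as an added example that is not code from the thread. It assumes a layout with public/index.php as the only script under the document root and an app/ directory one level above it; the route table, the page names, the layout file and the Securelogin() session check are all invented for the illustration. Header, menu and footer live in app/layout.php, which no URL maps to, so the question of guarding them individually disappears, and the front controller decides once per request which pages require a login.

```php
<?php
// Added example (not from the thread). Assumed layout:
//   /var/www/public/index.php   <- document root; the only reachable PHP file
//   /var/www/app/functions.php  <- outside the document root
//   /var/www/app/layout.php     <- header, menu and footer live here
//   /var/www/app/pages/*.php    <- content fragments
// The files are shown in one listing; each real file starts with <?php.

// ===== app/functions.php =====
function Securelogin(): bool            // stand-in session check (assumption)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return !empty($_SESSION['user_id']);
}

// ===== public/index.php (front controller) =====
require_once __DIR__ . '/../app/functions.php';

// Route table: the only pages that exist, and which of them need a login.
// The file name comes from this table and never from the request, so a
// ?page= value that does not match a key can never select a file.
$routes = [
    'home'    => ['file' => 'home.php',    'secure' => false],
    'login'   => ['file' => 'login.php',   'secure' => false],
    'reports' => ['file' => 'reports.php', 'secure' => true],
];

$page = $_GET['page'] ?? 'home';
if (!is_string($page) || !isset($routes[$page])) {   // reject arrays and unknown names
    http_response_code(404);
    exit('Not found');
}

if ($routes[$page]['secure'] && !Securelogin()) {
    header('Location: /index.php?page=login');
    exit;                                    // stop before rendering anything
}

echo render($page, $routes[$page]['file']);

// Render a content fragment inside the shared layout. Output buffering captures
// the fragment as a string and hands it to layout.php as $content.
function render(string $title, string $fragment): string
{
    ob_start();
    require __DIR__ . '/../app/pages/' . $fragment;
    $content = ob_get_clean();

    ob_start();
    require __DIR__ . '/../app/layout.php';  // uses $title and $content
    return ob_get_clean();
}

// ===== app/layout.php (HTML template, shown here as comments) =====
// <!doctype html>
// <title><?= htmlspecialchars($title, ENT_QUOTES, 'UTF-8') ?></title>
// <header>Hi, I am a lame header</header>
// <nav>...menu...</nav>
// <main><?= $content ?></main>
// <footer>...</footer>
```

With this layout a request for /layout.php or /pages/reports.php is answered by the web server with a plain 404, because those paths are not under the document root at all; the only decision PHP has to get right is the one in the front controller, and it is made before any output is produced. The $content fragments are trusted server-side files, which is why they are echoed unescaped, while the user-influenced $title is escaped.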
hybris
Forum Contributor
Posts: 172
Joined: Wed Sep 25, 2013 4:09 am

Re: Include or not include, that's the question

Post by hybris »

Ok,

thanks guys for taking time and answer me. I really appreciate it.