Using variables from an include file

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

SimonJ621
Forum Commoner
Posts: 36
Joined: Thu Jul 27, 2006 5:07 am
Location: Ohio

Using variables from an include file

Post by SimonJ621 »

Hey all,

I have a quick question about calling variables from an include file. The purpose of the file is also for security, so if you know of a security issue, that information would be more than welcomed also.

I have my database information stored in a file called mysql.dbinfo.inc. This file is stored outside of the folder which has my php scripts in it, so I call it with something like: include_once("../safe/mysql.dbinfo.inc");

Here is what the file looks like:

Code:

<?php
	$db_user = 'xxxx';
	$db_pass = 'xxxx';
	$db_host = 'xxxx';
	$db_base = 'xxxx';
?>
I have no problems calling the variables once the file is included. And the script runs fine. However, I do get a warning when Zend analyzes the code. The warning says:

Global variable $db_X was used before it was defined on line X

Two things, is the variable being global a security issue and is there anyway to not get the warning?

Thanks,

Jason
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

Checking isset() before using the variable might make the warning go away. Otherwise I'd need to see more code to evaluate it.
SimonJ621
Forum Commoner
Posts: 36
Joined: Thu Jul 27, 2006 5:07 am
Location: Ohio

Post by SimonJ621 »

neophyte wrote:Checking isset() before using the variable might make the warning go away. Otherwise I'd need to see more code to evaluate it.
The above code would be a file named mysql.dbinfo.inc and stored in the folder safe. The application files are in a different folder. Here is a sample of code that would draw the warnings.

Code:

<?php
     include_once("../safe/mysql.dbinfo.inc");

     print "$db_user<br />$db_pass<br />$db_host<br />$db_base";
That's just a sample of something that would draw the warning. Basically, if I call any variable from another file it says that. However, while I'm a little bit annoyed by the warning, I'm more concerned if doing something like this is a security risk. Now, I'm not talking about printing my password info and stuff, I mean using those variables to connect to a database.

Or, another way to put it, what's the best way to store variables in another file to be used in applications?

Thanks,

Jason
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

A couple things strike me in this post:

1) You should not keep your db connection details below root (meaning mysite.com/somefolder/dbdetails.php), you should keep them above (server path /etc/var/ if your web site is in /etc/var/public_html/). Then include them from there. Hackers have a harder time getting to your files that way and it is not at all as easy to get to as typing in the URL http://www.yoursite.com/somefolder/dbdetails.php.

2) Put something into your db details page that will prevent someone from running the page or including the page. I usually define a constant in each page, then check that constant in the included pages. If the constant is not set, the entire script dies because it means someone is trying to hack the page.

3) The error you are getting may have something to do with when the vars are included OR when they are set. Take a look at the logical progression of your code to make sure everything is kosher.
SimonJ621
Forum Commoner
Posts: 36
Joined: Thu Jul 27, 2006 5:07 am
Location: Ohio

Post by SimonJ621 »

Ok, let's see how I do...

1) I think I have already done this. I'm using a localhost and my documents are in Apache2/httdocs and my includes are in Apache2/safe.

2) Hmm... trying to grasp this one... but not quite getting it. You include a file, then compare a constant in the included file with a constant on the page, and if they don't match you don't run the script? If that's correct, how does that protect the included file?

3) The above example is pretty basic and still produces the warning. The page runs fine, so I don't even know if it's an issue. The warning is from Zend Studio's code examiner.

Ok, so I didn't do very well :(.

Jason
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

SimonJ621 wrote:Ok, let's see how I do...

1) I think I have already done this. I'm using a localhost and my documents are in Apache2/httdocs and my includes are in Apache2/safe.

2) Hmm... trying to grasp this one... but not quite getting it. You include a file, then compare a constant in the included file with a constant on the page, and if they don't match you don't run the script? If that's correct, how does that protect the included file?

3) The above example is pretty basic and still produces the warning. The page runs fine, so I don't even know if it's an issue. The warning is from Zend Studio's code examiner.
1) Good job.

2) Look at this...

callingpage.php

Code:

<?php
define('INCS_AUTH', true);

include 'path/to/includes/include.php';
?>
include.php

Code:

<?php
if (!defined('INCS_AUTH'))
{
    die('Time to crap out since you didn\'t include me properly!');
}
?>
3) Not sure why ZS would be giving you that. Have you tried running the code on your server with display_errors on and error_reporting set to E_ALL (or E_STRICT in PHP5)? Also, what version of PHP is ZS set to use in the preferences? Is it the same as is on your server?
SimonJ621
Forum Commoner
Posts: 36
Joined: Thu Jul 27, 2006 5:07 am
Location: Ohio

Post by SimonJ621 »

Ok, I understand number two now. I originally thought you meant that the if statement was in the page, not the include file. I didn't know an included file could share information in both directions.

As for the Zend, it's set for PHP5 and that's the version I'm using. I'll play around with it a little more and try to figure out. The message it gives about the warning is:
Category: Security
A global variable is used before it is defined. You may see this warning if you rely on register_globals or variables defined in external include files, in which case you may choose to ignore it. However, note that this may cause the code to behave in unpredictable ways when run in certain contexts.

Example:
// a was never initialized
if ($a>0) {
...
}
Ok, time to get some other things done. I'll be back to try and resolve this thread tomorrow. Thanks for all your help.

Jason
klarinetking
Forum Commoner
Posts: 59
Joined: Mon Jul 24, 2006 9:43 am

Post by klarinetking »

Hi,

Remember that an included file is basically copying the text from the included file and pasting it where the call to include is, therefore any variables already set are ready for use in the include file.

If you want to get rid of the Zend Studio error, before you include your file, do something like:

Code:

$a = $b ... = $n = '';
adding in all the variables that you are including. That sets all of them to nothing, and they'll be overwritten when you include your new file, and it gets rid of the error. It doesn't protect you from anything however ;)

klarinetking
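An added example, not code from anyone in this thread, that combines RobertGonzalez's guard-constant idea with a way to avoid the undefined-global warning klarinetking's workaround papers over: the include file returns an array instead of assigning globals, so the calling page never reads a variable it did not define and the credentials are not left in global scope for every later include to see. Two files are shown in one block; the file names follow the thread, and connecting with mysqli is an assumption about how the connection is made.

```php
<?php
// ---- ../safe/mysql.dbinfo.inc (kept outside the web root, as in the thread) ----
// Keeping it outside the document root matters: a .inc file under the root is
// served as plain text by many web server setups.

// Guard: refuse to run unless the calling page declared itself first
// (the INCS_AUTH pattern from RobertGonzalez's post).
if (!defined('INCS_AUTH')) {
    header('HTTP/1.1 403 Forbidden');
    exit('This file must be included by an application page.');
}

// Return the settings rather than assigning $db_user etc. as globals. The
// caller receives this array as the value of include, so no global is read
// before it is defined. Values are placeholders, not real credentials.
return array(
    'user' => 'xxxx',
    'pass' => 'xxxx',
    'host' => 'xxxx',
    'base' => 'xxxx',
);
```

```php
<?php
// ---- htdocs/somepage.php (the calling page) ----
define('INCS_AUTH', true);

// include evaluates to whatever the included file returns, or false if the
// file could not be loaded, so check the shape before trusting it.
$db = include '../safe/mysql.dbinfo.inc';
if (!is_array($db)) {
    die('Database configuration could not be loaded.');
}

$link = mysqli_connect($db['host'], $db['user'], $db['pass'], $db['base']);
if (!$link) {
    // Log the driver error server-side; never echo it (or the credentials) to the browser.
    error_log('DB connection failed: ' . mysqli_connect_error());
    die('Database unavailable.');
}

// The connection holds what it needs; drop the credentials from script scope.
unset($db);
```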
SimonJ621
Forum Commoner
Posts: 36
Joined: Thu Jul 27, 2006 5:07 am
Location: Ohio

Post by SimonJ621 »

Wonderful. Thank you for all of the help. Now my files are not only safe, but I understand quite a bit more when dealing with includes :)

Jason
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

SimonJ621 wrote:Wonderful. Thank you for all of the help. Now my files are not only safe, but I understand quite a bit more when dealing with includes :)

Jason
Piece of advice. Zend analyzer is good but not that good. Don't rely on it 100%.
The warning you were getting is just a buggy Zend analyzer implementation... and not your fault at all.
SimonJ621
Forum Commoner
Posts: 36
Joined: Thu Jul 27, 2006 5:07 am
Location: Ohio

Post by SimonJ621 »

jmut wrote: Piece of advice. Zend analyzer is good but not that good. Don't rely on it 100%.
The warning you were getting is just a buggy Zend analyzer implementation... and not your fault at all.
I figured it wasn't anything to worry about, but I wasn't sure and didn't want a security risk based on me being unsure. But thanks to phpdn, I can get other, more knowledgeable opinions :)

Jason