Using $_GET vars directly in include

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Everah wrote: Thanks guys. On a side note, does anyone know what the default php.ini setting for log_errors is? I think that for the project I am working on it would be helpful to have a look at the PHP generated errors. I have never really looked into the PHP error logs so I am not sure if they are on by default and, if they are on, where the log resides.
Manual says it's off by default, but it is PHP_INI_ALL :)
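An added example for the log_errors question (not code from the thread): since log_errors, error_log and display_errors are all PHP_INI_ALL, a script can switch them at runtime with ini_set(). The script below writes one warning to a throwaway log file under the system temp dir and reads it back; the log path is an assumption for the demo, and on a real host you would set error_log in php.ini to a file the web server can write. When error_log is not set, PHP hands errors to the SAPI's logger, which is the Apache error log under mod_php and stderr on the CLI.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Demonstrates turning PHP error
// logging on at runtime and where the entries end up. The log file path is a
// constructed value for this demo.

$logFile = sys_get_temp_dir() . '/php-errors-demo-' . bin2hex(random_bytes(4)) . '.log';

// Production-style settings: log everything, show nothing to the client.
ini_set('log_errors', '1');
ini_set('error_log', $logFile);   // unset => SAPI logger (Apache error log under mod_php, stderr on CLI)
ini_set('display_errors', '0');
error_reporting(E_ALL);

// Something to log. trigger_error() goes through the same path a runtime warning does.
trigger_error('constructed warning for the log demo', E_USER_WARNING);

// What a reviewer sees in the file: a timestamped "PHP Warning:  ..." line
// carrying the originating file and line number.
$contents = (string) file_get_contents($logFile);
echo $contents;
echo strpos($contents, 'constructed warning') !== false ? "logged OK\n" : "nothing logged\n";

unlink($logFile);
```

Run it with `php` from the command line; the only output apart from the log line itself is "logged OK", because display_errors is off.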
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Thanks feyd. The new hardware should be in about two weeks and the software setup will take place soon after. I want to make sure that all the hobbyists that may be coding on the development servers see the crap that is getting put into production at the moment. :twisted:
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Re: Using $_GET vars directly in include

Post by shiflett »

Everah wrote: What are the potential implications of this code, as you see it here?
As it is written, an attacker can execute any PHP script on the server. On certain platforms, an attacker can also expose any arbitrary file on the server. The only exceptions to these two statements are files that cannot be read by the web server.

Hope that helps.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Thanks for all the input. Fortunately the company was very quick to adopt my PHP coding standards, which specifically state not to accept user input without some form of validation AND to not use unfiltered $_GET requests for includes.
eremini
Forum Newbie
Posts: 2
Joined: Mon Oct 24, 2005 10:26 am

Post by eremini »

I think some of the problems outlined can be prevented by a simple file_exists check first.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Yes, they would, but I am of the mindset that you should never take user input and use it directly without some form of validation first.
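One added example covering both shiflett's answer above and the file_exists() exchange (this is not code from the thread). It assumes a hypothetical page router that includes `pages/<name>.php` based on `?page=`, builds a throwaway directory under the system temp dir so it runs stand-alone, and feeds a few constructed request values through three policies: the raw include the thread is about, a file_exists() check on its own, and an allowlist of known page names. The `.php` suffix in the router is deliberate: it shows that appending an extension only limits the attacker to PHP files, not to files under pages/ (and PHP before 5.3.4 truncated include paths at a %00 byte, so even that limit could be removed).

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Throwaway files are created under
// the temp dir and removed at the end; all request values are constructed.

$root    = sys_get_temp_dir() . '/include-demo-' . bin2hex(random_bytes(4));
$pageDir = $root . '/pages';
mkdir($pageDir, 0700, true);
file_put_contents($pageDir . '/home.php',  '<?php echo "  -> rendered home page\n";');
file_put_contents($pageDir . '/about.php', '<?php echo "  -> rendered about page\n";');
// A file outside pages/ that was never meant to be served. It stands in for
// any file the web server can read (another app's config, /etc/passwd, ...).
file_put_contents($root . '/config.php',   '<?php echo "  -> LEAKED: db_password=hunter2\n";');

// The only pages this hypothetical site actually has.
const ALLOWED_PAGES = ['home', 'about'];

// Include and report whether anything was included. The @ only keeps the demo
// output tidy for the deliberately bad inputs; it is not a defence.
function tryInclude(string $path): bool
{
    return (@include $path) !== false;
}

// Policy 1: the pattern under discussion. The request string *is* the path.
function includeRaw(string $pageDir, string $page): bool
{
    return tryInclude($pageDir . '/' . $page . '.php');
}

// Policy 2: file_exists() first. This only rejects names that point nowhere;
// "../config" points somewhere, so it still goes through.
function includeIfExists(string $pageDir, string $page): bool
{
    $path = $pageDir . '/' . $page . '.php';
    return file_exists($path) && tryInclude($path);
}

// Policy 3: validate against a fixed list and build the path from the list
// entry, so the request value is never used as a path component unless it is
// exactly one of the known names.
function includeAllowed(string $pageDir, string $page): bool
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return false;   // unknown page: serve a 404 or a default, never the raw value
    }
    return tryInclude($pageDir . '/' . $page . '.php');
}

// Constructed request values: two legitimate pages, a missing one, and a
// traversal that escapes pages/.
$requests = ['home', 'about', 'nosuchpage', '../config'];

foreach (['includeRaw', 'includeIfExists', 'includeAllowed'] as $policy) {
    echo "== $policy ==\n";
    foreach ($requests as $page) {
        echo "page=$page\n";
        $ok = $policy($pageDir, $page);   // included file's output appears here
        echo '  included: ', $ok ? 'yes' : 'no', "\n";
    }
}

// Remove the throwaway files.
array_map('unlink', glob($pageDir . '/*') ?: []);
unlink($root . '/config.php');
rmdir($pageDir);
rmdir($root);
```

Running it shows the point of the last two posts: under both includeRaw and includeIfExists the `../config` request prints the LEAKED line, because file_exists() answers "is there a file here?" and not "is this a file the user may choose?". Only the allowlist refuses it. The same validate-then-map shape works for any include, require or file read keyed on user input.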
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Everah 1, Bumbling Developers 0. ;)
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

w00t! I'm scoring...