Include secure file from non-secure page - bad or good idea?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
jlietz
Forum Newbie
Posts: 1
Joined: Tue Jun 12, 2007 10:44 am

Include secure file from non-secure page - bad or good idea?

Post by jlietz »

Hi,

I have a file containing various database functions that up until now has only been used (accessed) on the secure (https) part of my site. Now, I need to access it from the regular http part of the site. However, when I try to include the file in the form:

include ("https://www.mysite.com/dbfile.php")

I get the "failed to open stream" warning and then a fatal error. I am assuming that it has something to do with the include_path settings in httpd.include. However, my question is whether it is a good idea to include a secure file from a non-secure page in the first place. Is it?

Thanks.
User avatar
kaszu
Forum Regular
Posts: 749
Joined: Wed Jul 19, 2006 7:29 am

Post by kaszu »

1) If that server gets hacked, then your server will be in danger too.
2) How much time does this 'include' HTTP request take? I think whatever it takes, it takes too much.
3) What if that other server fails? Does that mean that your website will be down too?
4) If someone else get this database function script, then in case of a vulnerability your website could be in danger.

Anyway, I'm not an expert, but i think this is what you should consider.
User avatar
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews
Contact:

Post by aaronhall »

If it's a local file, you would include it with its path on the hard disk:

Code: Select all

include("/path/to/dbfile.php");
Post Reply