Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Hello,
I am doing a security audit of a PHP website which has the following first line of code, containing a file included in the / (root) directory of the website.
The above file contains code to connect to a MySQL database.
When I try to open this file, a blank page is displayed.
I want to know: does including a file this way pose a security risk/vulnerability? Can anyone change the file or insert any malicious file using C99 shells? If yes, then how?
If someone can alter the file being included, yes it could easily contain malicious code. Server security has to be fairly poor to allow such a thing typically, although poor scripts can allow it too.
If you're accessing this include via a browser, it should show a blank page, generally.
PHP won't show you the contents unless the code is scripted to do so or PHP wouldn't parse the contents due to a file name issue. Either way, the vulnerability is most often the server, not the software, for this particular "problem."
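An audit check for the two conditions raised in the replies above, added here as an example that is not part of the original thread: an include that other accounts can alter, and an include whose file name keeps PHP from parsing it. It assumes the server maps only `.php` to the PHP handler; the function names, the `.inc` file name and the sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: the web server hands only these extensions to the PHP interpreter.
PARSED_BY_PHP = {".php"}
# Markers suggesting a file holds PHP source or database connection code.
PHP_MARKER = re.compile(rb"<\?php|mysqli?_connect\s*\(|new\s+PDO\s*\(", re.I)


def audit_webroot(webroot):
    """Return sorted (relative_path, finding) tuples for files under webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            with open(path, "rb") as fh:
                is_php_source = bool(PHP_MARKER.search(fh.read(65536)))
            if not is_php_source:
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in PARSED_BY_PHP:
                # Served as plain text, so a browser request reveals the source.
                findings.append((rel, "source-disclosure"))
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                # Other local accounts can alter code that every page includes.
                findings.append((rel, "writable-by-others"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree: include files with different problems."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "db.php": (b"<?php $c = mysqli_connect('h', 'u', 'p'); ?>", 0o644),
        "db.inc": (b"<?php $c = mysqli_connect('h', 'u', 'p'); ?>", 0o644),
        "conn.php": (b"<?php $c = new PDO('mysql:host=h'); ?>", 0o666),
        "readme.txt": (b"static text", 0o644),
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root
```

Calling `audit_webroot()` on a copy of the site's document root lists each PHP-bearing file that would be served unparsed or that is group- or world-writable.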