Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I have always heard that a programmer should never include a remote file and after searching the topic I have found vulnerabilities when a variable is used to determine the URI being used in the include.
Sorry if this sounds like a basic question, but I have always been told never to include remote files, but I have never understood what vulnerabilities might exist if the URI is hard coded. Thanks!
Sorry for not making that clear. If I managed both websites and had full control over http://www.domain.com/banner.php - but the websites are on separate servers ... would there be a security risk? Is there any other way that a person could inject something into an include request between two servers?
I guess it depends on what you have on the remote file. If the remote file fetches some data from an external source then again, you are at risk just as if it wasn't your file. But if that file is managed by you and doesn't use any user input then I guess it'd be secure.
P.S. "User input" in this case refers to anything that is coming from the outside world. For example, some sort of code for a banner from one of your advertisers.
If you control both sites it should be ok ... but they find ways to hack just about anything. If you could find a way to do it as a data feed rather than executing remote code -- that would be preferable. Why do you need that file parsed?
I have a dynamic navigation on one website that changes each week and I am setting up a sub-domain of that website on another server to set up a blog. I need to pull in the navigation HTML on a regular basis so the navigation is up-to-date and thought about using the readfile function to pull the HTML code. I was just curious what vulnerabilities there were when using an include function as this would be an easier process.
Thanks for the insight - let me know if you have any other thoughts about this.
Every vector you open up to remote code execution is a potential exploit. You may have it locked down now, but next year you change something and you have unknowingly opened a door into your server. I would use some kind of data exchange web service if possible.
arborint wrote: Every vector you open up to remote code execution is a potential exploit. You may have it locked down now, but next year you change something and you have unknowingly opened a door into your server. I would use some kind of data exchange web service if possible.
+1
You shouldn't need to remotely include a file. Since you control both servers, just copy it, you lazy person
You could set up a cron job as well. Pulling it every time remotely may put strain on both servers or at least make the including page unresponsive.
Thank you arborint and everyone else - those are all valid points.
Mordred, I thought about this last night. My thought was to set up a cron that would initiate a script creating the latest version of the navigation and then FTP (or I suppose SFTP) the HTML file to the new server. Did you have an idea of a better way to do this?
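Added example (not code from anyone in this thread): the "pull it as a data feed from cron" approach the replies recommend, written as a small PHP script. The feed URL and cache path are placeholders; the script fetches the navigation over HTTPS as plain text, refuses anything that looks like PHP, and writes it atomically so the blog page can output the local copy instead of ever including a URL.

```php
<?php
// Added example (not from the thread): pull the navigation as DATA, never as code.
// Assumed placeholders: the feed URL and the local cache path.
declare(strict_types=1);

const NAV_FEED_URL   = 'https://www.example.com/nav-feed.html'; // placeholder
const NAV_CACHE_PATH = __DIR__ . '/cache/nav.html';              // placeholder
const NAV_MAX_BYTES  = 65536;

// DON'T: include/require of a URL executes whatever the remote host returns
// (it also needs allow_url_include=On, which should stay Off in php.ini):
//   include 'http://www.domain.com/banner.php';

/** Fetch the navigation fragment over HTTPS and return it as a plain string. */
function fetchNavigationHtml(string $url): string
{
    $ctx = stream_context_create([
        'http' => ['method' => 'GET', 'timeout' => 5],
        'ssl'  => ['verify_peer' => true, 'verify_peer_name' => true],
    ]);
    // Read at most NAV_MAX_BYTES + 1 so an oversized response is detected, not truncated.
    $body = file_get_contents($url, false, $ctx, 0, NAV_MAX_BYTES + 1);
    if ($body === false || strlen($body) > NAV_MAX_BYTES) {
        throw new RuntimeException("nav feed unavailable or too large: $url");
    }
    // Reject anything that looks like PHP, so a tampered feed can never become
    // code even if someone later "helpfully" includes the cache file.
    if (preg_match('/<\?|\?>/', $body)) {
        throw new RuntimeException('nav feed contains PHP tags; refusing to cache');
    }
    return $body;
}

/** Write the fetched HTML atomically so readers never see a half-written file. */
function refreshNavigationCache(string $url, string $cachePath): void
{
    $html = fetchNavigationHtml($url);
    $tmp  = $cachePath . '.tmp';
    if (file_put_contents($tmp, $html, LOCK_EX) === false || !rename($tmp, $cachePath)) {
        throw new RuntimeException("cannot write $cachePath");
    }
}

// Run this script from cron (e.g. hourly). The blog page then does
//   echo file_get_contents(NAV_CACHE_PATH);   // output as data, not include
// and keeps serving the last good copy whenever a refresh fails.
refreshNavigationCache(NAV_FEED_URL, NAV_CACHE_PATH);
```

If the refresh throws, cron mails the error and the previous cache file stays in place, which is the failure mode you want for a navigation bar.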