  1. #1
    Regular Coder
    Join Date
    Oct 2008
    Posts
    102
    Thanks
    28
    Thanked 4 Times in 4 Posts

    Make a PHP file only includable from local files

    Hi, I'd like to know if it's possible to make a PHP file includable only if the file is local, for example check whether a certain file is in the same folder and, if it's not, don't do certain things.

  • #2
    Regular Coder ninnypants's Avatar
    Join Date
    Apr 2008
    Location
    Utah
    Posts
    504
    Thanks
    10
    Thanked 47 Times in 47 Posts
    You should already know where all of your included files are coming from. If you use variable file includes then you're creating a hole in your security. If your file was set up like this
    PHP Code:
    <?php
    // the directory comes straight from the URL, so the client controls it
    $path = $_GET['path'];
    include $path . 'update_account.php';
    ?>
    now say that your URL that contains the expected path for the current user is yoursite.com?path=/users/account/ but a malicious user sees this and changes it to yoursite.com?path=/admin/account/; the user would have access to update the admin account.

    This is very general, but the idea is that it has the potential to cause some major security holes.
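    The variable include above beside a hardened version, as an added example (not ninnypants's code): the request is reduced to a short key and the server owns the map from key to file, so no request value ever becomes part of a path. The `page` parameter, the `$allowedPages` map and the `users/...` file names are assumed for illustration.

```php
<?php
// Added example, not from the post. Demonstrates replacing a client-controlled
// include path with a server-side allowlist. The 'page' parameter, the
// $allowedPages map and the users/ paths are assumptions for illustration.

// VULNERABLE (the pattern from the post, kept as a comment): the client picks
// the directory, so ?path=/admin/account/ selects the admin script.
//   $path = $_GET['path'];
//   include $path . 'update_account.php';

// HARDENED: the request supplies only a key; the server decides which file
// that key means. Anything not in the map is refused before include() runs.
$allowedPages = [
    'account' => __DIR__ . '/users/account/update_account.php',
    'profile' => __DIR__ . '/users/profile/update_profile.php',
];

function resolveInclude(array $allowed, string $key): ?string
{
    if (!array_key_exists($key, $allowed)) {
        return null;                         // unknown key: refuse, never guess
    }
    $real = realpath($allowed[$key]);
    $base = realpath(__DIR__) . DIRECTORY_SEPARATOR;
    // Second check: the resolved file must still live under this directory,
    // so a typo in the map cannot point outside the application tree.
    if ($real === false || strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return $real;
}

$key  = $_GET['page'] ?? 'account';
$file = resolveInclude($allowedPages, $key);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

    The allowlist only fixes which file runs. Which account that file is allowed to update must come from server-side state (the logged-in user's session) and not from anything in the URL, otherwise the admin-versus-user problem in the post simply moves into the included script.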

  • #3
    Regular Coder
    Join Date
    Oct 2008
    Posts
    102
    Thanks
    28
    Thanked 4 Times in 4 Posts
    Quote Originally Posted by ninnypants View Post
    You should already know where all of your included files are coming from. If you use variable file includes then you're creating a hole in your security. If your file was set up like this
    PHP Code:
    <?php
    // the directory comes straight from the URL, so the client controls it
    $path = $_GET['path'];
    include $path . 'update_account.php';
    ?>
    now say that your URL that contains the expected path for the current user is yoursite.com?path=/users/account/ but a malicious user sees this and changes it to yoursite.com?path=/admin/account/; the user would have access to update the admin account.

    This is very general, but the idea is that it has the potential to cause some major security holes.

    then what would be a good way to fix this?

    I use sessions, though. I'm more scared about SQL injections than the file code itself.
    Last edited by dsylebee; 01-12-2010 at 12:29 AM. Reason: added lines

  • #4
    Regular Coder ninnypants's Avatar
    Join Date
    Apr 2008
    Location
    Utah
    Posts
    504
    Thanks
    10
    Thanked 47 Times in 47 Posts
    Sessions can be spoofed, but what is the exact issue that you are trying to solve with the includes?

  • #5
    Regular Coder
    Join Date
    Oct 2008
    Posts
    102
    Thanks
    28
    Thanked 4 Times in 4 Posts
    Quote Originally Posted by ninnypants View Post
    Sessions can be spoofed, but what is the exact issue that you are trying to solve with the includes?
    Well, let's say someone is trying to connect to my database, knowing I have an include file that does the connection. I'd like it to only include if it's from the website itself.

  • #6
    Regular Coder ninnypants's Avatar
    Join Date
    Apr 2008
    Location
    Utah
    Posts
    504
    Thanks
    10
    Thanked 47 Times in 47 Posts
    .php files are parsed on your server, so the person trying to include it would not be able to use any of your code; the output of that code would just be added to their PHP file.

  • #7
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    A common method for making certain a file can only be run by a local script is to define a value in the parent script and have the included/required file check whether that value is defined, i.e.:

    Parent file:

    Code:
    define('check_loaded', 1);
    then in the include/require file, at the very top of the file, just after the opening php tag, you would insert the following:

    Code:
    if (!defined('check_loaded'))
    {
        exit();
    }
    If the child script is called directly, it will exit immediately. I'm assuming that is what you were referring to?
    Last edited by MattF; 01-12-2010 at 02:10 AM.
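    The guard from MattF's post applied to the database-connection include the original poster asked about in #5, as an added example (not MattF's code). The two files are shown in one listing; each would start with its own opening tag. The file names index.php and db_connect.php, the get_db() function and the connection details are assumptions; the constant name check_loaded is the one from the post.

```php
<?php
// Added example, not from the post. Two separate files in one listing.
// Assumed names: index.php, db_connect.php, get_db(). Constant name
// check_loaded is the one MattF used.

// ---------- File: index.php (the page a browser is meant to request) -------
define('check_loaded', 1);               // must run BEFORE the include
require __DIR__ . '/db_connect.php';     // keep includes under a fixed path
$db = get_db();
// ... the rest of the page uses $db ...

// ---------- File: db_connect.php (never meant to be requested directly) ----
// The guard is the very first statement after the opening tag, before any
// output or side effect, so a direct request to db_connect.php runs nothing
// below this line. An explicit 403 replaces the blank page a bare exit() gives.
if (!defined('check_loaded')) {
    http_response_code(403);
    exit();
}

function get_db(): PDO
{
    // Connection details are placeholders for the example, not real values.
    $dsn = 'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4';
    return new PDO($dsn, 'PLACEHOLDER_USER', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

    The order matters: the parent defines the constant and only then includes the child, and the child checks it before doing anything else. The guard stops the child from executing when it is requested on its own; it does not hide the file's source from anyone who can read the filesystem, so the usual complementary measure is to keep include files outside the web server's document root.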


  • #8
    Regular Coder
    Join Date
    Oct 2008
    Posts
    102
    Thanks
    28
    Thanked 4 Times in 4 Posts
    Quote Originally Posted by MattF View Post
    A common method for making certain a file can only be run by a local script is to define a value in the parent script and have the included/required file check whether that value is defined, i.e.:

    Parent file:

    Code:
    define('check_loaded', 1);
    then in the include/require file, at the very top of the file, just after the opening php tag, you would insert the following:

    Code:
    if (!defined('check_loaded'))
    {
        exit();
    }
    If the child script is called directly, it will exit immediately. I'm assuming that is what you were referring to?
    yes thank you :-)

  • #9
    Regular Coder
    Join Date
    Oct 2008
    Posts
    102
    Thanks
    28
    Thanked 4 Times in 4 Posts
    Quote Originally Posted by ninnypants View Post
    .php files are parsed on your server, so the person trying to include it would not be able to use any of your code; the output of that code would just be added to their PHP file.
    Yes, though if they know the variable name they can always output it.

  • #10
    Regular Coder ninnypants's Avatar
    Join Date
    Apr 2008
    Location
    Utah
    Posts
    504
    Thanks
    10
    Thanked 47 Times in 47 Posts
    That's not how it works: the file finishes processing before it ever loads into their script. They have no access to the variables used in the processing. If that weren't the case there would be no reason to use the language, since all of your information could be stolen easily.