  1. #1
    New Coder

    Securing Include files

    What's the best and most secure way to include/require files?

    I'm currently using the following method:

    For my include files, I have the following at the top:
    PHP Code:
    defined('_VALID_INCLUDE') or die('Direct access not allowed.');
    And for the files where I include that file, I have:
    PHP Code:
    define('_VALID_INCLUDE', TRUE);
    require('connect.php');
    Is this a good and secure method, or is there a better way to do this?

  • #2
    God Emperor Fou-Lu
    This doesn't exactly help with security. Assuming that the includes generate no processing of their own directly, attaching directly to them won't cause a problem. On the other hand, if you want to ensure that an include is reliant on the script including it (it does actual processing based on reliant data), then it may be a good idea to dictate a constant to it to ensure it's been included and not directly accessed.
    So from an error control perspective, it may be a good idea to do this. I've done OO programming for so long now that I never have main processing running in an included class. It's always constructed and handled from another method or the primary script.

  • #3
    New Coder
    So what I've been doing, as shown above, makes no difference when it comes to security?

  • #4
    God Emperor Fou-Lu
    Nope. Security would indicate some type of access control. All a defined constant will do here is determine if it can run by itself or if it has to be run in the scope of something that has defined the constant. So for this I'd define it more as an error control level instead.

    Security in the scope of an include would be more along the lines of accepting a variable include from input which is verified against a list of valid ones. So if you accept a page from a user, you have to verify that page exists and is one you will allow access to; otherwise nothing stops input from providing any filesystem file which the apache user has access to, and that file will be included.
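An added example of the allowlist approach described in this reply (example code written for this thread, not Fou-Lu's own): the user-supplied page name is only ever used as a key into a fixed map, so it never becomes part of a filesystem path, and the resolved file is additionally checked to sit under an assumed `pages/` directory. The `_VALID_INCLUDE` constant from the first post is kept for the error-control role discussed above.

```php
<?php
// Allowlist of public page names -> exact filenames under pages/ (assumed layout).
// The input is used only as a lookup key, never concatenated into a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Return the absolute path of the allowed page file, or null if the
 * request is not in the allowlist or does not resolve inside pages/.
 */
function resolve_page(string $requested): ?string
{
    // The lookup is the access control: anything not in the map is refused,
    // so a traversal sequence or a URL in the input never reaches the filesystem.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }

    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null; // directory missing: fail closed
    }

    $path = realpath($base . '/' . PAGES[$requested]);
    // Defence in depth: the file must exist and sit directly under pages/.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Only a scalar string is acceptable as a page name; arrays are rejected.
$page = $_GET['page'] ?? 'home';
if (!is_string($page)) {
    $page = '';
}

$file = resolve_page($page);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page.');
}

define('_VALID_INCLUDE', true); // included files may still check this
require $file;
```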

