A friend told me that I shouldn't use PHP include for, let's say, templating the header and footer on the page; he said it's a security risk and that I should use a template engine like Twig. Does it really pose a security concern? To me it looks almost like the same thing.

Include in PHP:

<? include("header.php"); ?>

And Include using Twig:

{% include 'header.html' %}

JavaScript is my main language and I got into PHP fairly recently, and I'm loving it so far.
If someone could shed some light on this dilemma I'd be most grateful!

  • Don't see any problem there. There could be security issues on Twig, too. Just for including an HTML file without needing any other stuff of Twig, I would never add something "heavy" like Twig to my project. – iquellis Oct 27 '17 at 15:25
  • If someone else has access to `header.php`, then you'll end up running their code when you include the file, which could potentially do a lot more than a Twig include. That said, if someone has access to your PHP code, you've probably got bigger problems. – iainn Oct 27 '17 at 15:26
  • This is not a duplicate @Machavity since he's asking a question regarding including Twig... – Alvin Bunk Oct 27 '17 at 16:45
  • Your question is very opinion-based after the title edit. – TylerH Oct 27 '17 at 17:21
  • @MirzaSisic Just to answer this, template engines (Twig, Smarty, etc.) simply offer you a scope reduction by launching everything inside a function. It's not really more "secure", because it's not inherently insecure in the first place. If you're living dangerously by using user input to include files or execute code it just makes it slightly less vulnerable to use a template engine. Everything the dupe says about `include` security still applies here. – Machavity Oct 27 '17 at 17:32
  • I appreciate the clarification, thanks man. – Mirza Sisic Oct 27 '17 at 17:49
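Added example, not from the question or any of the commenters: the fixed `include("header.php")` in the question carries no input-dependent risk, so the case Machavity's comment warns about is an include whose path is built from a request parameter. The weak form is shown next to an allowlist version that keeps client-controlled bytes out of the path; the file names (`home.php`, `about.php`, `not_found.php`) are assumed for illustration.

```php
<?php
// Added example (not from the question or comments). Contrasts an include
// whose path is built from user input with an allowlist-based version.
// File names under pages/ are assumed for illustration.

declare(strict_types=1);

// Weak: the request parameter decides which file is included, so which
// code runs depends entirely on what the client sends. Shown only for
// contrast; nothing in this file calls it.
function renderPageWeak(string $requestedPage): void
{
    include __DIR__ . '/pages/' . $requestedPage . '.php';
}

// Hardened: the request value is only a key into an allowlist; the path
// that reaches include() is assembled from constants the developer wrote.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

// Returns the absolute path for a known page key, or null for anything else.
function resolvePage(string $requestedPage): ?string
{
    if (!array_key_exists($requestedPage, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$requestedPage];
}

function renderPage(string $requestedPage): void
{
    $path = resolvePage($requestedPage);
    if ($path === null) {
        http_response_code(404);
        include __DIR__ . '/pages/not_found.php';
        return;
    }
    // Fixed template paths, exactly the pattern from the question: the
    // template engine question is irrelevant to these two lines.
    include __DIR__ . '/header.php';
    include $path;
    include __DIR__ . '/footer.php';
}

renderPage($_GET['page'] ?? 'home');
```

The same allowlist shape applies to a Twig `{% include %}` whose template name comes from input: the engine narrows scope, as the comments say, but the name still has to be one the application chose.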