30 Jan

How To Correctly Include A Remote File Securely With PHP 5

Although it has had a nice run, PHP 4 is now being replaced with newer versions such as PHP 5. This slow transition is becoming quicker as time goes on, and web developers see the benefit of the upgrades and changes. One such change was made in how webmasters use the include function to add a remote file to their websites.

XSS attacks, or what are called cross-site scripting attacks, are attacks in which a hacker injects code from a remote website. This attack is prevalent on PHP 4 platforms, but not so much on PHP 5 platforms due to a change in how the default configuration is built. PHP 4 allows limitless control of absolute file paths, whereas PHP 5 has cracked down on absolute paths and instead requires other methods of achieving file inclusion.

An XSS attack will seek to inject code into a webmaster’s website and attempt to run it. With the normal include function as PHP 4 allowed it, an attacker could easily include files from another server located anywhere in the world. In doing so, servers could become “zombies” that could spam or attack other websites and users at will, all without the webmaster knowing.

XSS attacks work mostly because “allow_url_fopen” is set to on, which is the default setting in PHP 4. In PHP 5, however, the default setting is to turn it off. As a result, webmasters will not be able to include absolute paths without a little handiwork. Instead, developers are urged to make use of relative file paths when including files.

Another method of using the include function in PHP 5 is simply to call the server’s own base directory when including files. This way the same syntax can be kept. The server variable for this base directory, `$_SERVER['DOCUMENT_ROOT']` (PHP superglobals are case-sensitive, so it must be written exactly like this), takes the place of the webmaster’s domain name when including a file. Using this server variable, in effect, allows webmasters to still use absolute paths in their include functions, and it avoids having to change every include call to accommodate relative paths.

It is recommended that the “allow_url_fopen” setting be kept off, even though it could easily be changed in the server configuration if access to the server is granted. If for some reason there is no possible way to keep this configuration setting off, there should be more focus on sanitizing any input a user of the website might have into a database or variable. After all, web servers got along fairly well with the setting defaulted to on in PHP 4.
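The following is an added example (not code from the original article) of the approach described above: a page include rooted at `$_SERVER['DOCUMENT_ROOT']` that never uses the request parameter as a path, plus a startup check on `allow_url_fopen`. The page names, file paths and the `page` query parameter are assumptions for illustration.

```php
<?php
// Added example: replace a URL-style include such as
//   include 'http://www.example.com/includes/header.php';
// with a local include rooted at the server's document root.
declare(strict_types=1);

// Defender's check: warn if remote file access is enabled in this PHP.
if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_fopen is on; remote includes are possible');
}

// Allow-list of page names (assumed for this example). The request
// parameter is only ever used as a key into this list, never as a path.
const PAGES = [
    'header' => 'includes/header.php',
    'footer' => 'includes/footer.php',
    'news'   => 'includes/news.php',
];

/**
 * Resolve a requested page name to an absolute path under DOCUMENT_ROOT.
 * Returns null if the name is unknown, the file is missing, or the
 * resolved path lies outside the document root.
 */
function resolve_include(string $name): ?string
{
    if (!array_key_exists($name, PAGES)) {
        return null;                       // unknown name: refuse, do not guess
    }
    $root = realpath($_SERVER['DOCUMENT_ROOT']);
    $path = realpath($root . DIRECTORY_SEPARATOR . PAGES[$name]);
    // realpath() returns false for missing files and collapses any
    // "../" sequences, so the prefix check below is reliable.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Same effect as the old absolute-URL include, without a network fetch.
$file = resolve_include((string) ($_GET['page'] ?? 'header'));
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```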

In Conclusion:

PHP 5 has brought us many new security features, and the default setting of disallowing absolute paths in include functions is an example of where the industry is going. For more information on the syntax, how to use it, and web development in general, readers should consult the PHP manual or obtain a PHP 5 book from a local bookstore.
