From: there...no..there..... Insane since: May 2001
posted 04-13-2006 23:53
As far as I know, as long as that path is outside of the web root, then that is the way to go.
I have a folder outside of the web root called "includes"; in this folder there are php files that handle connectivity to MySQL servers. Since there is login info in these files, I keep them outside of the web root and then use a php include like you do above to access them.
You can get the same effect if you allow someone to pass ../ into an include, or if you use eval() on variables; in the worst case you can allow people to run exec() directly in the shell...
To answer your question then, if you have register_globals Off and use full paths in your includes, that example should be safe as far as I know. Very inflexible though if you don't use $_SERVER variables to build the path; then again, with register_globals On people can override those values and pass their own into the system...
Get to know your server setup and research exactly what a possible intruder can do on that setup.
You will be scared... I know I was when I saw examples actually performed on a site. There are loopholes practically everywhere, and register_globals in combination with eval/include is one large enough for a Boeing 747 to fly through...
{cell 260}{Blog}
-{"Theories without facts are just religions...?}-
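Added example (not code from DmS or anyone else in this thread) showing the two include styles the post contrasts: one where the request decides the path and "../" walks out of the intended directory, and a hardened one that maps request values to a fixed list of files under an includes directory outside the web root and checks the resolved path before including it. The directory layout and page names are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Assumed layout:
//   /home/account/includes/   <- db.php etc., not web-reachable
//   /home/account/htdocs/     <- DOCUMENT_ROOT
define('INCLUDE_DIR', '/home/account/includes');

// UNSAFE: the request decides what gets included. A value such as
//   ?page=../htdocs/uploads/avatar
// includes any .php file the web server can read, e.g. one an attacker
// uploaded. With register_globals On, $page is filled in from the request
// without the script ever touching $_GET.
function include_page_unsafe($page) {
    include INCLUDE_DIR . '/' . $page . '.php';
}

// SAFE: map the request value onto a fixed set of files, then verify that
// the resolved path really lives below INCLUDE_DIR before including it.
// The allowlist alone would do; the realpath() check is defence in depth
// against a later edit that builds the name from input again.
function resolve_include($page) {
    $allowed = array(
        'home'    => 'home.php',
        'contact' => 'contact.php',
    );
    if (!isset($allowed[$page])) {
        return false;                         // unknown page: refuse
    }
    $base = realpath(INCLUDE_DIR);
    $file = realpath(INCLUDE_DIR . '/' . $allowed[$page]);
    // realpath() collapses "../" and resolves symlinks, so a prefix test
    // on the result is enough to confirm containment.
    if ($base === false || $file === false
        || strncmp($file, $base . '/', strlen($base) + 1) !== 0) {
        return false;
    }
    return $file;
}

$page = isset($_GET['page']) ? $_GET['page'] : 'home';
$file = resolve_include($page);
if ($file === false) {
    header('HTTP/1.0 404 Not Found');
    exit('No such page');
}
include $file;
```

The point of the hardened version is that user input never becomes part of a filesystem path; it only selects a key. If the page list has to grow, add an entry to `$allowed` rather than loosening the check.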
So what would the syntax be to use $_SERVER variables to locate an include directory above the web root?
$_SERVER["DOCUMENT_ROOT"] and $_ENV["DOCUMENT_ROOT"] both point to the public root. How do you navigate up the file system from there in a less inflexible way?
From: 100101010011 <-- right about here Insane since: Mar 2000
posted 04-15-2006 00:50
I think this is a bit confusing.
DmS means using a variable with the ../ syntax; Steve is talking about a hardcoded string, which is fine.
Most hosted environments will have basedir restrictions in effect, which means that things like DmS's hole will be blocked at a certain level.
That being said, if I'm doing something where I think someone may be able to inject something into an include path, then you can also set the basedir yourself for safety's sake.
ini_set('open_basedir', '/path/to/script');
In response to the original question, the answer is no, this isn't a security risk and is in fact the design. However, if you are hardcoding server-specific paths you may want to look at the implementation a bit, because this is generally a bad habit: the code won't port to another machine easily. So instead try to use either
1. Relative paths
2. Setting all hardcoded file paths in a single config file.
Excellent thanks! I was worried that if someone with "hacker skills" knew the file path they could do some damage. I really appreciate the feedback. Peace.
quote:Steve is talking about a hardcoded string which is fine
I was? I didn't mean to. I thought both "../../../../file.php" and "/home/myusername/path/back/to/shared/functions.php" were pretty hard-coded and server-specific. My sense of what DmS was referring to was some way of setting a more flexible server-independent path using a $_SERVER variable. I was hoping someone would spell out for me how to address a file in a directory that is "above" the web root directory based around a more flexible $_SERVER variable notation.
Maybe I'm not asking the right question because I don't know the right question to ask.
$_SERVER["DOCUMENT_ROOT"] gets me to my public html directory. If I were to wish to put an "includes" directory a level above that, how do I address a file in that directory in a flexible, portable way? So far something along the lines of "/home/myusername/path/back/..." is the best I've been able to come up with, but that doesn't use a $_SERVER variable, and if I read DmS's post right there might be a better way to do this.
I've read bunches of tutorials and such that recommend putting includes with sensitive content out of the web root, but none that explicitly describe how to address a file in that directory in a flexible way! The "../../../../file.php" approach depends on the location in the file hierarchy the script that is calling the include is located. It doesn't seem like "/home/myusername/includes/doc.php" is the best (meaning most flexible) way, because I have one site on a server that uses /home2 instead of /home!
Test it out though; I'm not sure if the php configuration can change this. I normally just check all of the $_SERVER values to see what's going on. Do this from a few directories so you can confirm it is what you want:
From this you will see which one gives you the base directory; make sure it stays the same when you place this file in subdirectories. Remember some of them will give you the relative server path to the current script, meaning it will change with each directory.
For myself I have always used simply require_once('../includes'), but it depends on what you're doing and what the context is. I normally have one for includes and one for files, then I use a php script for users to download the file (mainly so I can handle registered downloads etc).
If the file that is including this is already at the root level, then simply "../includes/content.php" works fine, but what do I use to make it find that directory and file from anywhere in the web root hierarchy?
But the period didn't fix it.
One of the sites I have access to is miltonfame.org
I placed a directory named "includes" above the public www directory, with a file "content.php"
In the public www directory I placed a test document that uses the syntax stated above. I get the following:
code:
Warning: main(/home/webpco/miltonfame.org../includes/content.php): failed to open stream:
No such file or directory in /home/.oakieoven/webpco/miltonfame.org/include_test.php
You might also need a '/' before the ../ if you actually do want to go back a directory.
Tell us the directory of your web root; I am assuming it's miltonfame.org/www or miltonfame.org/publichtml.
If this is the case, you want the includes directory at miltonfame.org/includes, which is still below the webroot. If so, do as redroy said: leave out the ../ BUT make sure you leave the '/' in before includes, otherwise you are trying to get to miltonfame.orgincludes/ instead of miltonfame.org/includes/.
The errors should be enough to tell you what's going wrong, but if not, set up a variable, put the whole thing you are including in the variable and print it out so you can see exactly what you are trying to include. Let us know what that is if you are still having problems.
Thanks. That makes sense. I can get to it with an absolute path. I guess I went off on a wild goose chase following a tidbit I picked up from DmS's post near the beginning of this thread that seemed to suggest using some path based around a $_SERVER variable would be more flexible than an absolute path.
include ( str_replace('htdocs', 'includes', $_SERVER['DOCUMENT_ROOT']) . '/file.php' );
could also work if what you need is an absolute path.
If your DOCUMENT_ROOT was "/home/account/htdocs" this would change it to "/home/account/includes" and append "/file.php" to build the path to the include file.
Don't know if this really helps to simplify anything more than a bit, but at least you won't have to have the "home/account../" path right in the code this way.
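Added example, not code posted by anyone in the thread. It ties together the "single config file" suggestion from 100101010011's post and the DOCUMENT_ROOT-based path in the reply above: a config.php in the document root derives the includes directory one level up from $_SERVER['DOCUMENT_ROOT'], so nothing in the code cares whether the account lives under /home or /home2, and scripts at any depth reach it with one fixed require_once. The directory layout and file names are assumptions.

```php
<?php
// Added example, not from the thread. config.php sits in the document root
// (it holds no secrets, only path derivation); every script pulls it in with
//   require_once $_SERVER['DOCUMENT_ROOT'] . '/config.php';
// and then uses INCLUDES_DIR instead of counting "../" segments.
// Assumed layout (illustrative paths):
//   /home2/account/public_html/   <- DOCUMENT_ROOT, holds config.php
//   /home2/account/includes/      <- db.php with the MySQL login, not web-reachable

function includes_dir_from_document_root($document_root) {
    // rtrim() matters: some servers set DOCUMENT_ROOT with a trailing slash,
    // and dirname("/x/public_html/") only strips that slash instead of
    // going up a level.
    $root = rtrim((string) $document_root, '/');
    if ($root === '') {
        // Empty on the command line and on some misconfigured hosts; fall
        // back to this file's own directory rather than ending up at "/includes".
        $root = dirname(__FILE__);
    }
    return dirname($root) . '/includes';
}

define('INCLUDES_DIR', includes_dir_from_document_root(
    isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : ''));

// Fail at startup with a generic message instead of letting the first
// include() warning print "/home2/account/..." into the browser, as in the
// error message quoted earlier in the thread.
if (!is_dir(INCLUDES_DIR)) {
    error_log('includes directory missing: ' . INCLUDES_DIR);
    exit('Site misconfigured');
}

// Confine PHP to the account directory so a traversal bug elsewhere cannot
// read outside it. open_basedir values are prefixes, so keep the trailing
// slash ("/home2/account" would also match "/home2/account2"). Tightening it
// at runtime needs PHP 5.3 or later; older versions only take the value from
// php.ini or the server configuration.
ini_set('open_basedir', dirname(INCLUDES_DIR) . '/');

// Typical use from any script under the web root, however deep:
//   require_once $_SERVER['DOCUMENT_ROOT'] . '/config.php';
//   require_once INCLUDES_DIR . '/db.php';
```

DOCUMENT_ROOT is set by the web server from its own configuration, not from the request, so building paths from it does not reopen the register_globals problem discussed at the top of the thread. If sessions or uploads use a directory outside the account (for example /tmp), append it to the open_basedir value separated by PATH_SEPARATOR, or session writes will start failing once the restriction is in place.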