Includes security

music_man

I would like to use includes with my site but I was reading an article about security which could get your .htaccess file.

index.php?pg=.htaccess

Is there any cause to worry about this?

I would like to keep my php code secure, should I put anything at the top of the page?

Thank a lot.

Roger_Ramjet

That is the best reason not to use GET and pass file names in the url. In and of itself, .htaccess is not viewable or editable by site visitors. Neither should your php files be. But .htaccess can be edited by your scripts in particular situations. If you really want to know about this stuff then read guide to .htaccess .

rehfeld

as far as the include itself goes, simply do NOT blindly include any file passed through the url


include ($_GET['page']); // gigantic security risk
include ($_GET['page'] . '.php'); // not much better, still bad
include ('pages/' . $_GET['page'] . '.php'); // still bad, they could use ?page=../../config




// good, only include files we have specifically allowed

switch ($_GET['page']) {
  case 'about':
    include 'about.php';
    break;
  case 'foo':
    include 'path/to/script.php';
    break;
  case 'bar':
    include 'path/to/bar.html';
    break;
  default:
    include 'hompage.php';
}

music_man

Thanks for your replies!

At the top of the php file I put

<? switch ($_GET['page']) {
case 'header':
include 'header.php';
break;

If I want to include the contents of header.php?