Is require "safer" than include?

Jason_Batten

Generally speaking is it better to use require than include for security? I know they are exactly the same except for how they handle when they fail. Is it better to stop the script rather than letting it continue with an error?

Or is it best to use something like this script I just thought of...

ini_set('display_errors', 0);

if(!include('includes/top.php'))
{
	echo 'Sorry the page contains errors, contact support';
	die();
}

I suppose it does depend on what exactly you are 'including' but if you do have errors displayed, isn't that sort of a security risk? 😕

I think I will use the script I just thought of writing this post though, its pretty good 😃 HAR! 🆒

mtmosier

if you do have errors displayed, isn't that sort of a security risk?

Yes. You should always turn off display_errors in production. You can leave it on for development and testing of course.

I use require for anything security related and include otherwise.

Weedpacket

In many cases, even if you include processing stops with a fatal error; if, for example, the missing file contained a function or class definition - as soon as try and use the function or class: -zot-. So you might as well use require() for those (better, require_once() for added safety), and die as soon as possible.

include() can be used for things you can live without, especially if you can recover gracefully in some way:
code=php or attempt_salvage();[/code]
That won't work with require().