Archive for November, 2007

PHP: Secure Your Included Files

Tuesday, November 13th, 2007

If you’re anything like me, you rely heavily on splitting things up. Even the simplest application gets separated into individual files for functions, database calls and the user interface. These files are usually named and placed so that they are easy for the index file to reach and inconvenient for a potential attacker to find.

If an attacker were to discover the path to one of these files, that alone would not necessarily pose a serious threat to the application’s security, provided that executing the individual file on its own gives away no useful debugging information. By default PHP prints every detail it has as soon as something goes wrong, including the full filesystem path of the failing script and the line number. To avoid helping people exploit your application, turn that off: set “error_reporting” to “0” in php.ini or through your .htaccess file (with “php_value error_reporting 0”, which works when PHP runs as an Apache module). Be aware that error_reporting 0 also keeps the errors out of your own log; if you still want to see them there, set “display_errors” to Off and “log_errors” to On instead, so the message goes to the server log and nothing reaches the browser.

Additionally, you can stop these files from executing at all when someone requests them on their own. The easy way to do this is to:

1. Define a marker (a function, or a constant) in the main file, index.php, before anything else is included.
2. At the top of every included file, check that the marker exists and stop if it does not.

The check has to test for the marker’s existence rather than simply use it: calling a function that was never defined, as in LoadedCorrectly() or die(), aborts with a fatal “Call to undefined function” error before die() is ever reached, and that error message (path and line number included) is exactly what you were trying to hide.

index.php

<?php function LoadedCorrectly() { return true; } // define the marker before any include
require 'database.php'; ?>

database.php

<?php // calling an undefined function is a fatal error, not a false result, so test for it instead
function_exists('LoadedCorrectly') or die(); ?>
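A fuller version of the same idea, added here as an example and not code from the original post, with two files shown in one block. It uses a constant as the marker (tested with defined(), which quietly returns false on a direct request instead of raising a fatal error), answers a direct request with an empty 403 rather than a bare die(), and keeps the helper file outside the document root so the web server has no URL for it in the first place. The names APP_ENTRY, includes/database.php and db_greeting() are illustrative.

```php
<?php
// ===== index.php : the only script that should be requested directly =====
// Added example, not the original post's code. APP_ENTRY, includes/ and
// db_greeting() are made-up names.

// Keep error text out of the browser but in the server log. Doing this in
// php.ini is preferable, because ini_set() cannot affect errors raised before
// this line runs (a parse error in this file, for instance).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// The marker. A constant rather than a function: the guard in each helper
// tests it with defined(), which returns false on a direct request instead of
// aborting with "Call to undefined function" and printing the file's path.
define('APP_ENTRY', true);

// Resolve the include relative to this file, not the web server's working
// directory, and keep helpers one level above the document root (here
// /var/www/includes next to /var/www/html, as an assumed layout) so no URL
// maps to them. The guard inside the helper is the fallback for hosts where
// everything must live under the document root.
require dirname(__FILE__) . '/../includes/database.php';

echo db_greeting(), "\n";
?>
<?php
// ===== includes/database.php : a helper, never meant to be requested directly =====

// Guard: if index.php did not run first, APP_ENTRY is undefined. Answer with an
// empty 403 and stop before any function is declared or any query attempted,
// so the caller sees no path, no SQL and no stack trace.
if (!defined('APP_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Everything below only runs when pulled in through index.php.
function db_greeting() {
    return 'database helpers loaded through index.php';
}
```

To check the setup, request index.php and expect the greeting; then request the helper directly (if it is reachable under the document root at all) and expect a blank page with a 403 status and nothing in the body. If a direct request instead shows an error message, the guard is not the first statement in the file or the marker is being called rather than tested.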

