Re: [PHP] PHP include security

2010-04-19 Thread Michiel Sikma
On 18 April 2010 21:43, Micky Hulse mickyhulse.li...@gmail.com wrote:

 On Sun, Apr 18, 2010 at 10:23 AM, Michiel Sikma mich...@thingmajig.org
 wrote:
  I would prefer to use include() since it runs the code in the same
 context,
  ...snip...
  with your data rather than printing it right away.

 Thanks for the reply Michiel, I really appreciate it. :)

 For some benchmarks on the different types of inclusion
 functions/language constructs, this page has some good info:

 http://www.raditha.com/wiki/Readfile_vs_include

 The results are interesting.


One thing to keep in mind is that this one doesn't take eval() vs regular
include execution time into account, in case you were still considering
using it. According to this page, it's many times slower:
http://blog.joshuaeichorn.com/archives/2005/08/01/using-eval-in-php/

Michiel


Re: [PHP] PHP include security

2010-04-19 Thread Micky Hulse
Hi Michiel!

 One thing to keep in mind is that this one doesn't take eval() vs regular
 include execution time into account, in case you were still considering
 using it. According to this page, it's many times

I was still considering it... I mean, I am still exploring all my
options for the sake of the learning/coding experience.

 slower: http://blog.joshuaeichorn.com/archives/2005/08/01/using-eval-in-php/

Oh! Nice!

[[

The speed of eval
Besides security concerns eval also has the problem of being
incredibly slow. In my testing on PHP 4.3.10 it's 10 times slower than
normal code and 28 times slower on PHP 5.1 beta1. This means if you
have to use eval, you should avoid using it inline in any performance
sensitive code. An easy way to cancel the performance penalty is to
create a function in eval and just call that; now an extra function
call does have some performance overhead, but it's pretty small and
depending on the design can be non-existent since you would be calling
some function anyway.

]]

Interesting. Great read. Thanks for linkage.

[ot] The article also mentions variable functions... I have never used
those before. They look very useful, esp. for a function callback.
Learn something new every day! :) [/ot]

Thanks again for your help Michiel! I really appreciate it. :)

Have a great day!

Cheers,
Micky

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
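The quoted passage contrasts three ways of running the same code: eval() executed inline on every call, a function defined once through a single eval() and then called normally, and an ordinary compiled function. The following micro-benchmark is an added example, not code from this thread or from the linked article; the workload, iteration count and function names are constructed, and absolute timings will vary from host to host.

```php
<?php
// Added example, not code from the thread or the quoted article: time
// (a) eval() executed inline in a loop, (b) a function defined once via
// eval() and then called normally, and (c) an ordinary compiled function.
// Workload, iteration count and names are constructed for illustration.
declare(strict_types=1);

const ITERATIONS = 200000;
const BODY = 'return ($a * 31 + $b) % 1009;';

// (c) Ordinary compiled function, the baseline.
function compiled(int $a, int $b): int
{
    return ($a * 31 + $b) % 1009;
}

// (b) Same body, compiled once by a single eval(); later calls are normal calls.
eval('function evaled_fn(int $a, int $b): int { ' . BODY . ' }');

// Run $fn ITERATIONS times, print the timing, and return elapsed milliseconds.
// The checksum is identical for all three variants, which confirms they
// computed the same thing.
function bench(string $label, callable $fn): float
{
    $acc = 0;
    $start = hrtime(true);
    for ($i = 0; $i < ITERATIONS; $i++) {
        $acc += $fn($i, $i + 7);
    }
    $ms = (hrtime(true) - $start) / 1e6;
    printf("%-28s %8.1f ms  (checksum %d)\n", $label, $ms, $acc);
    return $ms;
}

// (a) eval() inline: the string is parsed and compiled again on every iteration.
// eval() runs in the calling scope, so $a and $b of the arrow function are visible.
$inline  = bench('eval() inline', fn(int $a, int $b): int => eval(BODY));
$defined = bench('function defined via eval()', 'evaled_fn');
$native  = bench('compiled function', 'compiled');

printf("inline eval / eval-defined function: %.1fx\n", $inline / max($defined, 0.001));
printf("eval-defined / compiled function:    %.2fx\n", $defined / max($native, 0.001));
```

Run it with `php bench.php` (any file name). The ratio between the first two lines is the point of the article's advice: once the function exists, the per-call cost is an ordinary function call, and only the one-time eval() pays for parsing and compiling.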



Re: [PHP] PHP include security

2010-04-18 Thread Michiel Sikma
On 18 April 2010 02:08, Micky Hulse mickyhulse.li...@gmail.com wrote:

 Hi Michiel! Thanks for the help, I really appreciate it. :)

  It depends. What exactly do you want to prevent? It doesn't seem like a
  ...snip...
  include, say, additional HTML content, use file_get_contents() instead.

 Very good points. My goal was to write a plugin that would allow me to
 include some static HTML template file and get the <?php include...?>
 tags out of my CMS template. With that said, I think the only people
 using this code will be the developers of the templates, and not your
 standard user.

 I opted to use output buffering and readfile() for the speed, and
 include() would be an option if developers want to execute the code in
 the included file.

 Would file_get_contents() be faster than readfile and output
 buffering? Would using file_get_contents() and eval() be faster than
 using include() and output buffering?


I would prefer to use include() since it runs the code in the same context,
and using both file_get_contents() and eval() is a bit of a detour. eval()
also tends to be a lot slower than included code (though I'm not exactly
sure how slow).

I'm also not entirely sure whether file_get_contents() is slower than
readfile(), but file_get_contents() is useful if you want to do something
with your data rather than printing it right away.

Michiel


Re: [PHP] PHP include security

2010-04-18 Thread Micky Hulse
On Sun, Apr 18, 2010 at 10:23 AM, Michiel Sikma mich...@thingmajig.org wrote:
 I would prefer to use include() since it runs the code in the same context,
 ...snip...
 with your data rather than printing it right away.

Thanks for the reply Michiel, I really appreciate it. :)

For some benchmarks on the different types of inclusion
functions/language constructs, this page has some good info:

http://www.raditha.com/wiki/Readfile_vs_include

The results are interesting.

Thanks again! Have an excellent day.

Cheers,
Micky




Re: [PHP] PHP include security

2010-04-17 Thread Michiel Sikma
On 16 April 2010 06:57, Micky Hulse mickyhulse.li...@gmail.com wrote:

 Hi,

 -snip-

 The above code snippet is used in a class which would allow developers
 (of a specific CMS) to include files without having to put php include
 tags on the template view.

 The include path will be using the server root path, and the include
 files will probably be stored above the web root.

 My question:

 What would be the best way to clean and secure the include string?

 Maybe something along these lines (untested):

  $invalidChars=array(".","\\","\"",";"); // things to remove.
  $include_file = strtok($include_file,'?'); // No need for query string.
  $include_file=str_replace($invalidChars,"",$include_file);

 What about checking to make sure the include path is root relative,
 vs. http://...?

 What do ya'll think? Any suggestions?

 Many thanks in advance!

 Cheers,
 Micky



Hi,

It depends. What exactly do you want to prevent? It doesn't seem like a
very big problem if someone tries to include an improper address or
nonexistent file, since that would simply make $data an empty string
(depending on your level of error reporting and whether you display or hide
warnings). If the included file decides to call ob_get_clean() or something
like that, $data will be false. I can't think of what else you realistically
want to prevent.

Building a page with multiple templates is best done by using a good
template class. Allowing the inclusion of external PHP files from a CMS will
pose a risk if non-developers have access to the CMS as well. You're
basically allowing anyone to add (potentially untested) code to a live site
and I would recommend against doing it. If you want people to be able to
include, say, additional HTML content, use file_get_contents() instead.

Michiel


Re: [PHP] PHP include security

2010-04-17 Thread Micky Hulse
Hi Michiel! Thanks for the help, I really appreciate it. :)

 It depends. What exactly do you want to prevent? It doesn't seem like a
 ...snip...
 include, say, additional HTML content, use file_get_contents() instead.

Very good points. My goal was to write a plugin that would allow me to
include some static HTML template file and get the <?php include...?>
tags out of my CMS template. With that said, I think the only people
using this code will be the developers of the templates, and not your
standard user.

I opted to use output buffering and readfile() for the speed, and
include() would be an option if developers want to execute the code in
the included file.

Would file_get_contents() be faster than readfile and output
buffering? Would using file_get_contents() and eval() be faster than
using include() and output buffering?

Without boring you all to death, I am mostly interested in learning
new stuff! I actually don't think anyone will use this code other than
myself. :D

But I definitely agree with all your points.

Thanks so much for your help!

Have a great day!
Cheers,
Micky




[PHP] Re: PHP include security

2010-04-17 Thread Micky Hulse
 What do ya'll think? Any suggestions?

Sorry for the duplicate posting... I had some problems signing up for
the list. :(

Also, I moved my test code to Snipplr:

http://snipplr.com/view/32192/php-security-include-path-cleansing/

TIA!

Cheers
M




[PHP] Include security?

2010-04-16 Thread Micky Hulse
Hi,

Code:

=

ob_start();
switch ($this->command)
{
    case 'include':
        @include($x);
        break;
    default:
        @readfile($x);
}
$data = ob_get_contents();
ob_end_clean();

=

The above code snippet is used in a class which would allow developers
(of a specific CMS) to include files without having to put php include
tags on the template view.

The include path will be using the server root path, and the include
files will probably be stored above the web root.

My question:

What would be the best way to clean and secure the include string?

Maybe something along these lines (untested):

$invalidChars=array(".","\\","\"",";"); // things to remove.
$include_file = strtok($include_file,'?'); // No need for query string.
$include_file=str_replace($invalidChars,"",$include_file);

What about checking to make sure the include path is root relative,
vs. http://...?

What do ya'll think? Any suggestions?

Many thanks in advance!

Cheers,
Micky




Re: [PHP] Include security?

2010-04-16 Thread Ryan Sun
if allow_url_include is turned off, you don't have to worry much about http,
if '.' is an invalid char, you can't include *.php...
the include path probably should be the inc (whatever the name)
folder (not accessible from web) instead of the web root and '..'
should be disallowed

On Fri, Apr 16, 2010 at 4:09 PM, Micky Hulse mickyhulse.li...@gmail.com wrote:
 Hi,

 Code:

 =

 ob_start();
 switch ($this->command)
 {
     case 'include':
         @include($x);
         break;
     default:
         @readfile($x);
 }
 $data = ob_get_contents();
 ob_end_clean();

 =

 The above code snippet is used in a class which would allow developers
 (of a specific CMS) to include files without having to put php include
 tags on the template view.

 The include path will be using the server root path, and the include
 files will probably be stored above the web root.

 My question:

 What would be the best way to clean and secure the include string?

 Maybe something along these lines (untested):

 $invalidChars=array(".","\\","\"",";"); // things to remove.
 $include_file = strtok($include_file,'?'); // No need for query string.
 $include_file=str_replace($invalidChars,"",$include_file);

 What about checking to make sure the include path is root relative,
 vs. http://...?

 What do ya'll think? Any suggestions?

 Many thanks in advance!

 Cheers,
 Micky




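Ryan's reply above (templates in a directory that is not reachable from the web, '..' disallowed, URL includes off) and Michiel's earlier suggestion in this thread (static HTML through file_get_contents() rather than include()) can be combined in one small loader. The code below is an added example, not code from the thread or from Micky's snippet; the TemplateLoader class, the directory layout and the template contents are assumptions, and the demo builds its own temporary directory so it runs offline.

```php
<?php
// Added example, not code from the thread: a template loader that applies the
// advice above. Templates live in one directory outside the web root, the
// user-chosen name is checked against a strict whitelist (so '..', '\', NUL
// bytes and http:// style prefixes never reach include()), and only *.php
// templates are executed; anything else is read as static text.
// The class name, directory layout and file contents are assumptions.
declare(strict_types=1);

final class TemplateLoader
{
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("Template directory not found: $baseDir");
        }
        $this->baseDir = $real;
    }

    /** Map an untrusted name to an absolute path under $baseDir, or null. */
    public function resolve(string $name): ?string
    {
        // Drop a query string as the original snippet did, then require
        // letters, digits, '_' and '-' per path segment plus a fixed extension.
        $name = strtok($name, '?');
        if ($name === false
            || !preg_match('#\A[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\.(?:php|html)\z#', $name)) {
            return null;
        }
        // realpath() resolves symlinks too, so a link that escapes the
        // template directory fails the prefix comparison below.
        $path = realpath($this->baseDir . DIRECTORY_SEPARATOR . $name);
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $path;
    }

    /** Render a template: execute *.php, copy anything else through verbatim. */
    public function render(string $name): string
    {
        $path = $this->resolve($name);
        if ($path === null) {
            throw new RuntimeException("Template rejected: $name");
        }
        if (substr($path, -4) !== '.php') {
            return (string) file_get_contents($path);
        }
        $level = ob_get_level();
        ob_start();
        try {
            include $path;
            // ob_get_contents() is false if the template closed the buffer
            // itself (Michiel's ob_get_clean() case); treat that as empty output.
            return (string) ob_get_contents();
        } finally {
            // Close only the buffers this call opened, however many remain.
            while (ob_get_level() > $level) {
                ob_end_clean();
            }
        }
    }
}

// Demo with a constructed template directory under the system temp dir.
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir . '/parts', 0700, true);
file_put_contents($dir . '/header.html', "<h1>Static header</h1>\n");
file_put_contents($dir . '/parts/nav.php', "<nav><?php echo 'rendered ', gmdate('c'); ?></nav>\n");

$loader = new TemplateLoader($dir);
$candidates = [
    'header.html', 'parts/nav.php', 'parts/nav.php?x=1',
    '../config.php', 'http://example.invalid/x.php', "nav\0.php",
];
foreach ($candidates as $candidate) {
    printf("%-32s => %s\n", addcslashes($candidate, "\0"), $loader->resolve($candidate) ?? 'REJECTED');
}
echo $loader->render('header.html');
echo $loader->render('parts/nav.php');
```

The whitelist regex, rather than a blacklist of characters to strip, is the design choice worth noting: stripping '.' (as in the untested snippet) breaks every `*.php` name, while a positive pattern keeps the extension and still rejects traversal, separators, scheme prefixes and NUL bytes. The realpath() prefix check is the second layer, in case the pattern is later loosened or a symlink is dropped into the template directory.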



Re: [PHP] Include security?

2010-04-16 Thread Micky Hulse
 if allow_url_include is turned off, you don't have to worry much about http,
 if '.' is an invalid char, you can't include *.php...
 the include path probably should be the inc(whatever the name)
 folder(not accessible from web) instead of the web root and '..'
 should be disallowed

Hi Ryan! Many thanks for your help, I really appreciate it. :)

How does this look:

http://sandbox.hulse.me/secure_inc_str.txt

How could my code be improved?

Thanks again for the help, I really appreciate it. :)

Cheers,
Micky




[PHP] PHP include security

2010-04-16 Thread Micky Hulse
Hi,

Code:

=

ob_start();
switch ($this->command)
{
    case 'include':
        @include($x);
        break;
    default:
        @readfile($x);
}
$data = ob_get_contents();
ob_end_clean();

=

The above code snippet is used in a class which would allow developers
(of a specific CMS) to include files without having to put php include
tags on the template view.

The include path will be using the server root path, and the include
files will probably be stored above the web root.

My question:

What would be the best way to clean and secure the include string?

Maybe something along these lines (untested):

$invalidChars=array(".","\\","\"",";"); // things to remove.
$include_file = strtok($include_file,'?'); // No need for query string.
$include_file=str_replace($invalidChars,"",$include_file);

What about checking to make sure the include path is root relative,
vs. http://...?

What do ya'll think? Any suggestions?

Many thanks in advance!

Cheers,
Micky
