The Absent Minded

Security is a big topic with web developers, who are likely to get a bad reputation as a lazy programmer if clients complain their websites have been hacked by some shape or form. With the release of PHP 5, developers are urged to make the switch to a more secure platform over PHP 4. One example of the better security is with including files into an application.

Templates are usually the benefactors of including a remote file, as it makes it incredibly easy to read the resulting code and cuts down on bulk. PHP4 allowed developers limitless use of the include function in which to accomplish this, but PHP 5 is less lenient due to what is called an XSS attack, or cross-site scripting attacks. As a result, developers now have to learn new methods in including remote files.

What is really scary about an XSS attack is that it can enslave a server into doing the evil bidding of hackers all around the world, and without the administrator knowing a single thing. XSS attacks have been known to be the backbone of direct denial of service attacks, and some even act as proxies for sending out spam mail. In both instances, an administrator may be in trouble for something they didn’t do.

XSS attacks function mostly because “allow_url_fopen” is set to on, which is the default setting in PHP 4. In PHP 5, however, the default setting is to turn it off. As a result, webmasters will not be able to include absolute paths without a little handy work. Instead, developers are urged to make use of relative file paths when including files.

There is still a way to use the include function like an absolute file path- with a server variable that finds the root path to the website on the server. By finding this, webmasters will be able to use absolute file paths that reside on their own server. The variable in question is referenced to as “$_Server['document_root'],” but keep in mind not all hosts allow for this variable to operate. If not, other workarounds may be necessary, such as using the “file_get_contents” function that is much like the include function.

It is recommended that the “allow_url_fopen” command be kept off, even though it could be easily changed in the server configuration if access to the server is granted. If for some reason there is no possible way to keep this configuration setting off, there should be more focus on sanitizing any input a user on a website might have into a database or variable. After all, web servers got along fairly fine with the setting defaulted to on in PHP 4.

Closing Comments

PHP 4 is slowly fading into the background as new standards are accepted and put into use. PHP 5 is going to continue in popularity, and the good news is XSS attacks will downsize considerably along the way as a result.

Learn more about include url file access is disabled in the server configuration and php include errors.

This entry was posted on Thursday, January 29th, 2009 at 1:44 am and is filed under General, Technology. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.