Author Topic: include vs readfile / file_get_contents - security concern  (Read 10457 times)
zubrag
« on: March 14, 2007, 11:46:01 AM »

Let's say we have a PHP script named get-image.php:

<?php
// Deliberately unsafe example from the post: the filename comes straight from the request
$file = $_GET['image-filename'];

// here would be some code to make sure file is really image, ...

// here we would output image to the browser
header("Content-Type: image/jpeg");
include($file);   // include() parses the file as PHP before sending it
die();


The include statement will try to parse $file as PHP. Even if $file is a legal image, it may have some comments inside.

What if the comment is <?php rm(__FILE__); ?>

It would delete get-image.php from your server.

Conclusion:
- use the include and require statements for including PHP scripts only
- use readfile, file_get_contents, etc. for including images, texts, and other non-PHP stuff
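The following is an added example of the safe pattern the conclusion describes; it is not the original poster's code. It assumes images live in a fixed directory (IMAGE_DIR) and keeps the request parameter name from the post.

```php
<?php
// Added example (not from the original post): a hardened get-image.php.
// Assumptions: images are stored under IMAGE_DIR and only the types in
// ALLOWED are served; the request parameter is "image-filename" as in the post.
const IMAGE_DIR = __DIR__ . '/images';                      // assumed location
const ALLOWED   = ['image/jpeg', 'image/png', 'image/gif']; // assumed whitelist

function resolve_image(string $requested): ?string
{
    // Drop any directory component so "../" or absolute paths cannot escape.
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    // Resolve symlinks and confirm the final path is still inside IMAGE_DIR.
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function image_mime(string $path): ?string
{
    // Inspect the bytes, not the extension. A PHP tag hidden in a JPEG comment
    // still reports image/jpeg here, which is harmless because the file is
    // copied to the client, never parsed.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return ($mime !== false && in_array($mime, ALLOWED, true)) ? $mime : null;
}

$path = resolve_image($_GET['image-filename'] ?? '');
$mime = ($path !== null) ? image_mime($path) : null;
if ($mime === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
// readfile() streams raw bytes; unlike include(), embedded <?php ... ?> sequences
// are never executed.
readfile($path);
exit;
```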

Powered by SMF 1.1.11 | SMF © 2006-2009, Simple Machines LLC