Includes
Never include a file based on user input, for example $file = $_GET['file']; include($file); A user could easily use that to include sensitive files (such as your password files or directories). This could also be used to include a file from another server; at best this would cause your script to return an error, at worst delete a database (or access sensitive info from it).
$file = $_GET['file'];
switch ($file) {
    case '':
        include("pages/index.php");
        break;
    default:
        include("pages/index.php");
}
is secure because it only loads the pages listed above, so if a user tried ?file=http://101.101.101.10/defaced.php they would only see your index page. Another solution could be to add your pages (the pages you consider safe to load) to an array, and check the input to see if it is in the array.
$file = $_GET['file'];
$files = array('index.php', 'cast.php', 'google.php');
if (in_array($file, $files, true)) {   // strict comparison: the value must match exactly
    include($file);
} else {
    die("Unlucky!");
}
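A fuller version of the allowlist approach, added here as an example (it is not code from the tutorial); the page names and paths in $allowed_pages are assumed for illustration:

```php
<?php
// The request only ever supplies a short key (?page=cast); the file name
// that reaches include() always comes from this array, never from the URL.
$allowed_pages = array(
    'index'  => 'pages/index.php',   // assumed paths for illustration
    'cast'   => 'pages/cast.php',
    'google' => 'pages/google.php',
);

function resolve_page(array $allowed, $requested)
{
    // ?page[]=x would hand us an array instead of a string; refuse it.
    if (!is_string($requested)) {
        return $allowed['index'];
    }
    // Exact key lookup, no type juggling and no partial matches.
    if (array_key_exists($requested, $allowed)) {
        return $allowed[$requested];
    }
    // Unknown key: fall back to the index page, like the switch() default.
    return $allowed['index'];
}

$page = isset($_GET['page']) ? $_GET['page'] : 'index';
$file = resolve_page($allowed_pages, $page);

// $file can only be one of the three values written in $allowed_pages,
// so a remote URL, "../" sequence or anything else in the request is
// simply ignored and the visitor gets the index page.
include $file;
```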
File Extensions
You may have seen a lot of scripts using .inc, .mdu or any other extension they invent for include files. CuteNews, for example, includes files like install.mdu. The problem is that if somebody points their browser at http://mydomain.com/include/install.mdu, the file contents will be displayed as plain text because the web server does not run that extension through PHP. So if you do not want a file's contents to be viewable (maybe it contains your database info or other sensitive information), use the .php extension! (install.mdu.php would work also.)
Register Globals
As of PHP 4.2 Register Globals is turned off by default, and for good reason. Using it makes scripts very insecure, and this small paragraph will tell you why. Let's say I created a login script, and to check whether the username and password are correct I used if ($username == 'Chandler' and $password == 'Badabing') { $authorized = true; } That seems right, so what's the problem? The problem is that a register global is automatically created for information sent via a form (POST), the URL (GET), a cookie or the session.
We want to check the form, but PHP will accept all four sources, so I could easily add ?authorized=1 to the location of the login script and be viewing the Colonel's secret recipe instantly. :angry: So now the secret tactic you have been planning to unveil is being posted all over the net.
PHP has some newer functions and superglobals for getting this information ($_GET, $_POST, $_COOKIE and $_SESSION), which will be discussed in other tutorials. You should now have an understanding of making PHP scripts more secure: any user input should be validated before you carry out your given process. But that's not the end of it (it is for this tutorial, though).