
How To Correctly Include A Remote File Securely With PHP 5
Security is a big topic for web developers, who quickly earn a reputation as lazy programmers if clients complain that their websites have been hacked in some shape or form. With the release of PHP 5, developers are urged to switch to a more secure platform than PHP 4. One example of the improved security concerns how files are included into an application.

Templates are the usual beneficiaries of including a remote file: it makes the resulting code much easier to read and cuts down on bulk. PHP 4 allowed developers limitless use of the include function to accomplish this, but PHP 5 is less lenient because of what the article calls an XSS attack, or cross-site scripting attack. As a result, developers now have to learn new ways of including remote files.

One popular way servers are exploited through such attacks is by using them as a proxy server for illegal activity. If the hacker is careful, he or she won't be caught and will be able to send out spam mail, or even conduct attacks against other websites and servers. Because the attack appears to come from the webmaster's server, the hacker is unlikely to be caught, and the webmaster may face personal liability.

PHP 5 addresses the problem by setting the configuration directive "allow_url_fopen" to "off" in the configuration file. Webmasters can still use the include function, but they can no longer use absolute paths. One way around this is simply to use relative paths instead, which are easier to type out and a cinch to put into action.

Another way of using the include function in PHP 5 is to call the server's own base directory when including files, so the same syntax can be kept. The server variable for this base directory, "$_SERVER['DOCUMENT_ROOT']", takes the place of the webmaster's domain name when including a file. Using this server variable, in effect, lets webmasters keep using absolute paths in their include functions.
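The following is an added example, not code from the original article, showing the DOCUMENT_ROOT approach in a form that also refuses traversal, symlink escapes and remote URLs on its own, so a template include stays local even if allow_url_fopen is later turned back on. The template directory name "templates", the template names "header" and "footer" and the function names are hypothetical. The helper is written in PHP 5-compatible syntax; the "allow_url_include" directive mentioned in the comments is a separate PHP directive (present since PHP 5.2) that governs include/require specifically and is not discussed in the article.

```php
<?php
// Added example (not from the original article): include a template by
// name under $_SERVER['DOCUMENT_ROOT'] instead of by URL, and verify the
// interpreter's remote-include settings at startup.

/**
 * Include a template from the templates directory under the document root.
 * Only plain names are accepted, and the resolved path must stay inside
 * the templates directory, so "../", "http://" and "php://" are all refused
 * before any filesystem call or include happens.
 *
 * @param string      $name Template name such as "header" (hypothetical).
 * @param string|null $base Templates directory; defaults to
 *                          $_SERVER['DOCUMENT_ROOT'] . '/templates'.
 */
function include_template($name, $base = null)
{
    if ($base === null) {
        $base = $_SERVER['DOCUMENT_ROOT'] . '/templates';
    }

    // Letters, digits, underscore and hyphen only: no separators, no scheme,
    // no null bytes, no extension (we append .php ourselves).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('Invalid template name');
    }

    $baseReal = realpath($base);
    $fileReal = realpath($base . '/' . $name . '.php');

    // realpath() returns false for a missing file. The prefix check catches a
    // symlink inside the templates directory that points somewhere else.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if ($baseReal === false
        || $fileReal === false
        || strncmp($fileReal, $prefix, strlen($prefix)) !== 0
        || !is_file($fileReal)) {
        throw new RuntimeException('Template not found: ' . $name);
    }

    include $fileReal;
}

/**
 * Report the interpreter's remote-include settings as booleans
 * (true means remote access is enabled). Useful as a startup check so a
 * deployment with the wrong php.ini is noticed before it is exploited.
 *
 * @return array directive => bool
 */
function remote_include_settings()
{
    return array(
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    );
}

// Usage in a page: the old remote include of a header by URL becomes a name
// looked up under the document root.
$settings = remote_include_settings();
if ($settings['allow_url_include']) {
    // Fail loudly rather than serve pages from a server that can include URLs.
    throw new RuntimeException('allow_url_include must be Off');
}
include_template('header');
// ... page body ...
include_template('footer');

// Matching php.ini lines for the secure configuration the article recommends:
// allow_url_fopen = Off
// allow_url_include = Off
```

Because the name is validated before it is joined to the base directory and the resolved path is re-checked with realpath(), a request-controlled template name cannot reach outside the templates directory, which is the property the article's DOCUMENT_ROOT workaround relies on but does not enforce by itself.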
This saves webmasters from rewriting every include function to use relative paths. For webmasters who don't like change, the urge to turn the setting back on is probably undeniable. But webmasters are urged to keep this setting off to avoid the most common of these attacks, as encouraged by the PHP community, which considered the problem serious enough to change the default behavior. Instead, learn the new syntax or the workaround and keep your server secure, your users happy, and your troubles minimal.

In Conclusion

PHP 4 is slowly fading into the background as new standards are accepted and put into use. PHP 5 will continue to grow in popularity, and the good news is that these attacks will decline considerably along the way as a result.