This question already has answers here:
PHP include() with GET attributes (include file.php?q=1)
(7 answers)
Closed 8 years ago.
What are the security implications of passing a get variable through an include?
Example:
index.php:
$lastname = $pulleddatabasevalue;
include "../includes/header?lastname=$lastname";
header.php:
echo $_GET["lastname"];
As the variable is dynamic, I have struggled to make include() or sessions work to assign the variable $lastname with the database value within the php include. However, $_GET here has worked fine. It doesn't show up on the browser address bar, thus can't be manipulated in a hostile manner there. Is there another way someone with malicious intent could work this code? Assume that the include directory is locked and I'm only referring to index.php.
Sorry, no way to pass get parameters to included file... See:
PHP include() with GET attributes (include file.php?q=1).
Include is strictly, let's call it, a "physical function". To make a GET request, you must make a request. Include just reads the file from the server.
BTW, I'm curious how it is possible that you made it work. I think there is some misunderstanding in your code.
You should think about include, as a COPY PASTE function.
In that case:
$var = true;
include ('include.php');
include.php:
var_dump($var);
should echo bool(true).
Hope it helps.
When talking about security issues, as far as I'm concerned, include in the way I describe, should not create any new security holes. But you should check all the permissions of included files, to be 100% sure.
The security implications of outputting user-supplied input are the same no matter how it is done: ESCAPING AND VALIDATION IS ESSENTIAL! Otherwise you are implementing big security holes.
Apart from that, there isn't any difference whether you directly access $_GET, or first stuff that value into another variable and access that inside your include.
The only difference is of general software maintenance: The former usually is considered bad because it is access to a global variable, while the latter might be part of a function call and might encapsulate the variable name better.
Your code, however, is wrong. You cannot pass query parameters as part of the filename. It works because $_GET is available as an array everywhere without any further code (read "superglobal variable" in the PHP documentation).
Keep it simple and don't confuse...
index.php
$lastname = $pulleddatabasevalue;
include "../includes/header.php";
header.php
echo $lastname;
External refs. and recommended read:
http://www.php.net/manual/en/function.include.php
http://www.php.net/manual/en/reserved.variables.get.php
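The points made in the answers above, as an added example that is not part of the original posts: an included file sees the including script's variables, a query string in the include path is treated as part of the file name, and the value is escaped where it is output. The temporary directory, the file contents and the sample value are constructed for the demo; PHP 7 or later is assumed.

```php
<?php
// Constructed demo: write a throwaway header.php into a private temp directory.
$dir = sys_get_temp_dir() . '/include_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents(
    $dir . '/header.php',
    '<?php echo "<h1>", htmlspecialchars($lastname, ENT_QUOTES, "UTF-8"), "</h1>\n";'
);

// Constructed value standing in for the database column. Data read from a
// database is still untrusted when it is written into HTML.
$lastname = '<script>alert(1)</script>';

// 1) include runs header.php in the current scope, so $lastname is visible
//    there without any query string. The header escapes it on output.
ob_start();
include $dir . '/header.php';
$html = ob_get_clean();
echo $html;

// 2) For a local path, "?lastname=..." is simply part of the file name.
//    No file with that name exists, so include fails and returns false
//    (the warning is suppressed here only to keep the demo output short).
$included = @include $dir . '/header.php?lastname=' . rawurlencode($lastname);
var_dump($included);

// 3) The markup characters of the sample value must not survive escaping.
var_dump(strpos($html, '<script>') === false);

// Remove the demo files.
unlink($dir . '/header.php');
rmdir($dir);
```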
Related
This question already has answers here:
URL rewriting with PHP
(5 answers)
Closed 7 years ago.
Perhaps I'm using the wrong search terms to try to find this online, but I am trying to accomplish the task of passing a variable in a URL path, with using an identifier.
For example, here is my current URL: http://www.myurl.com/test/index.php?name=bob
On my index.php page, I would set something along the lines of $name = $_GET['name']; and have no issue using this variable.
My goal, however, would be to use the URL: http://www.myurl/test/bob/ and still be able to receive "bob" as the name variable in my script.
Is this possible, hypothetically? Thank you!
Put a mod_rewrite statement in your .htaccess like
RewriteRule ^test\/([a-z]+)\/?$ index.php?name=$1
One of the easiest ways to do this (and also a bit more secure) is instead of using a GET statement, using a session variable. You could change the url to be whatever you like using mod_rewrite as you have suggested, however you can still access the variable without anything special.
For instance, you just start your session like so
session_start();
then set your session variable, like so (assuming you have already defined $name):
$_SESSION['name'] = $name;
and then on the page where you'd want to get name, put session_start(); at the top of the page, and then, instead of $_GET['name'] just call the variable as $_SESSION['name'] instead.
This way you don't really need to worry about using the URL for passing the variable from one page to another. It won't be affected by rewriting.
Of course, your other option, if you wish to continue using it as a GET variable is this: https://stackoverflow.com/a/8228851/3044080
I would like to prevent php scripts from being able to modify the contents of the $_SERVER global.
Specifically I don't want to allow
unset($_SERVER['foo']);
but it would be nice to forbid any modification, e.g. a module or php.ini declaration.
Is there one?
If you're in control of the root level script you could just copy it:
$_my_server = $_SERVER;
I think it would be helpful to know your reason for this; the $_SERVER variable shouldn't be modified by included scripts, because there's rarely a reason for someone to need to modify it. It's generated at run-time so any changes aren't persisted to subsequent runs of the script.
Also your extra point about php.ini declarations is a bit more confusing - the point of many components of $_SERVER is to inform scripts about those declarations, so having it send fake data would seem a very odd use case and maybe not possible.
Not as far as I'm aware.
If you are relying on the contents of $_SERVER throughout your code, and don't want other code (plugin?) to modify it, your best option is to make a copy during the bootstrap stage of your application, then use that copy throughout your code:
$serverDetails = $_SERVER;
$foo = $serverDetails['foo'];
Is it possible for a client to modify PHP superglobal variables, especially $_SERVER, somehow - maybe not in a common way?
In other words, is this code secure:
if (($this->error->getCode()) == '404') {
    ob_clean();
    echo @file_get_contents("http://".$_SERVER['SERVER_NAME'].'/404.html');
}
This code is fine - SERVER_NAME can't be modified. The ones to be careful with are $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'], as a user could add some js to the address bar - if these are written out to the screen they should be carefully escaped.
Your code is fine though.
Yes, that's fine.
No user can change any variable of your code unless you leave it open to them using some sort of POST/GET/COOKIE etc
On a side note, if the file is on your server, why are you using file_get_contents()?
In this case, since the $_SERVER variable only contains data related to the web server that the script is being executed on, I don't see any potential security issues unless the web server itself has been compromised. In that case, you've got a lot bigger problem on your hands. The main exception to this rule is if you use PHP_SELF or REQUEST_URI since those values can be altered via user input in the URL bar.
I've been doing PHP for a while now, never needed assistance, but totally confused this time. I have a single line of code with one echo statement.
Problem: URL parameters are automatically assuming PHP variable values of the same name. For example, I have a URL with a parameter named var_name like this:
http://www.example.com?var_name=abc123
and a 1-line PHP script with a variable named var_name, like this:
echo $var_name;
then I get output on the page of: abc123
This is the only code in the PHP page! This behavior is exactly how I expect $_GET to work, but I'm not using it.
I am having this problem only on 1 specific server, which is running PHP 5.2. I have tested on 4 other servers, none have this behavior. I assume it's a PHP config issue, but running default config and can't find anything in config documentation.
This is called register globals. If a server has register globals turned on, then you can do this.
I would recommend not having register globals on any server, since it can introduce a security flaw in your system.
An example of a security flaw with this.
if($auth == true)
{
// sensitive stuff here
}
If auth is just a regular variable, then I can do this in the URL.
http://www.example.com/page.php?auth=true
And see the sensitive information.
You probably have register_globals enabled:
See the manual for info.
I am not a PHP developer but I'm assessing the security of a PHP5 application.
The author relied on extract($_POST) and extract($_GET) in some places, outside of functions.
My suggestion is to call extract($_POST, EXTR_PREFIX_ALL, 'form') and change the code accordingly, but his stance is that any variable is being redefined inside subsequent includes anyway.
I can easily change the superglobals by providing, for instance, _ENV=something inside the post values, but superglobals are arrays and I'm turning them into strings, I'm not sure it can have evil effects.
I could have a look at the several isset() uses and go backwards from there.. but I imagine there are attacks of this kind that don't require knowledge or divination of the source.
Is there some interesting variable to be set/changed, maybe in the innards of PHP?
Thanks
For assessing "might" try this:
File:htdocs/mix/extraction.php
<?php
extract($_GET);
var_dump($_SERVER);//after extract
?>
and call it like that:
http://localhost/mix/extraction.php?_SERVER=test
After the extract on my Xampp the output looks something like that:
string(4) "test"
If anyone knows anything about your variable naming and you use extract on $_POST or $_GET globals, then you have a serious problem.
With a bit of time and work it would be possible to find out some namings by trial and error.
Without knowing your source an intruder could try to hijack any global variable like $_SESSION (but here it will only take any effect if you do the session_start(); before the extract($_GET)), $_COOKIE or $_SERVER and even set specific values for them like that:
//localhost/mix/extraction.php?_SERVER[HTTP_USER_AGENT]=Iphone
If you use extract like that:
extract($var,EXTR_SKIP);
extract($var,EXTR_PREFIX_SAME,'prefix');
extract($var,EXTR_PREFIX_ALL,'prefix');
then you will be perfectly safe.
A common name for the database connection is $db, but that would just blow up the system, you can overwrite the $_SESSION variable.
session_start();
$_SESSION['test'] ='test';
var_dump($_SESSION);
$vars = array("_SESSION" => 'awww');
extract($vars);
var_dump($_SESSION);
output
array(1) {
["test"]=>
string(4) "test"
}
string(4) "awww"
Overwrite variables $idUser or other fun stuff, want to mess up the iterables?
Pass array('i' => 5) to extract, there are all sorts of fun you can have depending on scope.
Edit:
I just thought of another: if the form is handling file uploads, why not try and overwrite variables named $file, $fileName, $fileExtention and see if you can get it to read files outside your permission level.
I'm not aware of any universal exploitability.
Anyway, it definitely is awfully bad practice.
What the script's author is saying is that the script's security relies on him not forgetting anything in the subsequent includes, which is horrible.
For strong general arguments against global extract()ing, see What is so wrong with extract()?
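Two ways to replace a bare extract($_POST), as an added example that is not code from the application under review or from the answers: the prefixed extract() proposed in the question, confined to a function, and an explicit allowlist that validates each expected field. The field names, the validation rules and the sample request are assumptions made for the demo; PHP 7 or later is assumed.

```php
<?php
// Constructed request body standing in for $_POST; field names are hypothetical.
$post = [
    'lastname' => "O'Brien",
    'idUser'   => '42',
    'auth'     => '1',      // not a form field: supplied by the client anyway
    '_SESSION' => 'awww',   // attempt to shadow a superglobal
];

// Option 1: prefixed extract() inside a function. Every key becomes a local
// variable named form_<key>, so no existing variable can be overwritten and
// nothing reaches the global symbol table.
function import_prefixed(array $input): array
{
    extract($input, EXTR_PREFIX_ALL, 'form');
    $vars = get_defined_vars();
    unset($vars['input']);
    return $vars;
}

// Option 2: no extract() at all. Only keys named in $rules are read, each one
// must be a string and must pass its filter; everything else is ignored.
function import_allowed(array $input, array $rules): array
{
    $clean = [];
    foreach ($rules as $key => $rule) {
        $raw = $input[$key] ?? null;
        if (!is_string($raw)) {
            continue;   // missing, or an array such as lastname[]=x
        }
        $value = filter_var($raw, $rule[0], ['options' => $rule[1]]);
        if ($value !== false) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

$rules = [
    'lastname' => [FILTER_VALIDATE_REGEXP, ['regexp' => '/^[\p{L}\' -]{1,64}$/u']],
    'idUser'   => [FILTER_VALIDATE_INT, ['min_range' => 1]],
];

var_dump(array_keys(import_prefixed($post)));   // prefixed names only
$form = import_allowed($post, $rules);
var_dump($form);                                // validated, typed values
echo htmlspecialchars($form['lastname'], ENT_QUOTES, 'UTF-8'), "\n";
```

With the allowlist, the code that consumes the input no longer depends on every later include redefining its variables, which is the assumption the last answer objects to.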