is this menu inclusion method secure?


jmichae3
04-23-2012, 10:35 AM
<?php include($_SERVER['DOCUMENT_ROOT'].'/common/horizontal-menu.php'); ?>

I *think* this code is OK, but I am not totally sure, I am hoping some people here will poke some holes in it before I decide to use it.

I am not totally up on all aspects of PHP security, I am a little rusty. I could use some pointers. If this is not secure, I would like to know. If I could know why, that would be even better. thanks.

the concept is, I have a web-root-based absolute path /common/horizontal-menu.php which gets appended to the web server's document root path, which makes a full path for include to work with, since (unfortunately) it only likes full system filepaths rather than web-root-based filepaths.

the code works great in every directory I have tried it in (unlike web root absolute paths I have tried). question is, is it safe?
thanks in advance...

davidj
05-16-2012, 08:39 PM
is there a reason in your requirements why you are using..

$_SERVER['DOCUMENT_ROOT']

can't you just use a relative path?

include('common/horizontal-menu.php');

jmichae3
05-17-2012, 12:48 AM
not for what I am trying to do. when you are IN /somewhere/foozle/something.php, you can't just do include('/common/menu.php'); that doesn't work because include uses absolute filesystem paths. you have to use $_SERVER['DOCUMENT_ROOT'] in your path in order for things to work. I did some testing (with frustration and disgust).

I suppose one good thing about this is, that you can include PHP files which are in another part of the filesystem OUTSIDE the web root and your stuff is protected. my guess would be: more hack-proof? don't know. just a guess. I am no expert on PHP security.

maybe that's a good idea and maybe it's not. maybe someone can chime in on that.

jmichae3
05-17-2012, 12:51 AM
and I have a 700-page site (some smatterings of PHP), so I am not about to go and do relative paths for all that stuff if I can avoid it if I did use lots of PHP or for some reason needed to convert everything to PHP.

davidj
05-17-2012, 05:38 AM
There is nothing wrong with using $_SERVER['DOCUMENT_ROOT']
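As an added example (not code from any of the posters), the three include forms discussed in this thread side by side, with a comment on what makes each safe or unsafe; the directory layout and the menu names are assumptions for illustration:

```php
<?php
// 1. The original post's form. The argument is a fixed string plus DOCUMENT_ROOT,
//    which the web server sets from its own configuration, not from the request.
//    No request data reaches include(), so there is no file-inclusion exposure here.
include $_SERVER['DOCUMENT_ROOT'] . '/common/horizontal-menu.php';

// 2. A file kept OUTSIDE the web root, as the thread suggests. It is addressed from
//    the document root's parent directory, so it can never be fetched directly over
//    HTTP and its source is never served raw. Assumes a layout like
//    /var/www/app/includes/ beside a document root of /var/www/html (assumption).
include dirname($_SERVER['DOCUMENT_ROOT']) . '/app/includes/horizontal-menu.php';

// 3. The pattern that actually makes include() dangerous is letting request data
//    choose the file, e.g.  include $_SERVER['DOCUMENT_ROOT'] . $_GET['page'];
//    If a menu name ever has to come from the URL, map it through an allow-list,
//    resolve it against one fixed directory, and verify the canonical path still
//    lies inside that directory before including it.
function includeMenu(string $name): void
{
    // Hypothetical menu names; the files are assumed to exist under /common.
    $allowed = [
        'horizontal' => 'horizontal-menu.php',
        'vertical'   => 'vertical-menu.php',
    ];
    if (!isset($allowed[$name])) {
        http_response_code(404);
        return;
    }
    $base = realpath($_SERVER['DOCUMENT_ROOT'] . '/common');
    $file = realpath($base . '/' . $allowed[$name]);
    // realpath() returns false for a missing file and collapses any '..' or
    // symlink segments, so the prefix check rejects anything outside /common.
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        return;
    }
    include $file;
}

includeMenu($_GET['menu'] ?? 'horizontal');
```

Only form 3 needs the checks; forms 1 and 2 are constant paths and carry no user input, which is why the original post's one-liner is fine as written.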