Old 04-23-2012, 11:35 AM   #1
jmichae3
 
Join Date: Dec 2010
Posts: 366
is this menu inclusion method secure?

PHP Code:
<?php include($_SERVER['DOCUMENT_ROOT'].'/common/horizontal-menu.php'); ?>
I *think* this code is OK, but I am not totally sure. I am hoping some people here will poke some holes in it before I decide to use it.

I am not totally up on all aspects of PHP security; I am a little rusty. I could use some pointers. If this is not secure, I would like to know. If I could know why, that would be even better. Thanks.

The concept is, I have a web-root-based absolute path /common/horizontal-menu.php which gets appended to the web server's document root path, which makes a full path for include to work with, since (unfortunately) it only likes full system filepaths rather than web-root-based filepaths.

The code works great in every directory I have tried it in (unlike web root absolute paths I have tried). Question is, is it safe?
Thanks in advance...
__________________
------------
Jim Michaels
HTML Code:
improperly<strong>nested<em>elements</strong>cause</em>
browser confusion (I believe the term is 'tag soup')!
Old 05-16-2012, 09:39 PM   #2
davidj
 
Join Date: Sep 2005
Location: The Toon (newcastle upon Tyne)
Posts: 8,256

Is there a reason in your requirements why you are using..

PHP Code:
$_SERVER['DOCUMENT_ROOT']
Can't you just use a relative path?

PHP Code:
 include('common/horizontal-menu.php'); 
__________________
Would you like to learn PHP from me? Check out -> www.codezenith.co.uk
Old 05-17-2012, 01:48 AM   #3
jmichae3
 
Join Date: Dec 2010
Posts: 366

Not for what I am trying to do. When you are IN /somewhere/foozle/something.php, you can't just do
PHP Code:
include('/common/menu.php'); 
That doesn't work because include uses absolute filesystem paths. You have to use
PHP Code:
$_SERVER['DOCUMENT_ROOT']
in your path in order for things to work. I did some testing (with frustration and disgust).

I suppose one good thing about this is that you can include PHP files which are in another part of the filesystem OUTSIDE the web root and your stuff is protected; my guess would be: more hack-proof? Don't know. Just a guess. I am no expert on PHP security.

Maybe that's a good idea and maybe it's not. Maybe someone can chime in on that.
Old 05-17-2012, 01:51 AM   #4
jmichae3
 
Join Date: Dec 2010
Posts: 366

And I have a 700-page site (some smatterings of PHP), so I am not about to go and do relative paths for all that stuff if I can avoid it, if I did use lots of PHP or for some reason needed to convert everything to PHP.
Old 05-17-2012, 06:38 AM   #5
davidj
 
Join Date: Sep 2005
Location: The Toon (newcastle upon Tyne)
Posts: 8,256

There is nothing wrong in using $_SERVER['DOCUMENT_ROOT']
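An added example, not code from any poster in this thread: the include discussed above uses a fixed literal path, and this sketch goes one step further to the case where part of the path is not fixed, checking that the resolved file really lies under the document root before including it. `resolve_include()` is a hypothetical helper, and the temporary directory is a constructed stand-in for `$_SERVER['DOCUMENT_ROOT']`.

```php
<?php
// Added example; resolve_include() is a hypothetical helper, not from the thread.

/** Return the real path of $relative under $base, or null if it is missing or escapes $base. */
function resolve_include(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null; // base directory missing or unreadable
    }
    // realpath() resolves "..", "." and symlinks; it returns false if the path does not exist.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . ltrim($relative, '/\\'));
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator, so a sibling such as
    // "/var/www_old" is not mistaken for something inside "/var/www".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed demo tree standing in for $_SERVER['DOCUMENT_ROOT'] (empty under the CLI).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'docroot_demo_' . getmypid();
$sibling = $root . '_old';
mkdir($root . '/common', 0700, true);
mkdir($sibling, 0700, true);
file_put_contents($root . '/common/horizontal-menu.php', '<?php echo "menu markup\n";');
file_put_contents($sibling . '/x.php', '<?php echo "should never be included\n";');

$cases = [
    '/common/horizontal-menu.php',          // the thread's fixed path: accepted
    '../' . basename($sibling) . '/x.php',  // exists, but outside the root: rejected
    '/common/missing.php',                  // does not exist: rejected
];
foreach ($cases as $relative) {
    $path = resolve_include($root, $relative);
    echo str_pad($relative, 40), $path === null ? 'rejected' : 'accepted', "\n";
    if ($path !== null) {
        include $path;
    }
}
```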
Copyright 2006 DreamweaverClub.com