
What are the security implications of passing a get variable through an include?

Example:

index.php:

    $lastname = $pulleddatabasevalue;
    include "../includes/header?lastname=$lastname";

header.php:

    echo $_GET["lastname"];

As the variable is dynamic, I have struggled to make include() or sessions work to assign the variable $lastname with the database value within the php include. However, $_GET here has worked fine. It doesn't show up on the browser address bar, thus can't be manipulated in a hostile manner there. Is there another way someone with malicious intent could work this code? Assume that the include directory is locked and I'm only referring to index.php.

Pete_1
  • If you define the variable before the include you can use it like any other variable. –  Jun 30 '14 at 23:13
  • There are no security implications, because it doesn't work like that – PeeHaa Jun 30 '14 at 23:17
  • This question appears to be off-topic because it is based upon an incorrect assumption that the above code works. Hence it cannot really be answered. – PeeHaa Jun 30 '14 at 23:21
  • I can attest that the code works. The URL in the real code is different. And I obviously have open and closing PHP tags inside header.php, as well as index.php. But it does work just fine. – Pete_1 Jul 01 '14 at 01:29
  • In reading others comments, it seems that it shouldn't work. I'm really curious as to why it does work for me? It grabs the value of $lastname using GET. Strange. – Pete_1 Jul 01 '14 at 01:35

3 Answers

Sorry, there is no way to pass GET parameters to an included file... See:

PHP include() with GET attributes (include file.php?q=1).

Include is strictly, let's call it, a "physical function". To make a GET request, you must make a request. Include just reads the file from the server.

BTW, I'm curious how it is possible that you made it work. I think there is some misunderstanding in your code.


You should think about include as a COPY-PASTE function.

In that case:

    $var = true;
    include ('include.php');

include.php:

    var_dump($var);

should echo bool(true).

Hope it helps.


When talking about security issues, as far as I'm concerned, include used in the way I describe should not create any new security holes. But you should check all the permissions of the included files, to be 100% sure.

Jacek Kowalewski

The security implications of outputting user-supplied input are the same no matter how it is done: ESCAPING AND VALIDATION ARE ESSENTIAL! Otherwise you are implementing big security holes.

Apart from that, there isn't any difference whether you directly access $_GET, or first stuff that value into another variable and access that inside your include.

The only difference is of general software maintenance: The former usually is considered bad because it is access to a global variable, while the latter might be part of a function call and might encapsulate the variable name better.

Your code, however, is wrong. You cannot pass query parameters as part of the filename. It works because $_GET is available as an array everywhere without any further code (read "superglobal variable" in the PHP documentation).

Sven

Keep it simple and don't confuse...

index.php

    $lastname = $pulleddatabasevalue;
    include "../includes/header.php";

header.php

    echo $lastname;

External refs and recommended reading:

gmo
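The points made in Sven's and gmo's answers, as one runnable script added here (it is not code from any of the answers): include() shares the caller's variable scope, a "?lastname=..." suffix on an include path is just part of a filename that does not exist, and whatever is echoed into HTML has to be escaped regardless of where it came from. The temp directory, the file names and the sample $lastname value are constructed for the demo.

```php
<?php
// Added example, not from the original answers. The include file is written to a
// temp dir so the script is self-contained; file names are constructed.

$dir = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($dir);

// header.php as in gmo's answer, with output escaping added. It relies on
// $lastname being defined by whichever script includes it, not on $_GET.
file_put_contents($dir . '/header.php', <<<'PHP'
<?php
echo '<h1>Hello, ', htmlspecialchars($lastname, ENT_QUOTES, 'UTF-8'), '</h1>', PHP_EOL;
PHP
);

// Constructed stand-in for a value pulled from the database. Data from your own
// database is still untrusted at output time: it may contain markup.
$lastname = 'O\'Brien <script>alert(1)</script>';

// 1. A variable defined before the include is visible inside the included file
//    (include behaves like copy-paste), so header.php can use $lastname directly.
include $dir . '/header.php';

// 2. A query string in an include path is not an HTTP request. PHP looks for a
//    file literally named "header.php?lastname=...", which does not exist, so
//    include() emits a warning (silenced here) and returns false. $_GET is only
//    ever populated from the real request's query string, never by include().
$found = @include $dir . '/header.php?lastname=' . urlencode($lastname);
var_dump($found);
var_dump(isset($_GET['lastname']));

// 3. Reading the value from $_GET or from a local variable makes no difference
//    to escaping: the same htmlspecialchars() call is required either way.
$_GET['lastname'] = $lastname;   // simulate the value arriving as a request parameter
$fromGet = htmlspecialchars($_GET['lastname'], ENT_QUOTES, 'UTF-8');
$fromVar = htmlspecialchars($lastname, ENT_QUOTES, 'UTF-8');
var_dump($fromGet === $fromVar);

unlink($dir . '/header.php');
rmdir($dir);
```

Run it from the CLI; the first var_dump shows the include of the "?lastname=" path failing, and the escaped output of step 1 shows the script tag rendered as text rather than executed.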