In the PHP manual for include, there is a user contribution that states the following:
include() when used to load configuration information has a scary
security flaw, if someone corrupts the PHP header in the included file
it will happily print the config file to every page which includes it
as plain text.
Luckily there is a quick and easy workout for this behaviour (which is
alluded to in this article):
<?php
ob_start();//Hook output buffer
include("config.php");
ob_end_clean();//Clear output buffer
?>
I know that the following will prevent any output until the output buffer is cleared/unhooked/whatever. However, what I am unsure about is the “if someone corrupts the PHP header in the included file” part – is that something that can be done client-side / remotely, or would that be if I accidentally gave the php file a different file extension?
To make a long story short: How COULD an outside user corrupt the php header?
Ok, let’s say you’ve got a file seekritpasswords.php that you include, and it contains your database credentials. You’d have a file that looks something like:
The php “header” is the <?php portion. If that becomes corrupted, say by adding a space to it, or removing it entirely, etc… Then the file is no longer a php script, as it does not contain the header which triggers “php mode”. It’ll just be plain text, and gets treated as regular output like any other plain text file. Remember, there’s no such thing as a PHP script. There’s only files which contain one or more PHP blocks, and those blocks are delimited by <?php ?> tag sets.
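The behaviour described above, as an added example that is not part of the original question or answer: it includes one intact and one damaged config file under output buffering and, going a step beyond the snippet in the question, fails closed when the file emits any bytes instead of silently discarding them. The helper load_config(), the temporary file names and the credential value are constructed for this illustration.

```php
<?php
// Added illustration: load_config(), the temp files and the secret are constructed.

/**
 * Include a config file with its output captured. Returns the config array,
 * or throws if the file emitted any bytes (its <?php tag is damaged or
 * missing) or did not return an array.
 */
function load_config(string $path): array
{
    ob_start();                    // capture anything the file would print
    try {
        $result = include $path;   // without a valid <?php tag the file is plain output
    } finally {
        $leaked = ob_get_clean();  // always drop the buffer, even if include throws
    }
    if ($leaked !== '') {
        // Report only the size: $leaked itself may hold the credentials.
        throw new RuntimeException(sprintf(
            '%s emitted %d bytes; opening tag damaged?', basename($path), strlen($leaked)
        ));
    }
    if (!is_array($result)) {
        throw new RuntimeException(basename($path) . ' did not return a config array');
    }
    return $result;
}

$good = tempnam(sys_get_temp_dir(), 'cfg');
$bad  = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($good, "<?php\nreturn ['db_pass' => 'constructed-secret'];\n");
// A single space inside the tag means PHP never enters "php mode" for this file.
file_put_contents($bad, "< ?php\nreturn ['db_pass' => 'constructed-secret'];\n");

try {
    $cfg = load_config($good);
    echo 'intact file: loaded ', count($cfg), " setting(s), nothing printed\n";
    load_config($bad);             // throws: the whole file landed in the buffer
} catch (RuntimeException $e) {
    echo 'corrupted file: ', $e->getMessage(), "\n";
} finally {
    unlink($good);
    unlink($bad);
}
```

Buffering only stops the leak into the page; treating a non-empty buffer as an error also surfaces the damaged file, which would otherwise leave the application running without its settings.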