Frequently Asked Questions

Security risk?

I’m using the include format “layout.php?x=file.html”, but someone told me that there could be a security problem with this. Is there?

In fact, yes, there are several possible security risks with this, because it is your server that parses and runs whatever that include points at. If remote includes are permitted, anyone could write a PHP script with malicious code, host it elsewhere and have your page include it. And even if no files from remote servers can be included, if the open_basedir setting isn’t correctly configured, someone could abuse this function to include, and therefore view, any of the server’s configuration files. Even if PHP only has access to folders beneath your web directory, any configuration files stored there that contain passwords and are not enclosed in PHP tags (for example, config files for a Perl script) are output verbatim when included, so someone who knows their location could include and thus view them.

Therefore it is usually better to do it the other way round: make a PHP page for every content page and “wrap” it in the layout with header and footer includes. It’s more secure, and easier for search engines to crawl, since some of them won’t index pages with the same filename and different parameters.
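As an added illustration (this code is not from the original FAQ or its forum thread), the snippet below shows the include pattern the question describes next to a hardened variant for sites that still want a single layout script. The hardened version treats the `x` parameter as a key into a fixed allowlist rather than as a path, checks the resolved path stays inside a `pages/` directory, and outputs the content with `readfile()` so it is never parsed as PHP. The file names `pages/`, `header.php` and `footer.php` are assumptions made for the example.

```php
<?php
// Added example, not part of the original FAQ.

// --- Vulnerable: the request parameter becomes the include path -------------
// layout.php?x=file.html  ->  include("file.html")
// Whatever include() can open becomes part of the page. A file without PHP
// tags (e.g. a Perl script's config holding a password) is echoed verbatim;
// a file with PHP tags is executed by your server.
function render_unsafe(string $x): void
{
    include $x;
}

// --- Hardened: the parameter selects an allowlist entry, never a path -------
// Keys are the only values a request may supply; values are files we control.
const PAGES = [
    'home'    => 'pages/home.html',
    'about'   => 'pages/about.html',
    'contact' => 'pages/contact.html',
];

// Returns the absolute path of an allowed page, or null for anything else.
function resolve_page(?string $x): ?string
{
    if ($x === null || !array_key_exists($x, PAGES)) {
        return null;                        // unknown key: include nothing
    }
    // Defence in depth: even if PAGES is edited carelessly later, the target
    // must still resolve to a real file inside the pages/ directory.
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/' . PAGES[$x]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_safe(?string $x): void
{
    $path = resolve_page($x);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    require __DIR__ . '/header.php';   // assumed layout files, see lead-in
    // readfile() writes the bytes as-is: a content page containing "<?php"
    // is displayed, not executed. Use include only for pages that must run PHP.
    readfile($path);
    require __DIR__ . '/footer.php';
}

render_safe($_GET['x'] ?? null);
```

Alongside the code, the relevant php.ini settings for this class of problem are `allow_url_include = Off` (and usually `allow_url_fopen = Off`), which blocks includes from remote servers, and an `open_basedir` restricted to the site's own directory, which is the setting the answer above refers to. The allowlist is still the primary control: the ini settings limit the damage, but they do not stop a request from selecting a local file you never intended to serve.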

For more information on this, please read this forum thread.