Well I really don't need an php intensive ANYTHING on my website, so don't criticize me for my rather simple script .

I have this running in my "index.php" file:

Code:

<?php

include('overall_header.html');
include('index.html');
include('overall_footer.html');

?>

I use it to separate my documents appropriately, in case a change is necessary.

For example: Lets say I made a spelling error in the header, and i have 1000 pages in HTML. I would have to go to each of those files and fix the error. However with this, i would just have to modify overall_header.html.

Each file i want will create will have the overall_footer.html and overall_header.html, and only a different body file.

I hope this is making sense.

The Question
I know that there is no risk of running pure html files. No places to be hacked or have things injected, and you are generally safe. I also know that php can be a little tougher to secure.

I was wondering if those include commands could be exploited in anyway?

Since you are using hard coded references in the includes, there is no way of this being exploted, except if someone were to get into your FTP (then you would have bigger problems).

As long as you are publishing static read only files there is very little risk IMO.

The hackers exploit DBs, forms and write files.

For a little added "feel good" security and to keep the include files from being indexed you could name them index.html.inc (or most anything you like on Linux server). The included files are parsed as a contribution to the final html output so their names do not matter to the server.

Okay thats great. Thanks guys

One thing to check is that .html files don't run PHP on your server. Servers can be configured to run PHP and then you'd need to make sure that there's nothing insecure in those included files. The risks for including files which aren't executable is when you do something like this:

PHP Code:

<?php
include ($_GET['file_name']);
?>

Hackers would run rampant with that. If I need to allow a dynamic file choice, I do something like this

PHP Code:

<?php
$sanitized_file = preg_replace('/[^a-z0-9\-_]/i','',substr($_GET['file_name'],0,-5));
include ($sanitized_file.'.html');
?>

NOTE: The substr command strips off the last 5 characters which should be the extension if using .html as the extension
or, if I can be a bit more restrictive:

PHP Code:

<?php
$ok_files = array(''=>'default_file_name.html',
                  'file_choice_1'=>'file_1.html', 
                  'file_choice_2'=>'file_2.html',
                  'file_choice_3'=>'file_3.html'
                 );
$sanitized_file_name = $ok_files[$ok_files[$_GET['file_name']]];
include ($sanitized_file_name);
?>

By using $ok_files twice in the example above and setting '' to have a value in that array, it auto-filters out bad entries.

I am not using php in html files. I am using a php file to call 3 html bodies.

I understand. That doesn't mean that your HTML files do not execute PHP code. A server may do that for you without ever asking your permission.

So, by calling them with php, the html files can now act in the same way as a php file. Or am I not getting this?

You're getting it. Servers can be configured to make any extension go through the PHP engine. It's probable that it's not setup this way on your server, but your question was about making things secure, so I figured that I'd point this out.

JermyM is correct and servers are not normally set that way unless you modify the .htaccess file.

The simple way to test this is just put some php code in an html file, place it on your server and view the file in a browser.

This will do the job for you:

Quote:

<?PHP
print "hello world html is parsed on your server";
?>
print "if you only see this with the word print, the quotes and semicolon, html is not parsed on your server.";

EDIT: Name that file anything.html

Personally, I almost always include other .php files into the main body of my pages, because it is very helpful to include dynamic files, whether they are functions or simply behave differently depending on page variables.

@wayfarer07: I agree too. I don't use html files at all in my coding. The OP, however, seemed very new, though, so I thought it prudent to give him the minimal amount to get on his way.

@OP: You may want to check http://phpsec.org/ and other PHP security resources out there.

In terms of security, along with some of the other good points mentioned, I would be included any file via an absolute path by use of $_SERVER['DOCUMENT_ROOT']. That way, you know that you will always be starting from the root path of you web directory.

I don't believe that variable is always defined.

PHP Code:

dirname(__file__) 


should give you the path to the current file.

It's always defined for me. Why wouldn't it be?

Server configuration variations. I believe if you search the PHP site for that variable, you'll see some who have had problems b/c the variable wasn't defined. dirname, and __file__, however, are always defined.

The best solution for me is define(). I can define any folder in or out of root folder.

Code:

define("PATH", "path/to/folder/");
$include = PATH . "somefile.php";

Cool, will take that advice on board.
Cheers.