Is the use of the dirname(__FILE__) function or the __DIR__ magic constant appropriately safe to disable a local file inclusion or a remote file inclusion in a require() that receives parameters by GET?
Is there a solution to this problem?
Placing the absolute path to directories avoids accessing other folders?
No. If the attacker puts ../ , knowing the file path, it can access an unwanted directory anyway.
That is, for the following structure below:
app/
database.php
web/
index.php
pages/
home.php
contact.php
If web/index.php is the "root" of your application, but the malicious user puts ?page=../app/database.php , it theoretically would be doing what PHP does include normally.
For you to understand. All this below results in the same operation
include 'app/database.php';
include __DIR__ . '/app/database.php'
#supondo que estamos na pasta 'web'
include __DIR__ . '../app/database.php';
Note that providing an absolute name for the root directory of a given directory or file does not prevent other (outside) files from being accessed.
In this case, I think it is very appropriate for functions to be loaded with specific treatments for page load through get .
Example:
function page_include($page)
{
if (strpos($page, '..') !== false) {
throw new Exception("Caractere inválido detectado");
}
include WEB_DIRECTORY . '/pages/' . $page;
}
Maybe this is basic. You could include other checks, avoiding attacks.
Remote file inclusion
allow_url_include is a setting that allows you to use include in urls (which I do not think is good). On this I recommend that you disable the allow_url_include setting, because in that case, allowing such a setting is giving your hands-kissed application into the hand of malicious people.
PHP injection
It's another common problem involving files or folders in PHP. Read about it here: What is PHP Injection? What's the difference between it and SQL Injection? And how to avoid it?