Security is a big topic with web developers, who are likely to get a bad reputation as a lazy programmer if clients complain their websites have been hacked by some shape or form. With the release of PHP 5, developers are urged to make the switch to a more secure platform over PHP 4. One example of the better security is with including files into an application.
XSS attacks, or what are called cross-site scripting attacks, are attacks in which a hacker injections code from a remote website. This attack is prevalent on PHP 4 platforms, but not so much on PHP 5 platforms due to a change in how configurations are built on default. PHP 4 allows limitless control of absolute file paths, where PHP 5 has cracked down on the absolute paths and instead warrants other methods of achieving file inclusion.
An XSS attack will seek to inject code into a webmaster's website and attempt to run it. By using the normal include function that PHP 4 allowed for, this means that an attacker could easily include files from another server located anywhere in the world. In doing so, servers could become "zombies" that could spam or attack other websites and users at will, all without the webmaster knowing.
XSS attacks function mostly because "allow_url_fopen" is set to on, which is the default setting in PHP 4. In PHP 5, however, the default setting is to turn it off. As a result, webmasters will not be able to include absolute paths without a little handy work. Instead, developers are urged to make use of relative file paths when including files.
Another method of using the include function in PHP 5 is to simply call the server's own base directory for calling files. This way the same syntax can be observed. The server variable for this base directory, "$_Server['document_root']," takes the place of the webmaster's domain name when including a file. Using this server variable, in effect, allows webmasters to still use absolute paths in their include functions. This is useful for bypassing changing all include functions to accommodate for relative paths.
For webmasters who don't like change, the urge to turn the setting back on is probably undeniable. But it is urged that webmasters keep this setting off to avoid the most common XSS attacks, as encouraged by the PHP community who thought it was serious enough of a problem to change its default behavior. Instead, learn to use the new syntax or workaround and keep your server secure, your users happy, and your troubles minimal.
In Conclusion
PHP 4 is slowly fading into the background as new standards are accepted and put into use. PHP 5 is going to continue in popularity, and the good news is XSS attacks will downsize considerably along the way as a result. - 16039
XSS attacks, or what are called cross-site scripting attacks, are attacks in which a hacker injections code from a remote website. This attack is prevalent on PHP 4 platforms, but not so much on PHP 5 platforms due to a change in how configurations are built on default. PHP 4 allows limitless control of absolute file paths, where PHP 5 has cracked down on the absolute paths and instead warrants other methods of achieving file inclusion.
An XSS attack will seek to inject code into a webmaster's website and attempt to run it. By using the normal include function that PHP 4 allowed for, this means that an attacker could easily include files from another server located anywhere in the world. In doing so, servers could become "zombies" that could spam or attack other websites and users at will, all without the webmaster knowing.
XSS attacks function mostly because "allow_url_fopen" is set to on, which is the default setting in PHP 4. In PHP 5, however, the default setting is to turn it off. As a result, webmasters will not be able to include absolute paths without a little handy work. Instead, developers are urged to make use of relative file paths when including files.
Another method of using the include function in PHP 5 is to simply call the server's own base directory for calling files. This way the same syntax can be observed. The server variable for this base directory, "$_Server['document_root']," takes the place of the webmaster's domain name when including a file. Using this server variable, in effect, allows webmasters to still use absolute paths in their include functions. This is useful for bypassing changing all include functions to accommodate for relative paths.
For webmasters who don't like change, the urge to turn the setting back on is probably undeniable. But it is urged that webmasters keep this setting off to avoid the most common XSS attacks, as encouraged by the PHP community who thought it was serious enough of a problem to change its default behavior. Instead, learn to use the new syntax or workaround and keep your server secure, your users happy, and your troubles minimal.
In Conclusion
PHP 4 is slowly fading into the background as new standards are accepted and put into use. PHP 5 is going to continue in popularity, and the good news is XSS attacks will downsize considerably along the way as a result. - 16039
About the Author:
Learn more on php include error and url file access is disabled in the server configuration.
