Prevent Code Injection in PHP include files

While discussing coding standards not long ago, I argued against adding ?> at the end of PHP files. But miqrogroove pointed out to me an interesting reason why it can actually make sense to have it, together with an additional return statement at the end of each file: the return statement alone can prevent payload code that an attacker appends to existing PHP files, for example publicly known include files, from ever being executed. The countermeasure is pretty easy: just add a return statement at the end of the file. It ends the include "subroutine", so nothing placed after it runs:

  <?php
  /* all the include file's php code */

  return; /* ends the include here; anything appended below is never executed */
  ?>

Well, in fact a simple return; statement works just as well without the ?>, so I can stay with my habits 🙂. Maybe a consideration for the files in the WordPress project? Include filenames and locations are publicly known, so why not?
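To see the guard at work, here is an added example (not code from the original post): it writes two constructed include files to a temp directory, one ending in return; and one without it, appends the same harmless marker block to both, and then includes each to show that the marker only executes in the unguarded file. File names and the marker block are assumptions made for the demo.

```php
<?php
// Added demonstration (not code from the original post) of the trailing
// `return;` guard: whatever is appended after it is never executed.
// All file names and contents here are constructed for the demo.

$dir = sys_get_temp_dir() . '/return-guard-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

// Include file written the way the post recommends: code, then return;, then ?>
$guarded = "$dir/guarded.php";
file_put_contents($guarded, "<?php\n\$settings = ['name' => 'demo'];\nreturn;\n?>\n");

// The same include file without the guard, for comparison.
$unguarded = "$dir/unguarded.php";
file_put_contents($unguarded, "<?php\n\$settings = ['name' => 'demo'];\n?>\n");

// A block appended to the end of each file by someone with write access.
// It is a harmless marker that only records that it executed.
$appended = "<?php \$GLOBALS['appended_ran'][] = basename(__FILE__); ?>\n";
file_put_contents($guarded, $appended, FILE_APPEND);
file_put_contents($unguarded, $appended, FILE_APPEND);

// Include a file and report whether the appended block got to run.
function appendedCodeRan(string $file): bool
{
    $GLOBALS['appended_ran'] = [];
    include $file;               // a return; inside the file ends the include here
    return $GLOBALS['appended_ran'] !== [];
}

foreach ([$guarded, $unguarded] as $file) {
    printf("%-14s appended code ran: %s\n",
        basename($file), appendedCodeRan($file) ? 'yes' : 'no');
}

// Limit of the guard: it only covers code placed after the return;
// it does nothing against code inserted earlier in the file.

// Clean up the temporary files.
array_map('unlink', [$guarded, $unguarded]);
rmdir($dir);
```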

This entry was posted in Code Smells, Hakre's Tips, PHP Code Smells, Pressed.
