I've implemented a PHP auto_prepend_file in Apache's httpd.conf file to password protect every page on the server. Let's assume the prepended file is properly coded and secured. Are there any serious security risks to using an auto_prepend_file method? I'm worried this opens up some sort of cross scripting attack or access can be spoofed. Thanks for the help :)
php_value auto_prepend_file "path/to/application/auth/include/secure.inc"
As long as your script die()s properly if the user is not authenticated (also after header() redirects, very important!) there is no fundamental problem I can see with this.
The manual doesn't give much reason to worry either (emphasis mine):
"The file is included as if it was called with the require() function, so include_path is used."
Just be careful to always use an absolute path to avoid glitches with relative paths.
The only attack that I can think of is injecting a .htaccess file somewhere underneath the directory root that cancels the INI setting by setting
php_value auto_prepend_file none
so you should be careful not to accept file names for uploaded files from the user without filtering, for example.
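The two points the answer makes (stop the script after the redirect, and never let an uploaded file name become a .htaccess) shown together, as an added example that is not the asker's secure.inc nor code from the answer. It assumes a session-based login where /login.php sets $_SESSION['user'] (hypothetical path and key), and that login.php and logout.php must stay reachable without a session so the redirect cannot loop:

```php
<?php
// secure.inc (added example; hypothetical file, not the asker's).
// Assumption: /login.php sets $_SESSION['user'] on success.

declare(strict_types=1);

const LOGIN_PATH = '/login.php';                    // assumed login page
const PUBLIC_SCRIPTS = ['login.php', 'logout.php']; // must work without a session

function is_public_script(string $scriptFilename): bool
{
    return in_array(basename($scriptFilename), PUBLIC_SCRIPTS, true);
}

function require_authenticated(): void
{
    if (is_public_script($_SERVER['SCRIPT_FILENAME'] ?? '')) {
        return; // the login page itself must not redirect to itself
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!empty($_SESSION['user'])) {
        return; // authenticated: let the prepended-to page run normally
    }
    // Not authenticated: redirect AND stop. header() does not end the
    // script; without exit the protected page body would still be sent
    // along with the 302, which is the failure mode the answer warns about.
    header('Location: ' . LOGIN_PATH, true, 302);
    exit;
}

// Upload-name filter: returns a safe base name or null to reject the upload.
// basename() strips any directory part, then dotfiles (which is what
// .htaccess is) are refused and the remainder must match a strict allowlist.
function safe_upload_name(string $name): ?string
{
    $base = basename($name);
    if ($base === '' || $base[0] === '.') {
        return null; // rejects ".htaccess", "../.htaccess", ".", ".."
    }
    if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $base)) {
        return null; // letters, digits, _ and -, plus exactly one extension
    }
    return $base;
}

require_authenticated();
```

Two server-side settings close off the .htaccess override without relying on the upload filter: putting the directive in httpd.conf as php_admin_value instead of php_value means a .htaccess file (or ini_set()) cannot change it, and AllowOverride None makes Apache ignore .htaccess files in that tree altogether. The upload filter then remains as defence in depth rather than the only barrier.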
The content is written by members of the stackoverflow.com community. It is licensed under cc-wiki.