I've implemented a PHP auto_prepend_file in Apache's httpd.conf file to password protect every page on the server. Let's assume the the prepended file is properly coded and secured. Are there any serious security risks to using an auto_prepend_file method? I'm worried this opens up some sort of cross scripting attack or access can spoofed. Thanks for the help :)

In httpd.conf:

php_value auto_prepend_file "path/to/application/auth/include/secure.inc"

Accepted Answer

As long as your script die() s properly if the user is not authenticated (also after header() redirects, very important!) there is no fundamental problem I can see with this.

The manual doesn't give much reason to worry either (emphasis mine):

The file is included as if it was called with the require() function, so include_path is used.

just be careful to always use an absolute path to avoid glitches with relative paths.

The only attack that I can think of is injecting a .htaccess file somewhere underneath the directory root that cancels the INI setting by setting

php_value auto_prepend_file none

so you should be careful not to accept file names for uploaded files from the user without filtering, for example.

Written by Pekka
This page was build to provide you fast access to the question and the direct accepted answer.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki