PHP Remote Include File Vulnerability Analysis Page 1/6_PHP Tutorial

Almost all cgi programs have such bugs, but the specific manifestations are different.

1. Dangerous functions involved [include(), require() and include_once(), require_once()]

include() && require() statement: include and run the specified file .

The two structures are identical except for how they handle failure. include() produces a warning and require() causes a fatal error. In other words, use require() if you want to stop processing the page if a missing file is encountered. This is not the case with include() and the script will continue to run.
If "allow_url_fopen" is enabled in PHP (the default configuration), it is also possible to specify files to be included using URLs (via HTTP or other supported wrapping protocols) instead of local files. If the target server interprets the target file as PHP code, you can pass variables to the included file using the URL request string for HTTP GET.
Detailed reference: http://cn.php.net/manual/en/function.include.php

require_once()　&&include_once()
require_once () and include_once() statements are in Includes and runs the specified file during script execution. This behavior is similar to the require() statement, the only difference is that if the code in the file is already included, it will not be included again. It is suitable for situations where the same file may be included more than once during script execution, and you want to ensure that it is only included once to avoid problems such as function redefinition, variable reassignment, etc.
Detailed reference: http://cn.php.net/manual/en/function.require-once.php

2. Why include files

Programmers write programs Sometimes, I don’t like to do the same thing or write the same code (such as some common functions) several times, so I write the code that needs to be shared in a separate file, such as share.php, and then in other file to make include calls. In PHP, we use the functions listed above to achieve this purpose. Its workflow: If you want to include share.php in main.php, I will write include("share.php") like this The purpose is achieved, and then you can use the functions in share.php. There is no problem with hard-coding the file name that needs to be included, and there will be no loopholes. So where is the problem?
Sometimes you may not be sure which file needs to be included. For example, let’s look at the code of the following file index.php:
[code]

if ($_GET

http://www.bkjia.com/PHPjc/320707.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/320707.htmlTechArticleAlmost all cgi programs have such bugs, but the specific expression methods are different. 1. The dangerous functions involved [include(), require() and include_once(), require_once()] i...