PHP, RFI, and keeping things secure

Question

I am working on a website which the good user inputs a website domain name, http://www.mysite.com.

But I have been reading about remote file inclusion (RFI), and it is pretty interesting. Simply by adding ?page=http://www.mysite.com/index.php? or something near that I get some type of error (500). Other peoples sites using wordpress/ PHP if I do the same I also get an error.

I do not know if this means the script was run, but how can I keep my input clean? I already use REGEX, but I want the user to be able to input any website and process it accordingly. I certainly do not want significant security holes anywhere in my script.

Good night here in Boston on the East Coast [EST]

Answer 1

The HTTP 500 error you're seeing sounds like something that mod_security, a module for Apache, is generating. mod_security scans all input against a set of security rules, one of which probably is checking for RFI. This is a first line of defense.

To protect against RFI, there's a few other things you can do. First, since PHP 5.2.0, there is an option called allow_url_include. When set to false, this will cause PHP to throw an error whenever a file is being included that is an URL. Most people will want to have this setting set to false.

Additionally, there's sanitizing your input. There's a variety of ways to do it, indeed like using regex, but you could also look at the filter extension. Just be sure to be strict enough, you wouldn't want to allow someone to sneak in a ../../ and having a peek a level or two higher in the file hierarchy.

The safest, but sometimes also a very impractical, way to security file access would be to use a whitelist of the exact files that would be allowed to be included.