Does Php Include Work? not for me aparantly... ?

[anachro 0]

So I joined this hosting because of the promoted "no limits" because ALOT of other servers don't allow the use of the PHP fnction include, which is something I'm DEARLY FOND OF; when I posted my pages on my newly hosted site (bselvar.trap17.com) I find that my includes for a ?page= style simple navigation doesn't work. Doesn't that mean there ARE restrictions? and is there a way to enable this?

[sonesay 7]

I'm not sure how you are using it, can you post some code that has the includes where its failing? I've noticed one thing about includes, it dosent seem to work unless its put into the 'includes' folder. I think theres a setting in php that tells it what folders can be included althought I'm not 100% certain on this. I do now php includes work for me and I have the php include files in a 'includes' folder in my root html folder. I also include my db.php in the root also and it works.edit: I've also had this other problem when working under XAMPP, I'm not sure what is causing it but lets say I have certain files stored down a few levels of folder 'root/includes/forms/modify_char.php' for example. I just store it there for the sake of trying to keep things tidy because I end up with so many *.php files doing small ajax outputs.When I try and include the 'db.php' in 'modify_char.php' with

include('.../db.php');

it dosent work I'm not sure why this is. So eventually I copy db.php to 'includes' folder and try

include('../db.php');

Now this works. I'm not sure why this is, maybe there is a limit of how many number of level folders you can include to?

Edited January 11, 2008 by sonesay (see edit history)

[anachro 0]

here's the script I've hand-typed and have been using for a year or so now, EXACTLY how I have it on my site (copyright BTW)

<?php// This php script has been written and designed by Brandon Selvar - http://www.bcsproductions.co.nr/// This code must remain intact in this include for legal useif($page=="") { $page=""; }  $complete="".$page.".php";if(file_exists($complete)) { include($complete); }elseif($page=="") include ("welcome.php");else { include ("404.php"); } ?>

I don't get an error, it just doesn't happen. I went into the control panel and it says that the include function for local and master are set to OFF, which is disapointing, but url_fopen is on and working just find :?

*EDIT*
I should note that the welcome.php page include works, but the ?page= include do not. and this script works on all servers with Inlcude turned on
Edited January 11, 2008 by anachro (see edit history)

[sonesay 7]

<?php// This php script has been written and designed by Brandon Selvar - http://www.bcsproductions.co.nr/// This code must remain intact in this include for legal useif($page=="") { $page=""; }  $complete="".$page.".php";if(file_exists($complete)) { include($complete); }elseif($page=="") include ("welcome.php");else { include ("404.php"); } ?>

Your code your gave. I'm assuming thats only a small piece of it. are you assigning $page = $_GET['page'];? because if you havent thats probably why its not working.

[anachro 0]

yes, thats the whole code, it's always worked for me. but I guess I don't know everything about security and functionality with my limited learning time between work, community, friends, and schooling. you think I should re-work the coding to be:

<?php// This php script has been written and designed by Brandon Selvar - bselvar.trap17.com// This code must remain intact in this include for legal useif($page=="") { $page= $_GET['page']; } $complete="".$page.".php";if(file_exists($complete)) { include($complete); }elseif($page=="") include ("welcome.php");else { include ("404.php"); } ?>

I'll try this now ;D

 

EDIT

HA! SUCCESS! That does work! thanks for helping me improve my script! I've actually thought about the using $_GET, but since it ALWAYS worked I thought it unnecessary.

Edited January 11, 2008 by anachro (see edit history)

[sonesay 7]

just add to the start before you use it

$page = $_GET['page'];

That way its already asigned and you wont need to change any code. Or you could go to everyline and change $page to $_GET['page'] which I think is too much hassle.

Edited January 11, 2008 by sonesay (see edit history)

[anachro 0]

yeah I just simply re-wrote it to:

<?php// This php script has been written and designed by Brandon Selvar - bselvar.trap17.com// This code must remain intact in this include for legal useif($page=="") { $page= $_GET['page']; } $complete="".$page.".php";if(file_exists($complete)) { include($complete); }elseif($page=="") include ("welcome.php");else { include ("404.php"); } ?>

thank you!!

[shadowx 0]

Ah this age old problem.... There should be a sticky about this methinks...

For the record the reason you have to assign the variable like that is because of a setting in the PHP.ini files on T17 servers and the reason it is like that is for security. Because if, for example, you had a variable called $level that controls what the user can see, either normal, or aadmin options. With the normal set up all a hacker has to do is type &level=admin into the URL and they are an admin but with the T17 setup this wouldnt work and so is more secure.

For more info see: http://forums.xisto.com/no_longer_exists/

And if you want to turn this option off on your local server so that you dont accidentally forget the set up is different go into your PHP folder on your installation and locate the php.ini file and change the line "register_globals" from ON to OFF

[anachro 0]

ah, I see, is there anyway to do this in a code alone? for security? like alternating a value or something? because if I make a CMS script I want it to be as secure as possible, not some lofty open ended hacker "HIT HERE!" sign ;D

[shadowx 0]

I dont think there is but im probably wrong. Most hosting companies will have this set to OFF by default for their own security as well as yours. you can easily check by making a PHPINFO(); command within an otherwise empty PHP page and looking through the output. If it is set to ON Then i would recommend emailing the hosting company and asking for it to be changed to OFF. Even better would be to email their support before registering just to make sure.there could be a way to use PHP code to do change the values but i dont know of it and i suspect it doesnt exist as in itself it would be a security flaw, allowing a hacker to change a lot of settings and give him/herself an easier time inside.

[jlhaslip 4]

Just a reminder that PHP6, soon to be released, will not allow Register Globals at all, whatsoever, so you are better to learn to code without using Register Globals = on.

 

Also, with resect to the single dot and double dot method of addressing a file:

 

This syntax is a left-over from the days of DOS Operating System where a single dot meant "this directory" and the double dot meant "file's Parent Directory", so good programming practice would use the single dot syntax for a file in the Current directory ( include './filename.ext' ) and double dot syntax for the Parent directory ( include '../filename.ext' ) You can travel to several levels of Parent Directories by adding sets of double dots, too. ( include '../../../../filename.ext' ) would go back 4 levels.

Similarly, a slash without the dots is used to indicate the path to the file starts at the Server Root. ( include '/filename.ext' )

 

http://forums.xisto.com/no_longer_exists/

[sonesay 7]

Thank you for pointing that out. I was confusd and always thought that ".../" meants two levels up. I will try this soon once I get back to working on my PHP project.

[BuffaloHelp 24]

It is also a good coding method to practice isolation between Global Variable and Local Variable.

[anachro 0]

This syntax is a left-over from the days of DOS Operating System where a single dot meant "this directory" and the double dot meant "file's Parent Directory", so good programming practice would use the single dot syntax for a file in the Current directory ( include './filename.ext' ) and double dot syntax for the Parent directory ( include '../filename.ext' ) You can travel to several levels of Parent Directories by adding sets of double dots, too. ( include '../../../../filename.ext' ) would go back 4 levels.

Similarly, a slash without the dots is used to indicate the path to the file starts at the Server Root. ( include '/filename.ext' )

I had no idea! so the basic concept is if the file is in the same directory of the operating page, jsut put ./filename.ext, but say its in root/file/ and your operational page is in root/file/file/ using ../filename.ext would allow it to work, correct?

[truefusion 3]

This syntax is a left-over from the days of DOS Operating System where a single dot meant "this directory" and the double dot meant "file's Parent Directory"

Actually, Unix uses this too. And Unix is a lot older than DOS. Unix, last i checked, came out in 1969.

 

But to add to your other statement: When you include the root directory by including a forward slash in the beginning of the file path, this does not neccesarily mean your "public_html" folder. It means the root of the system itself; assuming the system is a Unix-based system; other systems may be different.

 

... but say its in root/file/ and your operational page is in root/file/file/ using ../filename.ext would allow it to work, correct?

Assuming i understood you correctly: Yes, that would work. But it is a security flaw if you allow ../ in _GET variables without verifying the extension.