Page 1 of 1

include dynamicly

Posted: Mon Jul 22, 2002 6:30 pm
by peppelorum
trying to include a file dynamicly, but doesnt work.

Code: Select all

$file = $_GETї'file'];

if ($file) include($file);
and the message I gets is:
"Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in C:\Inetpub\wwwroot\svartfolk-php\eforum.php on line 11"

the file I'm trying to include is in the same folder as the script and contains some php..

Posted: Mon Jul 22, 2002 7:22 pm
by volka
what is the connection between the include and your mysql-connection?

Posted: Tue Jul 23, 2002 1:56 am
by twigletmac
What's on lines 1-11 C:\Inetpub\wwwroot\svartfolk-php\eforum.php? In other words, what do the lines where the error (to do with your MySQL connection as volka pointed out) is occuring look like. We can't help you if you don't give us all the information.

Mac

Posted: Tue Jul 23, 2002 3:19 am
by peppelorum
ehm, forgot to include the file that opened the db, so that is fixed. but another question, is there anything you should think when it comes to dynamic includes, security issues etc?

Posted: Tue Jul 23, 2002 4:01 am
by twigletmac
Just make sure that you aren't going to be allowing people to open any file they like. Basically have something, a switch, if statement, entries in a database, whatever, that allows you to decide whether the content to be included should be allowed.

Mac

Posted: Tue Jul 23, 2002 4:33 am
by haagen
Isn't there a php-function that'll check the file path. So you can force the files to reside in (for example) /home/haagen.

So this would fail:

Code: Select all

$file="../../etc/passwd";
$path = "/home/haagen/";

if(php_check_func("$file$path"))
   include("$file$path");
/home/haagen/../../etc/passwd == /etc/passwd

I've seen this terrible code in real life :?

Posted: Tue Jul 23, 2002 11:54 am
by Galahad
I don't know if such a function exists, but it doesn't seem like it would be that hard to write yourself. The switch statement may be simpler, although less flexible.

Posted: Tue Jul 23, 2002 3:11 pm
by haagen
I made a quick look and found the function. And it wasn't as I remebered. It is realpath($path) and it extracts the path I mention above to /etc/passwd.

I good to have function 8) <- i like these