php url include questions

joncampbell
Forum Newbie
Posts: 24
Joined: Fri Mar 11, 2005 12:57 pm
Location: Irvine, California, USA

php url include questions

Post by joncampbell »

I already know that a lot of people think that url includes are very insecure, and they are, but I am using scripts that require them, so I am kinda stuck with them for the meantime.

My question is that I have 1 script, for example main.php, and this script is including another file, for example include.php.

This is included as follows:

main.php

<?php
include ('http://www.example.com/include.php?somevar=1');
?>

include.php

<?php
echo basename($_SERVER['SCRIPT_NAME']);
?>

Why is it that include.php always shows "include.php", and never "main.php"? How can I tell what script is including another from a script that is included via a url? Is this possible? Have you run into this problem, and how did you correct it?

Any help is appreciated. Thank you.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Without telling the remote script, it has no clue.
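
What "telling the remote script" can look like, as an added example that is not code from the thread: main.php passes its own name in the query string and signs it, because include.php receives an ordinary HTTP request that anyone can send. The `caller` and `sig` parameter names, the shared secret and the allow-list are assumptions.

```php
<?php
// Added example, not code from the thread.
// Parameter names, the secret and the allow-list are assumptions.
const SHARED_SECRET   = 'replace-with-a-long-random-value'; // known to both servers
const ALLOWED_CALLERS = ['main.php'];

// main.php side: append the caller name and an HMAC over the whole query string.
function build_include_url(string $base, string $callerFile, array $params = []): string
{
    $params['caller'] = basename($callerFile);
    ksort($params);
    $params['sig'] = hash_hmac('sha256', http_build_query($params), SHARED_SECRET);
    return $base . '?' . http_build_query($params);
}

// include.php side: $_GET is controlled by whoever sends the request,
// so verify the signature before trusting 'caller'.
function verified_caller(array $get): ?string
{
    $sig = $get['sig'] ?? '';
    unset($get['sig']);
    ksort($get);
    $expected = hash_hmac('sha256', http_build_query($get), SHARED_SECRET);
    if (!is_string($sig) || !hash_equals($expected, $sig)) {
        return null; // missing or forged signature
    }
    $caller = $get['caller'] ?? '';
    return in_array($caller, ALLOWED_CALLERS, true) ? $caller : null;
}

// Demonstration with constructed values; no network access is needed.
$url = build_include_url('http://www.example.com/include.php',
                         '/var/www/main.php', ['somevar' => '1']);
parse_str(parse_url($url, PHP_URL_QUERY), $query); // what include.php would see in $_GET

var_dump(verified_caller($query));   // signed request from main.php

$query['caller'] = 'other.php';      // value changed without re-signing
var_dump(verified_caller($query));
```

The signature shows only that the URL was built by a holder of the secret; a captured URL can be replayed, so the caller name is not an authentication token on its own.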
joncampbell
Forum Newbie
Posts: 24
Joined: Fri Mar 11, 2005 12:57 pm
Location: Irvine, California, USA

Post by joncampbell »

Isn't that supposed to be one of the benefits of using include instead of just using fopen()? I would assume that this is something that other people would want. If I use include with a local path, $_SERVER['SCRIPT_NAME'] would show the original filename, not the included one; that's why they created the magic constant __FILE__.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Good point raised here. When you include a script into another script, the script takes on the scope of the calling script (at least from the scope where you call include). Same scope means it will act as if it is part of the script.

About the magic constants:
http://www.php.net/include wrote:So, it will follow the variable scope of that function. An exception to this rule are magic constants which are evaluated by the parser before the include occurs.
EDIT| Nevermind. I totally misread your original post.
mrkite
Forum Contributor
Posts: 104
Joined: Tue Sep 11, 2007 4:19 am

Post by mrkite »

joncampbell wrote:Isn't that supposed to be one of the benefits of using include instead of just using fopen()?
Yes.. if you included a file on the same server. When you include a URL, the script goes to that URL and fetches its contents. The remote PHP executes the script no different than if you had gone to that url in a browser.

This is actually what causes problems.

If you took include.php and called it include.txt so that when fetched from the server it was returned with all the php code unparsed, then main.php would execute that php code locally.
playgames
Forum Newbie
Posts: 22
Joined: Tue Sep 04, 2007 4:28 am

Post by playgames »

Includes should only be on the same site.

For a remote file, maybe file_get_contents();
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

mrkite wrote:If you took include.php and called it include.txt so that when fetched from the server it was returned with all the php code unparsed, then main.php would execute that php code locally.
Not without eval().
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

superdezign wrote:
mrkite wrote:If you took include.php and called it include.txt so that when fetched from the server it was returned with all the php code unparsed, then main.php would execute that php code locally.
Not without eval().
include() doesn't need eval(). ;)
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Really? That's interesting. ^_^
joncampbell
Forum Newbie
Posts: 24
Joined: Fri Mar 11, 2005 12:57 pm
Location: Irvine, California, USA

Post by joncampbell »

The main purpose of this is that I would like the files to be able to function on their own, if I was to change the filename of one of the 2 included files to something.txt then I wouldn't be able to execute it as php on the local server.

I hope php 6 has addressed this issue. I can't imagine that I am the only person that is trying to take advantage of this type of setup. I personally think that this is a bug, but I am assuming that the php development community would disagree. I think that the predefined variable $_SERVER['SCRIPT_NAME'] should work across url included includes; if it doesn't, there is no benefit to using url includes over standard fopen() requests, in truth it is better to use fopen() as you can pass it directly to a variable.

I am having session management issues with the standard fopen() requests, so I hoped that the url include method would resolve these issues, but sadly enough I haven't had any luck.

I appreciate any input, as I hope to have this problem remedied as soon as possible, so I can get back to coding.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

joncampbell wrote:if it doesn't there is no benefit to using url includes over standard fopen() requests, in truth it is better to use fopen() as you can pass it directly to a variable.
Correct. The PHP developers don't encourage remote includes. It forces your server to make more requests than necessary, and it opens you to security risks that could be easily avoided by using your own server. I guess the real question is why you can't just have these files on the local server...?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

joncampbell wrote:but I am assuming that the php development community would disagree.
I guess you're right. What you're proposing would be inconsistent (and impossible).
I think you're not aware that http://www.example.com doesn't send the source code of include.php but the output of the script's execution (if that server is configured to run php scripts).
joncampbell
Forum Newbie
Posts: 24
Joined: Fri Mar 11, 2005 12:57 pm
Location: Irvine, California, USA

Post by joncampbell »

I know that with the url include function that the source is not sent, but the PHP session management still functions for the included files, just like the auto addition of the PHPSESSID to all forms and GET requests. If you use a url include they could pass a GET or POST variable to signify that it is a url include and not a basic fopen(). What I guess I will have to do is go to another language; ajax offers the capability I am looking for here. I guess that php just doesn't have the support. Sadly enough I have asked 2 times also, and no one here has listed an alternative approach to what I am trying to do other than the obvious super bulky monster class php file approach that the industry is trying to move away from.

I do appreciate the feedback that was given. I was hoping for an alternate approach, or that I was missing something obvious :(

Thank you again,
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You'll simply need to send its source code based on IP address ranges or something similar. As long as it contains no sensitive data you're perfectly fine doing this, but if the code is altered you could be in a world of hurt.

It's probably better to store the file locally anyways as the time delay will make the page performance horrendous for a user experience. Even having a scheduled download of the file (that doesn't need user interaction) could work.
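
A sketch of the scheduled-download approach described in the post above, as an added example that is not code from the thread: a cron-run script fetches the unparsed source, refuses it unless it matches a pinned SHA-256 digest, and installs it atomically so that main.php can include a local path. The source URL, the local path and the way the digest is recorded are assumptions.

```php
<?php
// Added example, not code from the thread. URL, paths and digest handling are assumptions.

// Fetch the unparsed source (for example served as .txt) with a timeout.
function fetch_source(string $url): ?string
{
    $ctx  = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

// Install $code at $dest only if its SHA-256 matches the pinned digest.
function install_if_trusted(string $code, string $pinnedSha256, string $dest): bool
{
    if (!hash_equals(strtolower($pinnedSha256), hash('sha256', $code))) {
        return false; // altered or unexpected content: keep the previous local copy
    }
    $tmp = tempnam(dirname($dest), 'inc');
    if ($tmp === false) {
        return false;
    }
    if (file_put_contents($tmp, $code) !== strlen($code)) {
        unlink($tmp);
        return false;
    }
    chmod($tmp, 0644);
    return rename($tmp, $dest); // atomic replace on the same filesystem
}

// Demonstration with constructed content instead of a live download.
// A cron job would instead pass fetch_source('https://www.example.com/include.txt')
// after checking it for null.
$dest    = sys_get_temp_dir() . '/include.local.php';
$good    = "<?php echo basename(\$_SERVER['SCRIPT_NAME']), PHP_EOL;\n";
$pinned  = hash('sha256', $good); // in practice: recorded when the code was reviewed
$altered = $good . "// line added after review\n";

var_dump(install_if_trusted($good, $pinned, $dest));    // matches the pinned digest
var_dump(install_if_trusted($altered, $pinned, $dest)); // does not match, not installed

include $dest; // local include: SCRIPT_NAME is the including script's name
```

With the file included from a local path, `allow_url_include` can stay disabled and page loads no longer wait on the remote server.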