php url include questions

Posted: Sun Sep 16, 2007 12:48 am
by joncampbell
I already know that a lot of people think that url includes are very insecure, and they are, but I am using scripts that require them, so I am kinda stuck with them for the meantime.

My question is that I have 1 script, for example main.php, and this script is including another file, for example include.php.

This is included as follows:

main.php

<?php
include ('http://www.example.com/include.php?somevar=1');
?>

include.php

<?php
echo basename($_SERVER['SCRIPT_NAME']);
?>

Why is it that the include.php always shows "include.php", and never "main.php"? How can I tell what script is including another from a script that is included via a url? Is this possible? Have you run into this problem, and how did you correct it?

Any help is appreciated, Thank you

Posted: Sun Sep 16, 2007 12:55 am
by feyd
Without telling the remote script, it has no clue.

Posted: Sun Sep 16, 2007 1:32 am
by joncampbell
Isn't that supposed to be one of the benefits of using include instead of just using fopen()? I would assume that this is something that other people would want. If I use include with a local path the $_SERVER['SCRIPT_NAME'] would show the original filename, not the included one; that's why they created the magic constant __FILE__.

Posted: Sun Sep 16, 2007 1:49 am
by s.dot
Good point raised here. When you include a script into another script, the script takes on the scope of the calling script (at least from the scope where you call include). Same scope means it will act as if it is part of the script.

About the magic constants:
http://www.php.net/include wrote:So, it will follow the variable scope of that function. An exception to this rule are magic constants which are evaluated by the parser before the include occurs.
EDIT| Never mind. I totally misread your original post.

Posted: Sun Sep 16, 2007 4:38 am
by mrkite
joncampbell wrote:isn't that supposed to be one of the benefits of using include instead of just using fopen()?
Yes.. if you included a file on the same server. When you include a URL, the script goes to that URL and fetches its contents. The remote PHP executes the script no different than if you had gone to that url in a browser.

This is actually what causes problems.

If you took include.php and called it include.txt so that when fetched from the server it was returned with all the php code unparsed, then main.php would execute that php code locally.

Posted: Sun Sep 16, 2007 6:59 am
by playgames
included only be on the same site.

a remote file. maybe file_get_contents();

Posted: Sun Sep 16, 2007 8:05 am
by superdezign
mrkite wrote:If you took include.php and called it include.txt so that when fetched from the server it was returned with all the php code unparsed, then main.php would execute that php code locally.
Not without eval().

Posted: Sun Sep 16, 2007 8:41 am
by feyd
superdezign wrote:
mrkite wrote:If you took include.php and called it include.txt so that when fetched from the server it was returned with all the php code unparsed, then main.php would execute that php code locally.
Not without eval().
include() doesn't need eval(). ;)

Posted: Sun Sep 16, 2007 8:45 am
by superdezign
Really? That's interesting. ^_^

Posted: Mon Sep 17, 2007 2:11 am
by joncampbell
The main purpose of this is that I would like the files to be able to function on their own, if I was to change the filename of one of the 2 included files to something.txt then I wouldn't be able to execute it as php on the local server.

I hope php 6 has addressed this issue. I can't imagine that I am the only person that is trying to take advantage of this type of setup. I personally think that this is a bug, but I am assuming that the php development community would disagree. I think that the predefined variable $_SERVER['SCRIPT_NAME'] should work across url included includes; if it doesn't there is no benefit to using url includes over standard fopen() requests. In truth it is better to use fopen() as you can pass it directly to a variable.

I am having session management issues with the standard fopen() requests, so I hoped that the url include method would resolve these issues, but sadly enough I haven't had any luck.

I appreciate any input, as I hope to have this problem remedied as soon as possible, so I can get back to coding.

Posted: Mon Sep 17, 2007 6:33 am
by superdezign
joncampbell wrote:if it doesn't there is no benefit to using url includes over standard fopen() requests, in truth it is better to use fopen() as you can pass it directly to a variable.
Correct. The PHP developers don't encourage remote includes. It forces your server to make more requests than necessary, and it opens you to security risks that could be easily avoided by using your own server. I guess the real question is why you can't just have these files on the local server...?

Posted: Mon Sep 17, 2007 6:41 am
by volka
joncampbell wrote:but I am assuming that the php development community would disagree.
I guess you're right. What you're proposing would be inconsistent (and impossible).
I think you're not aware that http://www.example.com doesn't send the source code of include.php but the output of the script's execution (if that server is configured to run php scripts)

Posted: Mon Sep 17, 2007 11:17 am
by joncampbell
I know that with the url include function that the source is not sent, but the PHP session management still functions for the included files, just like the auto addition of the PHPSESSID to all forms and GET requests. If you use a url include they could pass a GET or POST variable to signify that it is a url include and not a basic fopen(). What I guess I will have to do is go to another language. ajax offers the capability I am looking for here; I guess that php just doesn't have the support. Sadly enough I have asked 2 times also, and no one here has listed an alternative approach to what I am trying to do other than the obvious super bulky monster class php file approach that the industry is trying to move away from.

I do appreciate the feedback that was given. I was hoping for an alternate approach, or that I was missing something obvious :(

Thank you again,

Posted: Mon Sep 17, 2007 1:57 pm
by feyd
You'll simply need to send its source code based on IP address ranges or something similar. As long as it contains no sensitive data you're perfectly fine doing this, but if the code is altered you could be in a world of hurt.

It's probably better to store the file locally anyways as the time delay will make the page performance horrendous for a user experience. Even having a scheduled download of the file (that doesn't need user interaction) could work.
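
The scheduled download suggested in the last post, sketched as an added example that is not code from any poster in this thread: a cron-run script fetches the unparsed source, rejects it if it does not match the hash of a reviewed copy, and installs it for a plain local include. The URL, the cache path and the pinned hash are placeholder assumptions.

```php
<?php
// Added example. REMOTE_SOURCE, LOCAL_COPY and PINNED_SHA256 are placeholders
// (assumptions); replace them with your own values.
const REMOTE_SOURCE = 'https://www.example.com/include.txt'; // served unparsed
const LOCAL_COPY    = __DIR__ . '/cache/include.php';
const PINNED_SHA256 = 'REPLACE_WITH_SHA256_OF_REVIEWED_FILE';

// Accept fetched source only if it matches the hash of the reviewed version.
function verify_source(string $source, string $expectedSha256): bool
{
    return hash_equals(strtolower($expectedSha256), hash('sha256', $source));
}

// Write to a temp file and rename it into place, so a page request never
// includes a half-written copy.
function install_atomically(string $source, string $target): bool
{
    $tmp = tempnam(dirname($target), 'inc');
    if ($tmp === false || file_put_contents($tmp, $source) === false) {
        return false;
    }
    chmod($tmp, 0644);
    return rename($tmp, $target);
}

// Fetch, verify, install. On any failure the previous local copy is kept.
function refresh_local_copy(): bool
{
    $ctx = stream_context_create([
        'http' => ['timeout' => 10, 'follow_location' => 0],
    ]);
    $source = @file_get_contents(REMOTE_SOURCE, false, $ctx);
    if ($source === false || !verify_source($source, PINNED_SHA256)) {
        error_log('include refresh rejected: fetch failed or hash mismatch');
        return false;
    }
    return install_atomically($source, LOCAL_COPY);
}

// Run from cron on the command line, never from a web request.
if (PHP_SAPI === 'cli') {
    exit(refresh_local_copy() ? 0 : 1);
}
```

main.php then uses include __DIR__ . '/cache/include.php'; so $_SERVER['SCRIPT_NAME'] reports main.php and allow_url_include can stay Off in php.ini.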