Help? Assign include to a variable

Posted: Mon Apr 07, 2008 3:21 am
by calfellows
Hello,

Trying to assign an include to a variable. The include is a script,
not html, and so the include will also need to be processed. :crazy:
I'm on the right track??? but I don't understand this one.. Anyone?????

Code:

 
<?php 
 
/* EDIT: THIS IS NEWLY RESOLVED SCRIPT */
 
ob_start();
include 'file.php';
$content = ob_get_clean();
 
 
# Echo the Parameters
     echo Fill_data($content); 
# function looks above/below in same document, and also looks in buffer
    function Fill_data($content) 
{ 
    return 
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"'."\n". 
    ' "http://www.w3.org/TR/html4/strict.dtd">'."\n\n". 
    '<html lang="en">'."\n". 
    '<head>'."\n". 
    "</head>\n\n". 
    "<body>\n". 
 
    "<div>{$content}</div>\n".
    
    "</body>\n". 
    "</html>"; 
} 
?>
 

Re: Help? Assign include to a variable

Posted: Mon Apr 07, 2008 7:49 am
by lafever
Are you just trying to include a file in your page? Why don't you just do this if you are.

Code:

 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en">
<head>
</head>
<body>
 
<div><?php
    if (isset($_GET['content'])) {
        $pgcontent = $_GET['content']; }
    else { $pgcontent = 'content.php'; }
    include ($sourcedir . $pgcontent);
?>
</div>
 
</body>
</html>
 
 

Re: Help? Assign include to a variable

Posted: Mon Apr 07, 2008 9:48 am
by onion2k
Stop and think about the security implications of your script. What if someone changed the $_GET['content'] to "../../path/to/passwd"?

Never let people include any file they want to.

Re: Help? Assign include to a variable

Posted: Mon Apr 07, 2008 10:15 am
by Jonah Bron
If you want the contents of a file in a variable, use file_get_contents(string $file), or file(string $file). Onion2k is right. Google up on security issues in PHP.

Re: Help? Assign include to a variable

Posted: Mon Apr 07, 2008 10:34 am
by calfellows
Hello,

Need to keep the php above the html, only
variables in the html, as the html is always changing,
via includes for different "themes".

re security; Nobody can "$_GET" any file they want due to the
server root prefixed in all of my includes.
include ('var/www/vhosts/sirpub.hidden.com/httpdocs/static/...')
is on all of my includes, which locks you to one single
folder.


// $content = file_get_contents($filename); //
is not allowing me to include a script, returns content as
simple text or html. I want to grab an entire "include('filename')"
by calling "$content". It keeps returning either the content as
text or returning the damn file name, but not the script.

Do any of you guys understand this?
http://www.scrivna.com/blog/2008/02/27/ ... -variable/
or this:
http://www.ejeliot.com/blog/83

Please and Thanks,
Cal

Re: Help? Assign include to a variable

Posted: Mon Apr 07, 2008 10:41 am
by onion2k
calfellows wrote: include ('var/www/vhosts/sirpub.hidden.com/httpdocs/static/...') is on all of my includes, which locks you to one single folder.
If $_GET['file'] was "../../../../../../etc/passwd" I'd have your passwd file. Even if you've sandbox'd PHP to only be allowed access to stuff above the web root (httpdocs) I could do "../index.php" and grab the source of your index file. That would tell me the name of any include files you're using. Then I could do "../includes/constants.inc.php" and grab your database connection details ... that would bag me all your users' details ...

Do you see the problem?

EDIT: Actually, it wouldn't give me the source if you're using include(), it would run the script a second time. That could still be pretty dodgy and might give up other useful information for a hack on your server. Needless to say, including things set in $_GET is a bad idea.
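
An added example (not part of onion2k's post or any code in this thread) showing why a fixed directory prefix does not confine an include: the prefixed path is resolved with realpath() and rejected unless it still lies inside the base directory. It assumes PHP 7.1 or later; the helper name resolve_inside() and the temporary directory layout are constructed for the demonstration.

```php
<?php
// Added example: constructed layout in a temp dir, not the poster's server.
$root   = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
$static = $root . '/httpdocs/static';
mkdir($static, 0700, true);
file_put_contents($static . '/about.php', 'about page');
file_put_contents($root . '/httpdocs/index.php', 'front controller source');

/**
 * Hypothetical helper: return the canonical path of $requested if it is a
 * regular file inside $baseDir, or null if it is missing or escapes it.
 */
function resolve_inside(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested); // collapses ../ and symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Trailing separator so that /static_old is not accepted for /static.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed request values, as they would arrive in $_GET['content'].
foreach (['about.php', '../index.php', 'missing.php'] as $requested) {
    $naive   = realpath($static . '/' . $requested); // prefix only, no check
    $checked = resolve_inside($static, $requested);
    printf(
        "%-12s prefix-only => %s | checked => %s\n",
        $requested,
        $naive === false ? '(no such file)' : $naive,
        $checked ?? 'rejected'
    );
}

// Remove the constructed files again.
unlink($static . '/about.php');
unlink($root . '/httpdocs/index.php');
rmdir($static);
rmdir($root . '/httpdocs');
rmdir($root);
```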

Re: Help? Assign include to a variable

Posted: Mon Apr 07, 2008 11:17 am
by calfellows
onion,

To eliminate all $_GET queries from the http address bar, this would mean that
I would need independent urls for every page in the site, with no static
page really necessary, no front controller script (index.php?content=pg.php).
Is this common? I'm not using a dbase at this time.

Look at my original post, this is exactly what I'm trying to do.
1. include the html below all content using function to fill/format it.
2. eliminate $_GET if I can figure how to do an include by calling "$content".

Thanks in Advance,
Cal

Re: Help? Assign include to a variable

Posted: Mon Apr 07, 2008 11:35 am
by onion2k
You can secure a front controller quite easily. Something like...

Code:

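// Only the keys listed here map to a file; anything else gets the default page.
switch (isset($_GET['file']) ? $_GET['file'] : '') {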
  case "company": include("company.php"); break;
  case "about": include("about.php"); break;
  case "products": include("products.php"); break;
  case "wombles": include("wombles.php"); break;
  default: include("index.php"); break;
}
 
Obviously that's a pretty trivial example, but it demonstrates the obvious point about front controllers - you should never include a file that the user has specified unless you want to let them. Only ever include something that you want the user to be able to see. Generally that means maintaining a whitelist.

Re: Help? Assign include to a variable

Posted: Mon Apr 07, 2008 11:50 am
by calfellows
Was using two $_GET queries, one for title and
one for content. I am now moving the titles to
the content includes and using (php function) to
sort it all out. This is why you are seeing the
html below the php.

Cal

run this

Code:

 
<?php 
 
/* CONTENT PAGE (pulls/fills template below) */
/* Non Front Script Mode */
/* No Query or Ugly Urls: Echo template below content */
/* included file needs to return, not echo */
 
# ALL PARAMETERS HERE 
$template = "2"; /* template number */
$title = "Main Page: hidden.com"; 
$columns = "1"; /* 1,2,or3 */
$content = "my content"; /* content */
 
// TEMPLATE TO BE FILLED // 
include_once($sourcedir . 'noquery'.$template.'_template.php');
 
?>
 
 
 
with this content include

Code:

 
<?php 
 
/* TEMPLATE PAGE: CONTENT PAGES PULL THIS IN */
 
# Echo the Parameters
     echo Fill_data($title, $columns, $content); 
# function looks above/below in same document, also looks in buffer (see first post)
    function Fill_data($title, $columns, $content) 
{ 
    return 
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"'."\n". 
    ' "http://www.w3.org/TR/html4/strict.dtd">'."\n\n". 
    '<html lang="en">'."\n". 
    '<head>'."\n". 
 
'<link rel="stylesheet" type="text/css" href="css'.$columns.'.css" /> '."\n".
 
    "<title>{$title}</title>\n". 
    "</head>\n\n". 
    "<body>\n". 
    $content. 
 
 
    "</body>\n". 
    "</html>"; 
} 
?>
 
and you'll see this:

Code:

 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
 "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<link rel="stylesheet" type="text/css" href="css1.css" /> 
<title>Main Page: hidden.com</title>
</head>
<body>
my content</body>
</html> 
 
Leaves me back to title of this post.
Need $content to do an entire include.
Cal

Re: Help? Assign include to a variable

Posted: Tue Apr 08, 2008 8:45 am
by calfellows
Hello,
For the record, this was resolved on
programmingtalk dot com like this:

Code:

 
// This loads include into memory buffer for later display // 
ob_start();
include 'file.php';
$content = ob_get_clean();
 
// Later display 
echo $content; // display the parsed output of file.php
 
ob_start() is a function which collects all output to
the browser starting from when it's called, until
ob_get_clean() is called, which in this case, sends
all the output to a variable. So what this is doing is
collecting output to the browser from the include()/require(),
stopping it in its tracks, (loads into a buffer), and putting it
into a variable, which you can output/modify later.


Cal
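
An added example, not code from any poster in this thread, that combines the allow-list front controller with the ob_start()/ob_get_clean() capture: the request value only selects a key, and the page's output lands in $content. It assumes PHP 7 or later; the PAGES map, render_page() and the two sample page files are hypothetical.

```php
<?php
// Added example: page keys and file names are constructed for illustration.
const PAGES = [
    'company' => 'company.php',
    'about'   => 'about.php',
];

/**
 * Run an allow-listed page script and return what it printed.
 * The request value only selects a key; it never becomes part of a path.
 */
function render_page(string $key, string $dir, string $default = 'about'): string
{
    $file = PAGES[$key] ?? PAGES[$default];
    ob_start();
    try {
        include $dir . '/' . $file;
        return ob_get_clean();
    } catch (Throwable $e) {
        ob_end_clean(); // drop partial output instead of leaking it
        throw $e;
    }
}

// Constructed page scripts in a temp dir so the example runs stand-alone.
$dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/about.php', '<?php echo "About ", strtoupper("us");');
file_put_contents($dir . '/company.php', '<?php echo "Company ", 6 * 7;');

// Values as they would arrive in $_GET['file']; the traversal string is the
// one quoted earlier in the thread and simply falls back to the default page.
foreach (['company', '../../../../../../etc/passwd', ''] as $requested) {
    $content = render_page($requested, $dir);
    echo htmlspecialchars($requested), " => <div>{$content}</div>\n";
}

// Remove the constructed files again.
array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```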