I am currently working on my database to keep my customer's name, birthday, and email, in order to send an email two weeks prior to the customer's birthday.
I have followed the "Derek Banas" YouTube tutorial, but when I tried to access my code there were several errors.
http://i.imgur.com/djGeBd0.png
I realized there was a path error when I use this code
require_once('http://grillontherock.x10host.com/CustomerInfo/mysqli_connect.php');
I put my files in the necessary location (I think)
http://i.imgur.com/TdQIEk3.png
Some guy told me to use x10host but I really do not know main purpose of this hosting website.
Thanks for any help you can provide :)
Assuming that require_once is used in one of the other files shown in that second picture, you shouldn't use the whole URL like that. require_once takes a file path, and a path relative to the file doing the requiring will work. Since the file you're including is in the same directory, you should be able to just use
require_once 'mysqli_connect.php';
First, I strongly recommend against including remote PHP files in your code. You don't have control over the contents, which could change without warning. This is especially dangerous when databases are involved.
I recommend getting the PHP source of that mysqli_connect.php file, adding it to your project, and then requiring it from there.
On a related note, you would need to set allow_url_include to true in your php.ini file per the documentation in order to successfully require remote scripts by URL. But again, please do not do this.
Hello, I am implementing PHP files from one website into another, and here is the error message I am getting when trying to open the following page with the implemented PHP files:
http://www.holidaysavers.ca/europe-destinations-canada.php
Basically, the PHP files I am importing from one website into another are identical; however, they work on the original website, but when I implement them in a new website they do not work anymore.
Could you assist me in trying to get this resolved?
Thank you
You can't include a PHP script that is on an external website/server into your local script - unless you enable allow_url_include on your php.ini (if you have access to it)
Instead, you can let that website/server render the page and get the resulting html output on your local script.
Replace this line in your script:
include('http://www.holidaysavers.ca/europe-canada.php?detour');
With this:
echo file_get_contents('http://www.holidaysavers.ca/europe-canada.php?detour');
Could you post the code from "europe-destinations-canada.php"? It looks like the script is asking to do stuff that's not configured in your php setup on this new site/server
I don't really know what kind of host you are using or if you are using XAMPP, but I do have an easy fix for it, for XAMPP and possibly other web server software. Go to your php.ini file, which you can search for or just look for in c:\xampp\php\php.ini; the php.ini should be in the php folder in the server software folder. Now search for allow_url_include in the php.ini file and then replace Off with On, if it isn't already on or something. This is most likely the fix because it worked for me.
I might be able to help further if I know whether you are using a hosting service or a home server. If you are using a hosting website, then please share what kind of hosting service you are using so I can inspect it further.
Using a random remote PHP file as an example.
The goal is to use this remote file locally and make sure it hasn't changed or been altered. The remote file will be downloaded one time only.
Hard-coding the SHA256 signature avoids using the network on startup. This is just a base that can be adapted to many scenarios, like checking for updates, depending on your needs.
<?php
$lib_url = "https://raw.githubusercontent.com/getopt-php/getopt-php/master/src/CommandInterface.php";
$lib_filename = basename($lib_url);
// SHA256 signature
$lib_signature = hash_file("sha256", $lib_url); // "dba0b3fe70b52adbb8376be6a256d2cc371b2fe49ef35f0c6e15cd6d60c319dd"
// Hardcode the signature to avoid a network call on startup:
//$lib_signature = "dba0b3fe70b52adbb8376be6a256d2cc371b2fe49ef35f0c6e15cd6d60c319dd";
// Strict comparison: with != two different "0e..." digests can compare equal as numbers
if (!is_file($lib_filename) || $lib_signature !== hash_file("sha256", $lib_filename)) {
    // No local copy found, or file signature invalid, get a copy
    // and check the fresh copy too, so a mismatching download is never loaded
    if (!copy($lib_url, $lib_filename) || $lib_signature !== hash_file("sha256", $lib_filename)) {
        @unlink($lib_filename);
        exit("Integrity check failed for $lib_filename\n");
    }
}
require $lib_filename;
It is very useful if you intend to share a program as a single file, without composer.
For a file hosted on GitHub, an ETag HTTP header is provided; it can be used to avoid downloading the whole file.
php -r 'var_dump(json_decode(get_headers("https://raw.githubusercontent.com/getopt-php/getopt-php/master/src/CommandInterface.php", 1)["ETag"]));'
//string(64) "c0153dbd04652cc11cddb0876c5abcc9950cac7378960223cbbe6cf4833a0d6b"
The ETag HTTP response header is an identifier for a specific version
of a resource. It lets caches be more efficient and save bandwidth, as
a web server does not need to resend a full response if the content
has not changed.
Warning: include() [function.include]: URL file-access is disabled in the server configuration in /home/content/91/8151691/html/HolidaySavers.ca/europe-destinations-canada.php on line 52
says it all. I believe this is called XXS. It appears you're attempting to include a URL based file which is denied in your server configuration which is either one of two things.
1. You're attempting to include the file on site B from site A, in which case you would use file_get_contents('WhateverFile'); instead of include('WhateverFile'); however, this will only return the client-side data, as it is an HTTP request;
2. You've duplicated the file on site B and forgot to update the domain configuration. Be sure that the include path reflects the site you're running the script on, i.e.
include(dirname($_SERVER['SCRIPT_FILENAME']) . DIRECTORY_SEPARATOR . 'WhateverFile.php');
In any case. I would have to actually examine the line 52 on the said file to see why PHP is complaining to you in detail lol
(Please be patient, this does have something to do with include.) I am waiting for a domain to transfer over and am trying to set it up on the new hosting service ahead of time. I realized that on the old site all the path names were absolute, so all my links on the new host point to pages on the old host. I decided to make them all relative (for future possible moves also). I first did it like this:
index.php
include ('./header.php');
header.php
include "./panel.php";
panel.php
Contents of panel.
This works, and my page displays:
Contents of panel.
Then I decided to set a variable for the domain because I want to include this header file from files in subdirectories and I can use the domain variable to make an absolute path. Right now I have a temporary domain name, which I can change later to the real domain name when the transfer comes through. So I changed header.php to:
$domain="http://tempdomain.com"; //I can change this after the transfer
$panel=$domain."/panel.php";
echo $panel;
if ((include $panel) !== 1)
{
echo "<br>include failed";
}
What I get is:
http://tempdomain.com/panel.php
include failed
I've looked at various sites for include syntax, but I can't find any error in my code. All these files are in the / directory. Any ideas?
When you include, you have to give the directory structure, not the URL.
Your hosting server path may be home/public/www/htdocs/your_directory_name/panel.php something like this. Then it will work.
Remote include is also possible
if
1. The server's php.ini allows it.
2. The file which will be included is not preprocessed before the include. That means it must return unprocessed code :)
First, the allow_url_fopen flag must be set in php.ini. Otherwise remote include() cannot be done. Run var_dump(ini_get("allow_url_fopen")); to see if it is the case.
Second, "Windows versions of PHP prior to PHP 4.3.0 do not support access of remote files via this function, even if allow_url_fopen is enabled." - see PHP docs
Third, your remote PHP script must produce valid PHP code as output. If you include() via http, then not the script itself, but its output will be included.
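A defender-side check for the pattern discussed in the threads above, as an added example that is not part of any of the original posts: it reports the two php.ini switches the answers mention and uses PHP's tokenizer to flag include/require statements whose argument contains a URL literal. find_remote_includes() is a hypothetical helper, and the sample source is constructed from the statements quoted in the questions.

```php
<?php
// Added example: find include/require statements that load code from a URL.
// Only URL literals are caught; a URL assembled in a variable beforehand
// (as in the $domain . "/panel.php" case) needs a manual review.

/** Return [line, statement] pairs for include/require of a URL literal. */
function find_remote_includes(string $source): array
{
    $include_tokens = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $tokens = token_get_all($source);
    $count = count($tokens);
    $findings = [];
    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || !in_array($tokens[$i][0], $include_tokens, true)) {
            continue;
        }
        $statement = $tokens[$i][1];
        $depth = 0;
        // Collect the argument: stop at ';' or at a ')' opened before the include.
        for ($j = $i + 1; $j < $count; $j++) {
            $t = $tokens[$j];
            if ($t === ';' || ($t === ')' && $depth === 0)) {
                break;
            }
            if ($t === '(') { $depth++; }
            if ($t === ')') { $depth--; }
            $statement .= is_array($t) ? $t[1] : $t;
        }
        // A quoted string that starts with a network scheme is a remote include.
        if (preg_match('~[\'"](?:https?|ftps?)://~i', $statement)) {
            $findings[] = [$tokens[$i][2], trim($statement)];
        }
    }
    return $findings;
}

// Constructed sample built from the statements quoted in the questions.
$sample = <<<'PHP'
<?php
require_once('http://grillontherock.x10host.com/CustomerInfo/mysqli_connect.php');
require_once 'mysqli_connect.php';
include('http://www.holidaysavers.ca/europe-canada.php?detour');
echo file_get_contents('http://www.holidaysavers.ca/europe-canada.php?detour');
PHP;

// Both settings should normally be reported as off ("" or "0") for include to stay local.
foreach (['allow_url_include', 'allow_url_fopen'] as $key) {
    printf("%s = %s\n", $key, var_export(ini_get($key), true));
}
foreach (find_remote_includes($sample) as [$line, $stmt]) {
    printf("remote include on line %d: %s\n", $line, $stmt);
}
```

On the sample, lines 2 and 4 are reported; the local require_once and the file_get_contents call are not.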
I need to connect to a mysql database using PHP. I am storing my login, user, password, and other info in a separate php file (let's say "mysql_connect.php") and then accessing it via require_once (mysql_connect.php) in a different file.
I have done a bit of googling and I know that I am supposed to keep "mysql_connect.php" out of the web root. I have moved it outside of the html folder and tried calling it by using "../../mysql_connect.php". This is not working; it gives me an error "function not found" or something like that. Upon googling that, the internet says that it's because it can't locate the file I'm referencing. When I move mysql_connect.php into a folder below root, everything works fine. The issue is because it is moved outside of the web root (I think).
I have been googling for two days now and cannot find a detailed explanation on how to get this to work. Something about changing the .htaccess file? I've read a bunch of articles on the theory but I am really looking for a step-by-step tutorial (I am a beginner). The only step-by-step tutorials I can find just tell you to put the config.php file into the same folder which is not secure.
Also, in reading, it says that putting mysql_connect.php above root might not be THE most secure way to store the information, as it is still basically just a .txt file and it can be retrieved easily (like downloading it). I am looking for a balance between secure and also doable (for a beginner like myself). The MySQL database I am trying to protect will not have any personal information and I plan on using a dedicated server (with no other information on it).
Can anyone help me to solve this issue?
it gives me an error "function not found" or something like that.
This.
Is your main problem.
You either didn't bother to read this error message yourself or didn't bring it here to help us to help you.
While
there is no problem in having this file below document_root,
and there is no problem in having this file above document root either,
the only problem you have is to assign a correct filename.
And the error message you got could help you more than 1000 volunteers from this site.
Despite that, you can use a PHP predefined variable to make this path work from whatever part of your site. Assuming the file is one level above the document root, the code would be
require($_SERVER['DOCUMENT_ROOT']."/../mysql_connect.php");
However, this one may produce an error too, as nobody knows the real file locations. Thus, you may read the error message and correct the paths. Or post it here and get an interpretation.
You can store the database information inside your web server configuration.
If you run Apache you can use SetEnv inside the VirtualHost. Since you're still on a shared host, your server admin probably needs to help you with this. You can read more about this approach here.
... tried calling to it by using "../../mysql_connect.php" This is not working, it gives me an error "function not found" or something like that.
Include the connection details with:
require_once("../../mysql_connect.php");
This assumes that the file mysql_connect.php is two levels up from the currently executing script.
The database connection details will always be able to be read by whoever has administrative access to the server. It is not feasible to encrypt the file, because you would still need to store whatever key or password is needed to decrypt it on the server as well, which would still not hide it from the server administrators.
Besides moving out of the web-root (which is a good step forward) an approach I've seen used is:
// at the top of your index or bootstrap file
define('SECURED', true);
And:
// at the top of any file subsequently included, such as mysql_connect.php
if(!defined('SECURED'))
{
exit();
}
This will at least prevent the file(s) from being accessed (executed) directly. This is helpful if the to-be-included files would otherwise issue a warning or error that could potentially dump sensitive data as output.
If you're in a shared hosting environment you won't be allowed access outside of document root (most likely). You will need the password, therefore it won't be completely secure. Instead, you can look into creating separate MySQL users with privileges and limiting connections to local accesses only.
I know I'm new, but something as simple as the form for your login should be checked in order for it to work.
<form action="insertphpfilepath.php" method="POST">
And then "insertphpfilepath.php" would have the mysql_query to check the login and password, not forgetting the mysql_query for connecting to the database and table using the right username and password.
A newbie recommendation to you: use mysql_real_escape_string for any $_POST['login'], so that it would become $login=mysql_real_escape_string($_POST['login']); to evade MySQL injection.
This may be a really stupid question... I started worrying last night that there might be some way to view PHP files on a server via a browser or some other means on a client machine.
My worry is, I have an include file that contains the database username and password. If there were a way to put the address of this file in to a browser or some other system and see the code itself then it would be an issue for obvious reasons.
Is this a legitimate concern?
If so how do people go about preventing this?
Not if your server is configured right. I think discussion on how that is done belongs on serverfault.
To add on to the other answers:
If you use a file extension like .inc there's indeed a higher risk. Can you open the file directly in your browser?
The most important advice is missing:
Only the files that should be accessed by a browser, should be in a publicly accessible location. All the other code (and configuration) should be in a completely separate directory.
For example
root
- webroot
- includes
- config
Only 'webroot' is exposed by your webserver (apache). Webroot can for example contain a single index.php, along with all your assets (javascript, css, images).
Any code index.php needs to load comes from 'includes' and all the configuration from 'config'. There's no way a user could ever directly access anything from those 2 directories, provided this is done correctly.
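The layout described above, as an added example that is not code from any of the posts: the credentials file lives in config, outside webroot, and is loaded through a path resolved on the filesystem, so a wrong filename produces a clear error instead of a later "function not found". resolve_inside() is a hypothetical helper, and the directory tree and credentials are constructed in a temporary directory so the script runs on its own.

```php
<?php
// Added example. resolve_inside() is a hypothetical helper, not a PHP built-in.

/** Resolve $name under $base_dir; fail loudly if it is missing or outside it. */
function resolve_inside(string $base_dir, string $name): string
{
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        throw new RuntimeException("No such file: $base_dir/$name");
    }
    // realpath() has collapsed any "..", so a prefix check is reliable here.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("$name resolves outside $base_dir");
    }
    return $path;
}

// Constructed layout in a temp directory: root/{webroot,includes,config}.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('layout_demo_');
foreach (['webroot', 'includes', 'config'] as $dir) {
    mkdir($root . DIRECTORY_SEPARATOR . $dir, 0700, true);
}
file_put_contents("$root/webroot/index.php", "<?php // public entry point\n");
// Constructed credentials file: it returns data and prints nothing.
file_put_contents(
    "$root/config/mysql_connect.php",
    "<?php return ['host' => 'localhost', 'user' => 'app', 'pass' => 'example'];"
);

// In a real webroot/index.php this would be dirname(__DIR__).
$app_root = $root;

$settings = require resolve_inside("$app_root/config", 'mysql_connect.php');
echo "loaded settings for user: {$settings['user']}\n";

// A misspelled name and a path that climbs out of config are both refused.
foreach (['mysql_conect.php', '../webroot/index.php'] as $bad) {
    try {
        resolve_inside("$app_root/config", $bad);
    } catch (RuntimeException $e) {
        echo 'refused: ', $e->getMessage(), "\n";
    }
}

// Remove the constructed tree.
array_map('unlink', glob("$root/*/*.php"));
array_map('rmdir', glob("$root/*"));
rmdir($root);
```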
This depends on the file extension you have given the include file.
If the extension is one that is known and executed by the web server, it will be protected. If you browse to the file, the server will try to execute the code rather than just returning it as plain text.
If the extension is not known by the web server it will serve it as plain data, so anyone (who can guess the file name) can browse to the file and see the source code.
A Directory Traversal Vulnerability can be used to obtain files off of the remote machine. Alternatively you can use MySQL based sql injection to read files using load_file(). You can also test your system with w3af's urlfuzzer which will look for "backup files", such as index.php.zip. Also make sure that all files have .php extensions, a .inc can be viewed from the public. I would also disable Apache directory listing.
Normally there should be no way to view the PHP files remotely... it would be absolutely pointless. This completely depends on what web server you are using and how it's setup though.
Having looked around I can see that it is possible to protect a directory via the .htaccess by adding these lines:
Order allow,deny
Deny from all
This apparently protects the directory so that only local non web-access is possible.
This allows me to keep my includes in a subdirectory of the main site directory which is good for organisation and it can be used on the projects where I do not have access to folders outside the web root.
Does anyone else use this method?
Just for good measure I've put the directory permissions to execute only.
And the include extension is PHP as suggested by others.
I'm working on a program right now that calls the script mail.php located in /var/www/vhosts/company/httpdocs. mail.php is trying to execute require_once dirname(__FILE__).'/../pear/Mail.php' to do an smtp send and the require_once is failing. My PEAR directory's located in /var/www/vhosts/company/pear. I then tried to add /var/www/vhosts/company/pear to the include_path but require_once is still failing.
I decided to take a step back and replace mail.php as a simple script that does file_exists(dirname(__FILE__).'/../pear/Mail.php') and prints the result to a logfile. When I run the script independently, it works fine and returns 1. When the flash program runs it, it's returning nothing. Printing out dirname(__FILE__).'/../pear/Mail.php' returns the same regardless if I run the script independently or if the flash file runs it. I've also tried chmod 777 on the Mail.php PEAR file but that didn't do anything.
Any ideas on what's going on?
I would bet anything it has to do with two things:
1) Flash/Actionscript normally does not access local file paths.
In other words, it probably isn't even executing the file.
As a compiled client-side module it needs an actual web-accessible URL. Part of the problem here is the design itself. Try it with an HTTP request within the actionscript and you will have better results. If you don't have access to the flash file.. well tough beans there.
Now if you are running a mail routine through actionscript? I would say that is a security risk. You are better off having the actionscript pass the routine to an AJAX receiver routine that checks session credentials and then sends mail.
2) CWDUP restrictions on the server.
Depending on certain server configurations, executables normally do not have access to filepaths outside their own root. (i.e. an executable cannot call ....\another directory\other file.) Some servers will allow this, but many won't.
You may want to make sure your PEAR directory is in your php.ini path variable. This way you don't need to use CWDUPs in your directory name at all, it will find it in the includes directory. (which is normally how pear modules work.)
So rather than using a buncha dot-dots.. try working down from the top.
$mailpath=$_SERVER['DOCUMENT_ROOT'].'/include/mail.php';
As a last resort, you can try copying the mail.php routine into the same directory and see if that works. If that still fails, then it's your include path to PEAR. (as the mail.php is probably calling PEAR functions.)