This question already has answers here:
Prevent direct access to a php include file
(33 answers)
Closed 7 years ago.
I am somewhat of a newbie in PHP and I want to learn. I am making a project in which I use require('parts/header.php') statements to include functions and templates. My pages look like this:
<?php
include('core/checklogin.php');
//This will check if the user is logged in and can see this page or not
include('parts/top.php');
//This loads the <head> tags and the header, including the navbar
?>
<section id="mainArea">
<h1>Hello <?php echo getUserNickname()?></h1>
<p>Some stuff</p>
</section>
<?php
include('parts/bottom.php');
//This loads the <head> tags and the header, including the navbar
?>
The problem is that if someone enters myproyect.com/parts/top.php he would see the top part, and that file is going to be executed. I don't want that. I was thinking of doing some stuff in a .htaccess file like:
#.htaccess inside parts directory
dont_serve_anything_inside_this_directory_and_return_forbidden();
But I don't know how without affecting the server side code.
Another alternative is to use the equivalent of if __name__ == 'main': of python, and do like:
//parts/top.php
if(__name__ == 'main'){
header('Location: /index.php');
exit();
}
What could I do?
You need to create a .htaccess file inside the folder you want protected from direct outside access and put the following content there:
Deny from all
This will prevent users from being able to access your files using http://example.com/parts/bottom.php
Just add .htaccess to the parts folder.
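The include-side guard the question asks for (PHP's counterpart to Python's `if __name__ == '__main__'`), as an added example that is not part of the original posts. It compares the file's own path with the script the server was asked to run; answering with 403 instead of the question's redirect, and the placeholder markup, are assumptions.

```php
<?php
// parts/top.php -- added example; the path is the one used in the question.

// SCRIPT_FILENAME is the script the web server (or CLI) was asked to run.
// When this file is pulled in with include/require from index.php, that is
// index.php; when someone requests /parts/top.php, it is this very file.
$entryScript = realpath($_SERVER['SCRIPT_FILENAME'] ?? '');

if ($entryScript !== false && $entryScript === realpath(__FILE__)) {
    // Requested directly: send nothing from the template and stop.
    http_response_code(403);
    exit;
}
unset($entryScript); // do not leak the helper variable into the including page
?>
<header>
  <nav><!-- navbar markup (placeholder) --></nav>
</header>
```

Keeping parts/ outside the document root makes the files unreachable by URL in the first place, so this guard then only acts as a second layer.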
This question already has answers here:
PHP code is not being executed, but the code shows in the browser source code
(35 answers)
Closed 1 year ago.
Please bear with me as I am new to web dev. I am attempting to use the include function in PHP to display a header on a web page.
I am using two very simple files, placed in the same directory and am using XAMPP.
index.php
<html>
<body>
<h1>Hello</h1>
<?php
include('header.php');
?>
</body>
</html>
header.php
<p>Hello</p>
When I open index.php, the statements from header.php never show up. All I see is one "Hello", as printed in index.php.
I have attempted to follow many tutorials online similar to this (ex https://www.w3schools.com/php/php_includes.asp, https://www.tutorialrepublic.com/php-tutorial/php-include-files.php), but none of them work for me.
Please let me know if you have any advice.
For security reasons you should use the following statements instead of include, unless you have a good reason to not do so:
Either
require_once 'header.php';
or
require 'header.php';
This will cause an E_ERROR in case the file was not found or you don't have permissions to include it. Otherwise you run the risk of not executing code which is mandatory for your program.
This question already has answers here:
When do I have to declare session_start();?
(2 answers)
Closed 9 years ago.
So I'm starting my own website and I have the login file pretty much made. I just need to figure out where to put the session_start to keep the user logged in. Where exactly do I put the session_start? Do I put it right in the login file? Or where do I put it?
Thanks for the help
Put it after your PHP start tag <?php ... like this
<?php
session_start();
//... your code....
//more code....
Read more on sessions in the PHP Manual.
Note : Also keep in mind, you need to call session_start(); on each and every page if you are making use of session variables.
Put it right after the start tag, or else headers will have been sent, and the session, AFAIK, has to be the first header sent.
<?php
session_start();
//session code here
?>
Right after <?php tag.
Be sure that there is NO output before this function (even a space symbol or so).
You want to put session_start(); at the top of your page before any other code. However, if you are using includes to make your life easier, it's best to put it at the very top of a file that is included in all files. For instance, when I make a website, I put all of my header code and footer code in separate files and include them in the other files. I also have a functions file that is included in every other page of the website. So for my index file, it may look something like this:
<?php include_once("includes/header.php"); ?>
<div id="content">
Website Content
</div>
<?php include_once("includes/footer.php"); // full open tag: short tags depend on short_open_tag ?>
Then, my header file would start like:
<?php include_once("includes/functions.php"); ?>
<!doctype html>
<html>
<body>
Then at the top of my functions file:
<?php session_start();
[functions]
?>
In this way, the functions file's code gets run first, therefore the session start code is the very first thing hit. Why? You cannot have any type of output to the browser before starting a session.
It's better to have a separate file, other than your login file, to do common stuff.
I think your login file will generally be handling user verification and validation, so don't include that file on every page.
Have one more file that
includes all required files
keeps all your analytic scripts
initializes global variables
and you can start this file with <?php session_start(); ?>
session_start() needs to go in every page/file that refers to $_SESSION (obviously the login page is included).
Because you should only be calling it once, I tend to write a lazy_session_start() method (and tend to put it in an include file):
/**
* Lazily calls session_start (to prevent warnings).
*/
function lazy_session_start() {
if (!isset($_SESSION) || !is_array($_SESSION)) {
session_start();
}
}
It could be called like so (before you need to use $_SESSION):
<?php
//you must either declare "lazy_session_start" function
//or import the file containing the function definition.
require_once('lazy_session_start.php'); //or something.
lazy_session_start();
//... you may now use the $_SESSION array.
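A session bootstrap in the spirit of the answers above (one shared include, started once, before any output), as an added example that is not code from any of the posts. The file name, the function names and the cookie settings are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// includes/session_bootstrap.php -- added example; hypothetical file name.

/** Start the session once per request, and only while headers can still be sent. */
function start_session_once(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // another include already started it
    }
    if (headers_sent($file, $line)) {
        // Any output, even a blank line before the opening tag, means the
        // session cookie can no longer be set. Fail loudly instead of
        // running the page without a session.
        throw new RuntimeException("Output started at {$file}:{$line} before session_start()");
    }
    session_set_cookie_params([
        'lifetime' => 0,      // cookie lasts until the browser closes
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call from the login script after the password has been verified. */
function mark_logged_in(int $userId): void
{
    start_session_once();
    // Issue a fresh session id and delete the old one, so an id planted
    // before login cannot be reused afterwards (session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

/** Returns the logged-in user's id, or null for an anonymous visitor. */
function current_user_id(): ?int
{
    start_session_once();
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}
```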
This question already has answers here:
Include another HTML file in a HTML file
(41 answers)
Closed 8 years ago.
For example, my website is "myweb.com". How can I do an operation like the following?
include(http://myweb.com/file);
This is an internal URL.
For example, I want to include
http://myweb.com/process.php?action=update
This is not a file:
"?action=update"
So how can I do this operation?
To include pages with PHP, simply put the following code in a.html, where you would like the code to appear:
<?php
include "b.html";
?>
You can't include an HTML document into another HTML document.
You can do that using PHP but the file that includes the other must be a PHP document. In your example a includes b therefore a is a.php while b can stay b.html.
Then inside a.php you can write:
<?php echo file_get_contents('b.html'); ?>
and the content of b.html will be included into a.php.
This question already has answers here:
How to create a template in HTML?
(3 answers)
Closed 9 years ago.
I looked around, but couldn't find a satisfying answer.
Problem:
I have a menu bar that appears on the top of the page. I want it to show across all of the pages on the website. So how would someone do that without copying the same code each time? Would someone use html, php, css, or javascript/jQuery to accomplish this?
Note: I want to have a separate html file to access the information from.
From what I have seen, this is typically done with php using a template file.
The template file may have HTML code in it that you want to display on every page, as well as placeholders for content that is page specific. e.g: template.php
<html>
<head>
<title><?php print htmlspecialchars($title, ENT_QUOTES, 'UTF-8'); /* escape: the title is text, not markup */ ?></title>
</head>
<body>
<nav>Test</nav>
<?php print $content; ?>
</body>
</html>
In this case, as long as $title and $content variables are set, you can then do a include 'template.php'; to output this HTML code in other php files.
Read more about php's include.
It seems that you will need to use include, although an explanation on how to use it (or at least an example) can be found here: https://www.youtube.com/watch?v=XmoF-6vshSI
I have two headers: one to display for a logged in user, and one to display when logged out/not a member. I also have a footer that should be duplicated on each page. I had the idea to use SSI to include the header and footer.
As of now, we haven't started much server-side processing, and thus don't keep track of logged in/logged out users. As such, for now, I just want to use the page that is including the header to determine which to display. I had the idea to use a PHP file as the header instead of an SHTML file, so I could do some processing to determine which header to show.
So is it possible to determine which page is calling the include with PHP?
Am I going about this all wrong? If so, what solution is more appropriate?
For example, each html page fits this general layout:
<html>
<head>
<!-- relevant header calls -->
</head>
<body>
<div id="body">
<!--#include virtual="header.php"-->
<!-- actual page content -->
</div>
<!--#include virtual="footer.shtml"-->
</body>
</html>
And in header.php I want something like:
<?php
if(/*page is a non-logged in page*/){
echo(/*logged out header*/);
} else {
echo(/*logged in header*/);
}
?>
So is it possible to determine which page is calling the include with PHP?
No idea. But if it is possible it will be via $_SERVER. Put this in your header.php for testing:
<?php
echo '<pre>';
print_r($_SERVER);
echo '</pre>';
However, if the page is being requested as *.html with Server-Side Includes I can't even begin to predict what kind of havoc this is going to play with PHP Sessions. I have doubts that session_start() will ever be able to set proper headers in this context, or if the PHP session cookie will ever be sent to the client or be passed through SSI back to PHP.
As far as I am aware/concerned SSI should only ever be used to include static content or dynamic content that does not rely on any sort of interaction with the user, including something as basic as if they're logged in or not. SSI is a kludge between static and dynamic pages and should be referred to as "kinda-sorta-dynamic-but-not-really".
Short answer: SSI is going to be a massive pain in the ass, ditch it and just use PHP include().
Edit: Your page would look something like this at the most basic level, and is not really any more complex than using SSI. If you took a more MVC-oriented approach [namely the C and V parts] it would become more manageable:
<?php
session_start();
// other initialization
?><html>
<head>
<!-- relevant header calls -->
</head>
<body>
<div id="body">
<?php
// !empty() also covers the case where the key was never set
if(!empty($_SESSION['is_logged_in'])){
echo '<!-- logged in header -->';
} else {
echo '<!-- logged out header -->';
}
?>
<!-- actual page content -->
</div>
<?php include("footer.php"); ?>
</body>
</html>
For the sake of ease in programming it's best to use one or the other. It's best to go with PHP exclusively because:
Massive support community at php.net
In most implementations it's faster than using the SSI because PHP is designed to do all of the processing and parsing of PHP code, whereas an SSI has to read your SHTML page (after it's written) and sift between comments and includes, then include all of the components.
If you're including PHP pages as SSIs you're making Apache wait on PHP, whereas if you were using PHP alone it would have already delivered the page.
You can do things with databases and a lot more with PHP.
PHP pages can't be accessed from the server without being processed, so there is less risk of someone exploiting your code vulnerabilities if you're using standard practices.
SSIs are plainly readable as code (and very limited).
You can include an SSI with PHP if you're running PHP as an Apache Module, using the function virtual(), but why would you want to? You can include() just about anything into PHP.
Example
I'm going to use an account management site as an example. To make the header dynamic you'll need to find the $var for the page calling it (I'm going to use $_SERVER['REQUEST_URI']). There are several reserved server variables in PHP that you can reference to make calls depending on circumstances. So let's say the authorized directory where all logged in pages go is called "auth"; your common shell file might look like this:
<?php
//Check for the page the person is asking for
session_start();
$root = $_SERVER['DOCUMENT_ROOT'];
//Check for the "auth" directory
if(preg_match('!^/?auth!',$_SERVER['REQUEST_URI'])){
//Do some check to see if they've been authenticated... this one is not secure, but you get the idea
if($_SESSION['logged_in']){
//Require the correct header
require_once($root.'/includes/logged-in-header.php');
} else {
//They don't belong or they're not logged in, kick them back to the login page.
header("Location: /login.php?e=1");
die();
}
} else {
//It's not an authorization required page, so show the standard header.
require_once($root.'/includes/non-auth-header.php');
}
//let's find out the page that's loading the shell.
//basename() keeps only the file name, e.g. "/auth/billing.php" becomes "billing.php"
$pageName = basename($_SERVER['SCRIPT_NAME']);
switch($pageName){
/*Auth pages*/
case "billing.php":
require_once($root.'/includes/billing.php');
break;
case "account.php":
require_once($root.'/includes/account.php');
break;
case "logout.php":
require_once($root.'/includes/logout.php');
break;
default:
//show the login page
require_once($root.'/includes/login.php');
}
require_once($root.'/../shell.php');
require_once($root.'/includes/footer.php');
?>
So if you were in the auth directory and you were not logged in, you would get the homepage. If you're in the auth directory on the billing.php page and you are logged in, the site would load the billing page.
The auth/billing.php code might look like this:
require_once($_SERVER['DOCUMENT_ROOT'].'/../shell.php');
The include/billing.php code would contain all of workings of the page and it can be formatted in HTML, but you'd probably pull that stuff from a database.