I want to include a file with php inside of a function, but for it to be used outside of the function.
function add( $F ){
$i = 3;
while( $i > 0 ){
$i--;
try{
if( ( include $GLOBALS['_SERVER']['DOCUMENT_ROOT'] . $F ) == 2 ){
break;
}
else{
sleep( 1 );
}
}
catch( Exception $e ){ }
}
die();
}
This function is automatically included thanks to auto_prepend_file.
index.php
add( '/cat.php' );
echo 'my' . $cat;
/cat.php
$cat = 'cat';
echo '...';
return 2; //rather not exist but doesnt seem like there's a choice
When index.php is loaded: Results in my... not my...cat.
include returns 1 even if a file was included or not. Well, if Notepad++ is 50% finished uploading a file that at the same time was included, it will return 1 and it seems like it just includes a empty file. Which is why == 2 exists in add function.
If I want to include something, I don't want an answer like you got lucky or nope, better luck next time or saving was taking too long, enjoy nothing, or a bunch of code everywhere.
So is this even possible? Or is there a better alternative? Can I use include_guaranteed (sarcasm)? I know similar questions were made, but those answers were mainly alternatives to what the user was doing or "why" related.
Related
I make some function in php, but I am getting stuck
if (isset($_GET['page']) )
{
$open = __DIR__.'/../view/html/'.$_GET['page'].'.php';
if (file_exists($open)){
include $open; //<<<<can i//
}
else {
"echo "The file not found";
}
}
If true, I want to include that file in another place, but how?
I am trying to put the code in where I want, but the __DIR__ is not working as I expected. I don't know how to fix it to become right. Solution cannot be found in the tutorial.
I would use:
if( isset( $_GET['page'] ) ) {
switch( strtolower( $_GET['page') ) ) {
case 'download':
include '../download.php';
break;
case 'blog':
include '../blog.php';
break;
// ... And so on
default:
echo 'File not found';
}
} else {
echo 'No file specified';
}
This way you have full control over which files can be included!
You have to do like this.
Use file_get_contents()
if (file_exists($open)){
file_get_contents($open);
}
The answer to your question is yes, that will work. Whether or not you should use readfile(), file_get_contents() or include depends on the contents of the file. If you have php code in that file, you need either include or require. But this actually brings up another problem.
As mentioned in the comments by #anonymous, you are exposing yourself to an LFI attack. To resolve this, pages should be defined as a whitelisted array. You should then check if the page is in the whitelisted array. If it is not, do not attempt to open that file.
$pages = array(
'page1',
'page2'
);
Then you can make a reference and check if it exists.
if(in_array($_GET['page'], $pages)){
//now check for the file
$open = __DIR__.'/../view/html/'.$_GET['page'].'.php';
if(file_exists($open)){
include $open;
}
} else {
//page does not exist, redirect them elsewhere.
header('Location: http://example.com/404.php');
}
In my temp_file.php i have a variable (array)
<?php
$temp = array();
?>
No in my currentPage.php i am using this
<?PHP
include 'temp_file.php';
///giving some value to $id and calling same page again
array_push($GLOBALS['temp'],$id);
?>
I want to use this temp array to append a value each time i call the same file(CurrentPage.php) but include 'temp_file.php'; statement is executing every time and i am getting single element to my array that i was last pushed.
Can any one help me is there any way in php to skip this include statement from second time to till the session end.
Since you mention sessions in your question, you must know about them. Then, why don't you store $temp variable in session, like:
$_SESSION['temp'] = $temp?
This is what you need ?
<?PHP
session_start();
if (!isset($_SESSION['temp']) {
$_SESSION['temp'] = array($id);
} else {
$_SESSION['temp'][] = $id;
}
$f = array_count_values($_SESSION['temp']);
if ($f[$id] < $Limit) {
include 'temp_file.php';
} else {
// Error
}
?>
You can store your array in $_SESSION, so your temp_file.php will become:
<?php
if(!$_SESSION['temp']) {
$_SESSION['temp'] = array();
}
?>
and your current page like this:
<?php
include 'temp_file.php';
array_push($_SESSION['temp'],$id);
?>
And you have to be careful to destroy your session variables when it ends.
None of the answers are correct.
include_once() will not work for you, as you will be loading the page again, even if it is the second time, as with every load the php will execute from the top.
Because include_once() will only stop the redundant inclusion in same execution, not multiple.
Here is a simple workaround to your problem
<?PHP
if(!isset($_SESSION['include']) || !$_SESSION['included'])) {
// ^ Check if it was included before, if not then include it
include 'temp_file.php';
$_SESSION['included'] = true; //set a session so that this part never runs again for the active user session
}
///giving some value to $id and calling same page again
array_push($GLOBALS['temp'],$id);
?>
<?PHP
if (!isset($GLOBALS['included_temp_file']) || $GLOBALS['included_temp_file'] != true) {
include_once 'temp_file.php';
$GLOBALS['included_temp_file'] = true;
}
///giving some value to $id and calling same page again
array_push($GLOBALS['temp'],$id);
?>
Is there any way to check if an included document via include('to_include.php') has returned anything?
This is how it looks:
//to_include.php
echo function_that_generates_some_html_sometimes_but_not_all_the_times();
//main_document.php
include('to_include.php');
if($the_return_of_the_include != '') {
echo $do_a_little_dance_make_a_little_love_get_down_tonight;
}
So after I've included to_include.php in my main document I would like to check if anything was generated by the included document.
I know the obvious solution would be to just use function_that_generates_some_html_sometimes_but_not_all_the_times() in the main_document.php, but that's not possible in my current setup.
make function_that_generates_some_html_sometimes_but_not_all_the_times() return something when it outputs something and set a variable:
//to_include.php
$ok=function_that_generates_some_html_sometimes_but_not_all_the_times();
//main_document.php
$ok='';
include('to_include.php');
if($ok != '') {
echo $do_a_little_dance_make_a_little_love_get_down_tonight;
}
If you are talking about generated output you can use:
ob_start();
include "MY_FILEEEZZZ.php";
function_that_generates_html_in_include();
$string = ob_get_contents();
ob_clean();
if(!empty($string)) { // Or any other check
echo $some_crap_that_makes_my_life_difficult;
}
Might have to tweak the ob_ calls... I think that's right from memory, but memory is that of a goldfish.
You could also just set the contents of variable like $GLOBALS['done'] = true; in the include file when it generates something and check for that in your main code.
Given the wording of the question, it sounds as if you want this:
//to_include.php
return function_that_generates_some_html_sometimes_but_not_all_the_times();
//main_document.php
$the_return_of_the_include = include 'to_include.php';
if (empty($the_return_of_the_include)) {
echo $do_a_little_dance_make_a_little_love_get_down_tonight;
} else {
echo $the_return_of_the_include;
}
Which should work in your situation. That way you don't have to worry about output buffering, variable creep, etc.
I'm not sure if I'm missing the point of the question but ....
function_exists();
Will return true if the function is defined.
include()
returns true if the file is inclued.
so wrap either or both in an if() and you're good to go, unless I got wrong end of the stick
if(include('file.php') && function_exists(my_function))
{
// wee
}
try
// to_include.php
$returnvalue = function_that_generates_some_html_sometimes_but_not_all_the_times();
echo $returnvalue;
//main_document.php
include('to_include.php');
if ( $returnvalue != '' ){
echo $do_a_little_dance_make_a_little_love_get_down_tonight;
}
Among the following include methods which is the best to practice and why?
$page = $_GET['page'];
Method 1
$pages = array('home', 'blog', 'about');
if( in_array($page, $pages) )
{
include($page.'.php');
{
else
{
die('Nice Try.');
}
Method 2
if($page = 'home'){
include('home.php');
}else if($page = 'blog'){
include('blog.php');
}else if($page = 'about'){
include('about.php');
}
Method 3
if(str_replace("http://", "gth://", $page) == $page){
include_once $page;
}else{
die('Nice Try.');
}
or any other solutions? I dont prefer method 1 and 2 as it always needs to be updated everytime i add a new page.
extending/maintaining the first way is easiest, second way is worse. third way is no way to go, as it relies on user input to require pages... it is going to be a security hole
I believe that the first one is the best of the lot. You can try the second one, but it's for the freshers. And the third one is a BIG NO, because any fresher hacker could hack your "if" condition, & more loopholes will start creeping in.
As for your problem, on adding a new page to the array, every time a new page is created, for the first method, I have one solution:-
Let's say you're putting all the new pages in one folder "abc". Now just write one file code as the following, to read all the files / pages existing in that folder:-
<?php
$page = $_GET['page'];
$pages = array();
/**
* If you are using all the pages existing in the current folder you are in,
* then use the below variable as:-
* $path = ".";
*/
$path = 'abc/'; // Change the Path here, related to this Folder name
$handle = opendir($path);
while (($file = readdir($handle)) !== false) {
$pages[] = $file;
}
closedir($handle);
if( in_array($page, $pages) ) {
include($page.'.php');
}
else {
die('Nice Try.');
}
?>
So you see that the array is getting filled up dynamically, without the need to mention all the pages you create every time. And you are using the first method only. And keep the including pages in one separate folder, which you will need to include every time, in other main pages.
Hope it helps.
I'm working on a set up where the URLs will be along the lines of:
http://example.com/index.php?page=about
In reality they will rewritten to that from a simpler URL. index.php will include another page, using this code:
if ( isset( $_GET['page'] ) )
{
$page = $_SERVER['DOCUMENT_ROOT'] . '/pages/' . $_GET['page'] . '.php';
if ( is_file( $page ) )
include $page;
else
echo 'That page doesn\'t exist.';
}
Assuming everything in the pages folder is perfectly safe to be included, is this code secure? I've protected against the well-known directory hacks, i.e. using page=../../.passwd. Is there anything else I should be mindful of?
probably better to switch-case it
$page_name = $_GET['page'];
switch($page_name) {
case 'about':
$page = $_SERVER['DOCUMENT_ROOT'] . '/pages/about.php';
break;
case 'home': //fall through to default
case default:
$page = $_SERVER['DOCUMENT_ROOT'] . '/pages/home.php';
}
include $page;
This way, there isn't any injection problem.
Edit
Another solution would be to set up a class dedicated to handling the conversion of page name to address.
class Page {
static private $pages = array ("about", "home");
const DEFAULT_PAGE = "home";
static public function includePage($page_name) {
if (!in_array($page_name, self::$pages)) {
$page_name = self::DEFAULT_PAGE;
}
include ($_SERVER['DOCUMENT_ROOT'] . '/pages/'.$page_name.'.php';);
}
}
This way this is all managed inside a single class and future changes are easier to make without digging through other code
edited above to reflect request.
your code is ok, except that you should validate the parameter before use:
if(!preg_match("~^\w+$~", $_GET['page']))
die("page id must be alphanumeric!");
i won't recommend "switch" approach, because it decreases flexibility, which is the whole point of using dynamic includes.
You can also switch to a framework like CodeIgniter that will do it all for you and force you into adopting some coding standards which is always a good thing.
A very secure way to do this would be to first construct a list of directory contents, then match the user input to that list and use the value from the list for the include. Something in the lines of:
$sdir = $_SERVER['DOCUMENT_ROOT'].'/pages/';
$targetfile = $_GET['page'].'.php';
$filenames = scandir($sdir); // returns an array of directory contents
foreach ($files as $filename) {
if (($filename[0] != '.')
&& ($filename == $targetfile)
&& (is_file($sdir.$filename)) {
include $sdir.$filename;
break;
}
}
Or you could do it simply by:
$targetfile = $_GET['page'].'.php';
$sdir = $_SERVER['DOCUMENT_ROOT'].'/pages/';
$filenames = scandir($sdir);
if (in_array($targetfile,$filenames)) {
include $sdir.$filename;
}
But in the latter case you have to be really sure you get the check conditions right, and also use the regex check suggested in another answer. In the first case, you're only including from a list constructed from the directory contents, so it'll be safe even if the user manages to get some weird input through your checks.
When handling an arbitrary number of pages it might be best to ensure you have SEO friendly filenames. I would recommend alphanumeric filenames with hyphens or underscores:
define(DOCROOT, $_SERVER['DOCUMENT_ROOT']);
// assume you do not include file extensions in $_GET['page']
$page = trim(preg_replace('~[^\\pL\d]+~u', '-', $_GET['page']), '-');
if (is_file($page)) {
include DOCROOT . $page;
}