I have a very strange issue with a website that I have created.
Basically, I have a site built with a "Poor Man's Router" so that when I go to site.com/contact, it finds index.php in that directory which has a few variables set and an include which grabs my site's skeleton (main structure). Inside the skeleton is where I have another include that grabs the content for the specific page, which is designated by the variable which is set in the index.php file that I had previously mentioned.
So the problem is that when I go to this contact page, I have an contact form on it which is supposed to send an email once it is submitted. Everything appears fine, but the PHP that is on the contact page's content file is never executed. So I seemed to have narrowed it down to an issue where if the content file is deeper than the directory of the skeleton file, it will not work. Let me show you how the directories are:
/
--skeleton.php
--/content
----contact.php
--/contact
----index.php
So it goes index.php -> skeleton.php -> contact.php
The PHP in contact.php is not working, unless I put it in the root directory. Why does it do this? I know that what I am doing is not the most ideal way, but that's not what I am asking for help with. I just need to know why the PHP is not being executed when the files are organized this way.
//INDEX.PHP
$content = 'contact.php';
include('../skeleton.php');
//SKELETON.PHP
include($site . 'content/' . $content);
//CONTACT.PHP
if($send_info == 1) {
// send email
} else {
// show form
}
Without seeing more code, one suggestion would be that your include files are referencing incorrect paths. Do you know that the skeleton.php and contact.php files are loading? Can you put some debugging lines in each file to echo an output message to show that the files are loading and where they get to? Can you change the include('filename') to require('filename') to see if they are actually getting included?
Related
the dilemma I have is my website index.php calls to a template php file on a button press like this:
case 'main':
$page = getTemplate('main.php', array('user'=>$user));
echo $page;
break;
This main.php template file is in a folder in "/var/www/template/" How do I stop people going to: domain.com/template/main.php and viewing the code for that page. I think the solution would be to make the localhost be able to pull the it and display it rather than the user or something along those lines. Any help would be appreciated thank you.
Like a comment said, the PHP file will not be printed, it will print the HTML result that the php file produce.
Maybe it produces some errors indicating vulnerabilities to a potential attacker ? If that's your case, you should handle this directly into the php code or use a .htaccess at the root of your site. You can't find some help there.
How to deny access to a file in .htaccess
Managed to fix this by putting this at the top of the php page I wanted to render:
<?php
if (!isset($_GET['page'])) {
header('Location: /main');
exit();
}
?>
This means if someone goes "domain.com/template/main.php" to attempt to view the source code, it will redirect them back to the main webpage for my site. Thanks for your suggestions however.
I am looking to use some php pages I created as a template across multiple subdomain websites. I want to change minor things across each subdomain (what database is being used and some basic settings but this is not important). I do not want to copy over all files every time I want to create a new subdomain as this will be a pain when making updates. So I want to be able to push updates to my "live" site that acts as a template for all other sites.
This is my current testing layout
I have a "live" site that looks something like this:
-dashboard
-division
-division->lookup
Each of these directories have an index.php that I want included when the appropriate url is visited.
For each subdomain website, I currently have:
-.htaccess file
-errors (includes 404.php)
Within my .htaccess file, I have the 404 page as this 404.php page and that page looks like this:
if((#include "/var/www/live".$_SERVER['REQUEST_URI']."/index.php") === false){
echo "DOES NOT EXIST";}
If the url you are trying to go to exists in "live" it includes it and it basically mirrors it.
This seems to work except for when I try a url that is more than 1 directory deep. For example, if I am trying to go to test.myurl.com/division/lookup I get Google's 404 page (This test.myurl.com page can’t be found).
I am feeling like there has to be an easier way to do this and I am doing this all wrong. Where can I look to do this better? Any tips?
This will check if the file exists and should address the depth issue
<?php
$filename = $_SERVER['DOCUMENT_ROOT'].$_SERVER['REQUEST_URI'];
if (is_file($filename)) {
// file exists as requested
require_once $filename;
exit;
}
http_response_code(404); // may be unnecessary
?>
<!doctype html> ... <!-- 404 page content -->
The context:
I'm building a PHP 7 web application, it uses a PHP session to login and check to see if the user is logged in on each page. Here is the basic makeup of most pages:
<?php session_start(); ?>
<?php include 'the_header_and_menu.php'; ?>
<p>Page content</p>
<?php include 'the_footer.php'; ?>
At the top of the_header_and_menu.php file is an include to session_check.php which is located outside the site's directory. This PHP process does five checks, the most basic one included below.
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] == 'false') { // If loggedin is not set, or is false, then run this block.
header('Location: http://example.com/index?eject=noLogin'); // Send the user to the eject page.
die(); // Exit the process.
}
Process summary: User logs in, which creates a session and its variables. When the user loads a page, a session check is performed to make sure that the user's account is valid and authorised. If the account or session is no longer valid/authorised, then the user is redirected to the login page (index).
The issue: When someone who's not logged in enters http://example.com/dashboard, they are ejected using the first check (featured above). However, if they enter http://example.com/process/, the checks seem to count for nothing and the user is shown the page. This page does not just include a directory listing, but calls the http://example.com/process/index.php file to represent it instead.
The question: How can I apply the same logic that protects individual pages like dashboard.php, to the case of protecting directory indexes?
Own answer:
The issue here was one which was simple, but overlooked.
At the top of the_header_and_menu.php file is an include to session_check.php which is located outside the site's directory.
Within the header and menu file was the session check include. However, because the session check was located outside the main directory (like much of the back-end), I had referenced to it through a relative path, similar to the one below.
include_once '../mainfolder/php/subfolder/sessioncheck.php';
However, because the file was being included to a subdirectory, it should've included a further ../ operator.
include_once '../../safe/php/users/sessioncheck.php';
The solution: Instead of performing a session check through the header and menu, I am now including it on every page I want to protect. This is by no means a perfect solution and simply acts to get things working again.
Thank you to Daniel Schmidt, who got me looking in the right direction!
Directory indexes don't usually come from PHP - they are served by your webserver (nginx, apache, ..). Today, there is obviously no need to have that indexes enabled.
It looks like you're not sending each request to you're PHP process(es). I tend to suggest checking your webserver configuration.
The issue here was one which was simple, but overlooked.
At the top of the_header_and_menu.php file is an include to session_check.php which is located outside the site's directory.
Within the header and menu file was the session check include. However, because the session check was located outside the main directory (like much of the back-end), I had referenced to it through a relative path, similar to the one below.
include_once '../mainfolder/php/subfolder/sessioncheck.php';
However, because the file was being included to a subdirectory, it should've included a further ../ operator.
include_once '../../safe/php/users/sessioncheck.php';
The solution: Instead of performing a session check through the header and menu, I am now including it on every page I want to protect. This is by no means a perfect solution and simply acts to get things working again.
I have a form that submits to itself and when I submit I get a header and the background but no content on the page, nothing below title in the html. It doesnt write to my database either, no errors, and the styles are there.
I think it has to do with my mysql connection.
I've uploaded everything here https://www.yousendit.com/download/bHlCVWRuTkFTRTUzZUE9PQ
This is for my project as I learn php and mysql and this is a wall I cant get past. Please help!
In index.php file you have:
require_once "quoteit-functions.php";
require_once "quoteit-post.php";
and than you have in quoteit-post.php file:
require_once "quoteit-functions.php";
remove that line because that file is automatic included in that file, instance is used from index.php file.
This was the solution via my teacher late last night:
The main problem that you don't see anything displayed was because you close the connection in quoteit-post.php - and that's before you attempt to reuse "$db" to display and do the count. I moved it out to index.php.
I was following a tutorial I found on how to create a simple login using sessions and a database. I followed it to the T (with the exception of tidying up all of the code because theirs was a mess and I'm OCD like that).
I get no errors at all on the page, it just comes up with a blank screen and I can't work out for the life of me why it's doing. I've been trying to get it working for the best part of about 3 hours.
There are 4 files:
index.php - Contains the form for the login script
login.php - Where the form data is processed, which is "require_once"'d into the index.php page at the very start.
config.php - Database connection info
cpanel.php - Where I want the user to be sent once they logged in
And here are those 4 files in action (although I guess they're not in action since they don't actually work!):
index.php
login.php
config.php
cpanel.php
And here's the tutorial I used.
Lastly here's a link to the original (non-source) index.php file
Hope you guys can help, it's driving me crazy now.
Just change
if($jackin) {
to
if(isset($jackin)) {
in login.php file
Also put ini_set('short_open_tag',1)
in your cpanel.php file if short_open_tag is disabled in php.ini
You should try error_reporting(E_ALL); for additional Error output. Check all POST Variables with an echo() / var_dump(), Check the Ifs also with echo() and make sure thats everything is OK.
The echo for $error is doubled.
Additional you should not use the Location Element on the Header with an relative Path.