I've read so many different inputs on this, so I figured I would ask on here.
Is there anything wrong or dangerous about using full links inside a php include?
Examples,
<?php include('http://www.domain.com/blah.php'); ?>
<?php
define('WEB_ROOT', './'); // relative path to /
include('layout.php');
?>
compared to using
<?php
include('../blah.php');
?>
include('http://www.domain.com/blah.php') goes out and makes an actual HTTP request to the web server, returning the contents of the URL after the web server has processed them, just as you'd see when entering that URL in your browser.
include('../blah.php') includes the local file from disk one directory higher.
The two are completely different things and you do not want to include a URL when you mean to include a local file. Even if the two are supposedly the same file, PHP cannot know that. Accessing a URL and accessing a local file path are entirely different things. It's not possible to infer that the two are the same.
<?php include('http://www.domain.com/blah.php'); ?> is very dangerous, you can't know in 100% what is the code you will get!!! becuse PHP do HTTP request and someome can do ManInTheMiddel attack and to change the code you will get, and to hack your site.
Related
I have a webpage which holds the number of the page to display:
mydomain.net/index.php?page=42
This works alright. Now I want to display the page only when a particular cookie is set, and I moved most of the body to an include file, so that index.php only has
<?php
if ($cookie_ok):
include("http://mydomain.net/index_d6skrif9.php");
else:
include("http://mydomain.net/noaccess.inc");
endif
?>
and now the $_GET["page"] in the include file, which is supposed to retrieve the page number returns nothing.
I read that $_GET[] is a superglobal and that superglobals' scopes are across include files. So what's wrong here, and how can I use the page number in the include file?
$_GET works in included files, it does not work in included HTTP resources.
The PHP in index_d6skrif9.php will be executed by mydomain.net before it gets to the PHP program with the include statement in it.
Use a local file path, not an HTTP URL.
include("index_d6skrif9.php");
Alternatively, pass the value to the server you are pulling the include from:
include("http://mydomain.net/index_d6skrif9.php?page=" + urlencode($_GET['page']));
Note that the latter approach has far more opportunity for things to go wrong and is much less efficient than a local file included, so it isn't recommended if you can help it.
You'll need to include them locally, not over-the-web:
if ($cookie_ok)
include("index_d6skrif9.php");
else
include("noaccess.inc");
endif
By using URLs, you're making a web-request and the server executes the PHP in the file and returns the contents (making it have its own set of super-globals).
I have this code inside of my header
<?php
define('RELPATH','http://www.saint57records.com/');
include_once(RELPATH.'sidebar.php');
?>
and an example line of code in the sidebar
<img style="margin:10px;" src="<?php print RELPATH;?>images/logo.png" width="60px"/>
but when it gets to the page it includes the file correctly but all the links inside of the file just print RELPATH instead of the web url like this
<img style="margin:10px;" src="RELPATHimages/logo.png" width="60px"/>
It works fine on the other pages of my website, just not inside of Wordpress. Does anyone know what might be causing this issue?
The short answer is to provide a filesystem path to RELPATH, not a web URL.
The long answer is that when you use a web URL to include a PHP file, the PHP file will be treated like an external source. It will be called remotely, executed in a process of its own, and return the results. A constant defined previously can not have an effect in this remote resource.
If http://www.saint57records.com/ is on a different server, you'll have to pass RELPATH to it some other way, e.g. through a GET variable (which you'd have to sanitize with htmlentities() prior to use.) However, including content from a remote server in this way isn't good practice. It'll slow down your page as it'll make an expensive web request. If the target server is down, your page will time out.
if I had several websites and I would want to read "file.html" in every website, how should I do that? The file.html would be just like this:
<h1>Hot news</h1>
<p>article</p>
I know I can use php include or require,
<? include 'file.html'; ?>
or jQuery, but only within a domain.
.load("file.html");
How should I do that cross-domain?
PS: And yes, I know that's insecure
You can use PHP for it:
<?php echo file_get_contents('http://....'); ?>
The reason why include doesn't work is that url includes are disabled by default since they are horribly insecure - the included document is handled as PHP. However, with file_get_contents no PHP code can be injected and thus it's pretty safe (except client-side things such as XSS if the remote site sends you bad JavaScript code).
I am experiencing some very strange behavior when including a php file.
I need to load a script that is not on the same domain as the page that will be calling it.
I have already created a system that works using cURL, but I just recently found out that many of the sites that will need to have access to this script, do not have cURL installed.
I did, however, notice that these sites have allow_url_fopen set to on. With this knowledge I got started creating a new system that would let me just include the script on the remote site.
Just testing this out, I coded the script test.php as follows:
<?php
echo("test");
?>
I include this script on the remote page using:
<?php
include("http://mydomain.com/script.php");
?>
and it works no problem and "test" is printed at the top of the page.
However, if I add a function to the script and try to call the function from the page, it crashes.
To make it worse, this site has php errors turned off and I have no way of turning it on.
To fully make sure that I didn't just mess up the code, I made my test.php look like this:
<?php
function myfunc()
{
return "abc";
}
?>
Then on the page including the file:
<?php
include("http://mydomain.com/script.php");
echo(myfunc());
?>
And it crashes.
Any ideas would be greatly appreciated.
This is not odd behavior, but since you load the file over the internet (note in this case the World Wide Web), the file is interpreted before it is sent to your include function.
Since the script is interpreted no functions will be visible, but only the output of the script.
Either load it over FTP or create an API for the functions.
My guess: The PHP of http://mydomain.com/script.php is interpreted by the web server of mydomain.com. All you're including is the result of that script. For a simple echo("test"), that's "test". Functions do not produce any output and are not made available to the including script. Confirm this by simply visiting http://mydomain.com/script.php in your browser and see what you get. You would need to stop mydomain.com from actually interpreting the PHP file and just returning it as pure text.
But: this sounds like a bad idea to begin with. Cross-domain includes are an anti-patterns. Not only does it open you up to security problems, it also makes every page load unnecessarily slow. If cross-domain inclusions is the answer, your question is wrong.
You are including the client side output from test.php rather than the server-side source code. Rename test.php to test.phpc to prevent executing the script. However this is dangerous out of security point of view.
I know how to find out the current domain name in PHP already, the problem is when I put this code into a file and then include it from another server it shows the domain name of where the file is located. Is there any way for it to find out the domain or the site containing the include() code?
Are you doing something like:
include 'http://example.com/script.php';
?
NB: This approach generally considered to be a bit of no-no from a security point of view.
Anyway, the included script is actually being executed on the other server, then the output of the script is being executed on the current server. You can get around this by echoing actual code, something like this:
Currently:
<?
//do something
echo '$v = '.$_SERVER['HTTP_HOST'].';'
?>
Other way:
<?
//do something
?>
$v = $_SERVER['HTTP_HOST'];
But then maybe I'm misunderstanding your question.
You can run it locally using "eval" then it should use the proper domain
store your script as a text file then download it and then execute:
eval(file_get_contents("http://someDomain.com/somePhpscript.txt"));
If you include a PHP page from another server, the page will get parsed by the original server and the result will be sent to you - the page you receive is nothing but text, no PHP code included.
This is a crude hack, but on the remote server, you could look up the domain name of $_ENV['REMOTE_HOST'].
This would be the domain name of the guy doing the "include" from the perspective of the remote server.
I assume you have some reason for wanting to implement this strange topology--restrictions in a virtual host environment, or something. I would suggest looking into alternative infrastructure if possible.