Do all php include files have to be in an include directory, or is that just an organizational convenience?
Can I include files from any directory using the path to that directory?
Do html files that contain php includes have to have a php extension?
If so, I guess that would mean all of my html docs would be php if they all have the menus I am planning to "include". Is that acceptable protocol to have every file on your site be a php file?
A bow in humble reverence...
p.s. is there a good bible on this topic!?
You don't need to have your php includes anywhere particular, or have any file extension...
Calling include('/path/to/your/file/with/any/extension.extension'); should include it as a php file
Normally safer to call files with php code in with a php extension tho.
If you put PHP in a .html file and include() it, it should work. However if someone requests the .html file directly from the server they could be able to see all your PHP code un-processed which is dangerous. Therefore if you are doing this then either put these files in a non-web-accessible directory (e.g. above the document root) or change your web server configuration so that .html files are treated as PHP.
You should be able to include() any file but you may get problems accessing some directories if there is an open_basedir restriction in PHP (which you will probably find on most webhosts)
You can include files from anywhere on the server (depending on file access privileges and security restrictions, of course).
Using an includes directory helps keep things well organized, but is not required.
If a file contains PHP code, it should be saved as a .php file - otherwise if it is called directly the code will not run. This leaves you with a file which behaves differently depending on how it is accessed, which is probably not what you wanted and could be a security threat.
To get around this, I have seen some people override file-types so the server treats all .html files as PHP scripts - I do not recommend this, as it will slow processing of all files even if they do not include any PHP. Follow the Principle of Least Surprise - let your HTML files be .html and your PHP files be .php - and everyone will be happier.
James Musser:
I think you are referring to Apache SSI includes now
(see http://httpd.apache.org/docs/2.2/howto/ssi.html#standard-footer)
Not knowing the answer, I tried it, and here are my results
Extension Call method PHP runs
.html browser no
.html Apache #include no
.html PHP include() yes
.php browser yes
.php Apache #include yes
.php PHP include() yes
(Testing done with WinXP, Apache 2.2.3, PHP 5.2.26 and CentOS 5.2, Apache 2.2.3, PHP 5.1.16)
So your answer is YES - if you wish to call a PHP script through an Apache SSI #include, the script must have a .php extension (or some other extension, ie .php4 .php5 etc, which is registered with Apache as being a PHP script), otherwise it will NOT run.
Related
I'd like to put in place a php logging script inside an .exe file (which is a plain text file anyways, to log additional things not shown up in apache logs, whos accessing for example /joomla/ecard.exe and further processing of malicious access attempts) - and no i don't run a joomla there :) ). The logging/processing part is no problem, but Apache always treats the .exe as octet stream and thus firefox is downloading the .exe instead of executing the php code inside it.
I repeat: I don't want to execute an exe (what would require a windows host anyway and run through phps exec command) I'd like to have an exe treated as a php script.
I've already tried to modify the .htaccess file and change the Handler / Type of exes, but with no luck. Last test was like this:
cat .htaccess
AddHandler application/x-httpd-php .exe
AddType application/x-httpd-php .exe
Any ideas? It could have something to do with the file magic / MIME-TYPE?
On a standard Unix LAMP installation, how can I determine what file extensions will be parsed by PHP?
I'm thinking in terms of shared hosting environments such as GoDaddy, Hostgator, etc... Where LAMP is already installed and root access is not provided. When logging into an unfamiliar environment, how can I determine what file extensions will be parsed by PHP by default?
Is there any "master list" that just shows what extensions PHP or is preconfigured to parse? Or rather which extensions Apache will send to PHP to be parsed?
If using Apache, take a look into its httpd.conf file.
All extensions listed in "AddType application/x-httpd-php" will be send to the PHP interpreter (usually looks like "AddType application/x-httpd-php .php .phtml")
If you can't access these configuration files because your limited by the hosts permissions. You could try the brute force way. Place a file on your server, in (usually 'public_html' or 'www') with each one of the extensions you suspect will work with a little piece of code like.
<?php
echo phpinfo();
?>
If the server returns actual info on your server then that works.
Remember to delete these files after use, dumping phpinfo() to the world is a security risk.
How can I see a webpage with extension php without uploading it to the server?
I want to be able to see php files offline in order to preview a page before uploading it to the server.
My searches revealed that I need to have php installed. My OS is Ubuntu, and I did install php5 and apache2, but I can't figure out how to setup the server in order to see my files which are in /home/user/WWW
Is it possible to have a clear explanation how to setup a server properly and how to make it "see" my webpages? I'm not very advanced in web designing. I just want to design a simple webpage displaying my research. I found that writing in php makes things like header, footer easier to include in every page. On the other side, I really want to preview the files before uploading them...
Change the directory DocumentRoot in httpd.conf and restart your Apache server
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/home/user/WWW"
If you just want to test your PHP without serving a Web page you can run php at a shell prompt with
$ php myScript.php
(see also How can I run a php without a web server?)
As suggested by Ologho Cyril Paul in its comment, XAMPP does the trick. It is easy to install, and its visual launcher has a config button which lets you change the DocumentRoot to your preferred folder. Once the server is active, typing localhost/your_site in your browser leads you to the webpages.
After changing all .html files into .php I found out that it is possible to make php code work in html. Too bad everyone says "it is not possible"... Just make a file called .htaccess in the folder containing your html files and add to it the following line:
AddHandler application/x-httpd-php .html
Now you can write .php code in html. (this was taken from other questions like this)
I want to create a Chrome app, but I have the same problem as this guy. When I add the .php extension and I run the app, it downloads the file.Should I do something more? I have installed PHP (if that means to download and extract the file in the same folder with my app, I'd be wrong). I'm a beginner... :(
EDIT
Some of you told me to install Apache or IIS. I said earlier that I want to create a Chrome app.
Do I need to install Apache? Where would I run it (I don't have a local host, Chrome extensions and apps use the "chrome-extension://" prefix, which means it is hosted on the browser). What about more information (you've all been helpful by now)?
EDIT 2
It turns out that Google Chrome doesn't allow developers toto run PHP inside Chrome apps.
Thanks for your help!
This means the server is either missing the PHP plugin (either CGI or otherwise) or the the server doesn't recognize that it must pass a file with the extension in to PHP for pre-processing.
If you're on a host out of your control (e.g. using GoDaddy) then make sure they allow PHP (some of the free hosts won't have PHP as they deam it an unnecessary security risk). If it's your own server, make sure you installed PHP and it's enabled.
If it DOES has PHP installed, but you're not getting it to parse, you'll need to bind the .php extension to the PHP handler using either an .htaccess file or the config.
For apache, your http.conf needs the following (assuming you already have PHP plugin):
AddType application/x-httpd-php .php
Or for something more broad, place an .htaccess file with the above code in your hosted directory.
EDIT
You mentioned you installed PHP. I'm going to assume you're using Apache, as IIS now has a Web Extensions installer that would (typically) take care of the "hard part" for you. So, having said that, open your http.conf (Usually located in C:\Program Files\Apache Software Foundation\Apache2.2\conf\ [using 2.2 as a demo version]). Within that file, at the bottom, add the following [replacing files paths to those that correlate to your own install]:
LoadModule php5_module "C:/php/php5apache2_2.dll"
AddType application/x-httpd-php .php
PHPIniDir "C:/php"
A better reference can be found by googling "install PHP [version] on [webserver]". Here's just one of the results I was able to locate.
Do you have a server installed on your machine? PHP is a server-side script & unlike Javascript you cannot run it without a server.
PHP files are server side code only. So you need to install a local server like APACHE to get the PHP script to execute.
PHP must be run on a web server, not your desktop. Install PHP on your webserver, then open the PHP file from a web browser via: http://localhost/yourfile.php
You need an Apache server on your computer. download xampp: http://www.apachefriends.org/en/xampp.html and put your files in the htdocs folder.
EDIT:
This will explain how to install a PHP environment: http://www.tanguay.info/web2008/tutorial.php?idCode=phpDevelopmentQuick
For required/included files in PHP, is it better to use .inc extensions vs .inc.php vs .php extensions?
Sometimes people use the .inc extension and then do some server configuration to keep .inc files from being accessed via a web browser. This might be good, if done absolutely correctly by a knowledgeable sysadmin, but there's a better way: Any file that's not supposed to be accessed by web users should be kept outside your document root. Once these files are off the web, so to speak, you can use whatever extension you want. .php is definitely a sensible choice for syntax highlighting, general sanity, and so on.
Apache can sometimes (due to bugs or severe crashes) serve .php files as text (happend to me a few times on shared hosting).... I think you can use any extension you want as long as you don't store your files in a public folder.
Let's say your site is in /home/user/public_html/
create another folder /home/user/lib_php/
have the files:
(1) .../lib_php/one.class.php with
class one {
//...
}
(2) .../lib_php/two.function.php with
function two() {
//...
}
and you have the main index.php in /public_html
<?php
include_once('../lib_php/one.class.php');
include_once('../lib_php/two.function.php');
$x=a;
$b=two($x);
$c=new one;
//etc..
or
<?php
require_once('/home/user/lib_php/the.file.php');
This way you are taking every precaution the files are not reachable directly but can be used by your scripts...
My personal preference is that anything in the document root is a .php file, to indicate it's directly executable by the web server, and anything that's a library is a .inc file stored in a parallel directory, to indicate it's NOT directly executable.
My standard configuration is
/home/sites/example.com/html/ - anything here is 'safe' to expose if PHP fails and serves up raw code
/home/sites/example.com/inc/ - libraries, config files with passwords (e.g. the database connection class with DB credentials), etc.. Anything that shouldn't be exposed as there's no reason for it.
While you can certainly configure Apache to deny access to .inc files and keep them inside the webroot, then you're depending on Apache to keep you safe. If PHP can fail within Apache and expose your code, then the .inc blocks can ALSO fail and expose your code's innards as well.
Of course, if Apache's coughing blood all over the floor, there's no reason that the directory traversal protection can't fail as well and let someone do http://example.com/../inc/seekritpasswords.txt.
At some point you just have to accept that if something's stored anywhere on the web server, there's a possibility that a failure may allow access to the raw data and expose everything. How much time and effort you want to expend on protecting against that is up to you.