PHP dynamic includes

vicken · 08-11-2007, 06:55 PM

Quick question, How do Dynamic includes work, and more importantly how does linking work with dynamic includes. thanks in advance
Ian.

Peter · 08-11-2007, 08:22 PM

what exactly do you mean, dynamically include what, also in what ways are they dynamic.

A normal includes can be done in either of 4 ways:-

include('./path/to/document.php')
include_once('./path/to/document.php')
require('./path/to/document.php')
require_once('./path/to/document.php')

These all include the content of the php script (or whatever type of script it is and treats the content as if it were in the current document. The difference between the requore and includes functions is that a script that has an included file that cannot be found will throw a warning but continue. If you had used a require function then it will throw a warning plus a fatal warning (which will terminate the script). The function with once in the name simply stop you including/requiring a script already included (script will ignore and continue as usual.

You can use variables within the file names such as:-

$var = 'file.php'
require_once('./path/to/'.$var);

And of course that variable can come from anywhere a variable can normally come from. HOWEVER if you use a variable that the user has supplied then you should sanitize it 100%. I found a bug in a forum a few months ago that enabled you to include any file on the server because they were using this type of thing. They did not bother checking the file name and did not ensure it was within an allowed path.

vicken · 08-12-2007, 04:45 AM

What im trying to find out is. A guy i was talking to said he made a site that really made up of smaller content pages dynamicly included into the main page.

mvl · 08-12-2007, 04:49 AM

I think he was referring to using 'include(_once)' or 'require(_once)' within conditional statements like 'if .. then .. else' or 'switch' statements.

Xyzer · 08-12-2007, 04:50 AM

Ahh hello, Just saw your post, I think I know what you mean.
To access links like www.blah.com/index.php?page=about then it will include about.php. You will want to do something like in the post below:

PHP Code:

  <?php

// index.php

if(isset($_GET['page']) && strlen($_GET['page'] < 100)) {

$fileName = html_entities($_GET['page']);

$ext = '.php';

$file = $fileName.$ext;

if(is_file($file)) {

include($file);

} else {

echo 'Page name incorrect.';

}

} else {

echo 'Page not set.';

die();

}

?>

There may be errors inthat.. it's off the top of my head so may be slightly incorretct.

mvl · 08-12-2007, 05:08 AM

A little warning: the code below is unsafe. You should NEVER let the name of the file to be included (=executed) be specified in request vars without any checks.

Quote:

Originally Posted by localhost

Ahh hello, Just saw your post, I think I know what you mean.
To access links like www.blah.com/index.php?page=about then it will include about.php. You will want to do something like in the post below:

PHP Code:

  <?php

// index.php

if(isset($_GET['page']) && strlen($_GET['page'] < 100)) {

$fileName = html_entities($_GET['page']);

$ext = '.php';

$file = $fileName.$ext;

if(is_file($file)) {

include($file);

} else {

echo 'Page name incorrect.';

}

} else {

echo 'Page not set.';

die();

}

?>

There may be errors inthat.. it's off the top of my head so may be slightly incorretct.

Xyzer · 08-12-2007, 05:15 AM

Quote:

Originally Posted by leonardo

A little warning: the code below is unsafe. You should NEVER let the name of the file to be included (=executed) be specified in request vars without any checks.

You are completely wrong.

First, It cleans the name up and takes out any < > etc. and secondly it checks if the file actually exists. This is as good as you will get it, and if the file doesn't exist, it simply won't run.

Edit: Sorry, you are correct. As Hitch told me just now, you shouldn't let the user include a file like that becuase if you want to keep a file private or something the user could include it.. Sorry.. You win

vicken · 08-12-2007, 05:44 AM

ok this is really confusing....

08-11-2007, 06:55 PM	#1 (permalink)
vicken New Member Join Date: May 2007 Posts: 12 0.00 NP$ (Donate)	PHP dynamic includes Quick question, How do Dynamic includes work, and more importantly how does linking work with dynamic includes. thanks in advance Ian.

08-11-2007, 08:22 PM	#2 (permalink)
Peter Senior Member Join Date: Nov 2003 Location: Scotland Posts: 4,900 0.60 NP$ (Donate)	what exactly do you mean, dynamically include what, also in what ways are they dynamic. A normal includes can be done in either of 4 ways:- include('./path/to/document.php') include_once('./path/to/document.php') require('./path/to/document.php') require_once('./path/to/document.php') These all include the content of the php script (or whatever type of script it is and treats the content as if it were in the current document. The difference between the requore and includes functions is that a script that has an included file that cannot be found will throw a warning but continue. If you had used a require function then it will throw a warning plus a fatal warning (which will terminate the script). The function with once in the name simply stop you including/requiring a script already included (script will ignore and continue as usual. You can use variables within the file names such as:- $var = 'file.php' require_once('./path/to/'.$var); And of course that variable can come from anywhere a variable can normally come from. HOWEVER if you use a variable that the user has supplied then you should sanitize it 100%. I found a bug in a forum a few months ago that enabled you to include any file on the server because they were using this type of thing. They did not bother checking the file name and did not ensure it was within an allowed path. __________________ Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft

08-12-2007, 04:49 AM	#4 (permalink)
mvl fka: leonardo Join Date: Aug 2006 Posts: 720 30.00 NP$ (Donate)	I think he was referring to using 'include(_once)' or 'require(_once)' within conditional statements like 'if .. then .. else' or 'switch' statements. __________________ http://sxt.nl/ ForeignPropertyForSale.com SATAN.EU VOI.EU http://HealthyDishes.com

08-12-2007, 04:50 AM	#5 (permalink)
Xyzer Senior Member Join Date: Aug 2005 Location: United Kindom Posts: 1,506 90.70 NP$ (Donate)	Ahh hello, Just saw your post, I think I know what you mean. To access links like www.blah.com/index.php?page=about then it will include about.php. You will want to do something like in the post below: PHP Code: `<?php // index.php if(isset($_GET['page']) && strlen($_GET['page'] < 100)) { $fileName = html_entities($_GET['page']); $ext = '.php'; $file = $fileName.$ext; if(is_file($file)) { include($file); } else { echo 'Page name incorrect.'; } } else { echo 'Page not set.'; die(); } ?>` There may be errors inthat.. it's off the top of my head so may be slightly incorretct. Last edited by localhost; 08-12-2007 at 04:55 AM.

08-12-2007, 04:45 AM	#3 (permalink)
vicken New Member Join Date: May 2007 Posts: 12 0.00 NP$ (Donate)	What im trying to find out is. A guy i was talking to said he made a site that really made up of smaller content pages dynamicly included into the main page.

08-12-2007, 05:44 AM	#8 (permalink)
vicken New Member Join Date: May 2007 Posts: 12 0.00 NP$ (Donate)	ok this is really confusing....

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)