PHP dynamic includes

[vicken]

Quick question, How do Dynamic includes work, and more importantly how does linking work with dynamic includes. thanks in advance
Ian.

 

[Peter]

what exactly do you mean, dynamically include what, also in what ways are they dynamic.

A normal includes can be done in either of 4 ways:-

include('./path/to/document.php')
include_once('./path/to/document.php')
require('./path/to/document.php')
require_once('./path/to/document.php')

These all include the content of the php script (or whatever type of script it is and treats the content as if it were in the current document. The difference between the requore and includes functions is that a script that has an included file that cannot be found will throw a warning but continue. If you had used a require function then it will throw a warning plus a fatal warning (which will terminate the script). The function with once in the name simply stop you including/requiring a script already included (script will ignore and continue as usual.

You can use variables within the file names such as:-

$var = 'file.php'
require_once('./path/to/'.$var);

And of course that variable can come from anywhere a variable can normally come from. HOWEVER if you use a variable that the user has supplied then you should sanitize it 100%. I found a bug in a forum a few months ago that enabled you to include any file on the server because they were using this type of thing. They did not bother checking the file name and did not ensure it was within an allowed path.

 

[vicken]

What im trying to find out is. A guy i was talking to said he made a site that really made up of smaller content pages dynamicly included into the main page.

 

[mvl]

I think he was referring to using 'include(_once)' or 'require(_once)' within conditional statements like 'if .. then .. else' or 'switch' statements.

 

[Xyzer]

Ahh hello, Just saw your post, I think I know what you mean.
To access links like www.blah.com/index.php?page=about then it will include about.php. You will want to do something like in the post below:

<?php
// index.php
if(isset($_GET['page']) && strlen($_GET['page'] < 100)) {
$fileName = html_entities($_GET['page']);
$ext = '.php';
$file = $fileName.$ext;
if(is_file($file)) {
include($file);
} else {
echo 'Page name incorrect.';
}
} else {
echo 'Page not set.';
die();
}
?>

There may be errors inthat.. it's off the top of my head so may be slightly incorretct.

 

[mvl]

A little warning: the code below is unsafe. You should NEVER let the name of the file to be included (=executed) be specified in request vars without any checks.

Ahh hello, Just saw your post, I think I know what you mean.
To access links like www.blah.com/index.php?page=about then it will include about.php. You will want to do something like in the post below:

<?php
// index.php
if(isset($_GET['page']) && strlen($_GET['page'] < 100)) {
$fileName = html_entities($_GET['page']);
$ext = '.php';
$file = $fileName.$ext;
if(is_file($file)) {
include($file);
} else {
echo 'Page name incorrect.';
}
} else {
echo 'Page not set.';
die();
}
?>

There may be errors inthat.. it's off the top of my head so may be slightly incorretct.

 

[Xyzer]

A little warning: the code below is unsafe. You should NEVER let the name of the file to be included (=executed) be specified in request vars without any checks.

You are completely wrong.

First, It cleans the name up and takes out any < > etc. and secondly it checks if the file actually exists. This is as good as you will get it, and if the file doesn't exist, it simply won't run.



Edit: Sorry, you are correct. As Hitch told me just now, you shouldn't let the user include a file like that becuase if you want to keep a file private or something the user could include it.. Sorry.. You win :p :hehe:

 

[vicken]

ok this is really confusing....