 |
|
|
|
Next: Help with opening a report
|
| Author |
Message |
External
Since: Jan 15, 2008
Posts: 15
|
(Msg. 1) Posted: Sun Jan 27, 2008 11:04 pm
Post subject: include within include, using a relatve path
Archived from groups: comp>lang>php (more info?)
|
|
|
Hi,
I have noticed something in PHP's include mechanism that surprised me.
If you include a script that itself contains an include command using
a relative path, that path is interpreted from the position of the
'outermost' script, not that of the script in which the relative path
appears. Here is a simplified example, with error checking, php tags
etc. left out for clarity. I'll use the extension ".inc.php" to mark
scripts that are intended to be included.
Let x be the full path to some point in the file system, and imagine
that the server has been configured so that x/htdocs is reachable through
some URL, but x itself is not.
Say there is an include script doing database access and some more setup,
like this:
*** x/htdocs/setup.inc.php ***
require "../include/secrets.inc.php";
$link = mysql_connect($server, $user, $password);
mysql_select_db($database, $link);
/*
imagine more code that reads initial stuff from the database
*/
***
Because this script does more than just connect (and other included
scripts might also connect and do other "extra" things), the actual
secrets are taken out and appear just once, like this:
*** x/include/secrets.inc.php ***
global $server, $user, $password, $database;
$server = "...";
$user = "...";
$password = "...";
$database = "...";
***
x/include can not be reached by an URL, so we have implemented a common
piece of security advice.
Now of course we have scripts in, say, x/htdocs/script1.php, that use
this setup through the statement
*** x/htdocs/script1.php (extract) ***
include "setup.inc.php";
***
This all looks fine, but it fails if x/htdocs/setup.inc.php is included
from files at other depths in the file tree under x/htdocs. If I have
a script x/htdocs/subdir/script2.php that says:
*** x/htdocs/subdir/script2.php (extract) ***
include "../setup.inc.php";
***
then the relative path "../include/secrets.inc.php" in setup.inc.php
causes PHP to look for "x/htdocs/include/secrets.inc.php", as reported
by an error caused by the "require" statement. It must therefore be the
case that the relative path after "require" is interpreted relative to
x/htdocs/subdir/script2.php - my expectation would have been that it's
relative to x/htdocs/setup.inc.php, i.e. to the script in which the
"require" statement actually appears.
I do have a solution that I'm not fully comfortable with: after the
"require" within x/htdocs/setup.inc.php I put an expression using regular
expression replacement and __FILE__, similar to this:
*** x/htdocs/setup.inc.php (extract) ***
require ereg_replace('/htdocs/.*', '/include/secrets.php', __FILE__);
***
ereg is used instead of preg here because preg would include the first
slash as a delimiter of the regular expression, not a required character.
You will know that __FILE__ behaves somewhat similarly to the
"include" mechanism: it evaluates to the path of the 'outermost' script,
i.e. "x/htdocs/script1.php" or "x/htdocs/subdir/script2.php". One reason
for my discomfort is that I can't exactly know where within __FILE__
the string "/htdocs/" appears. It will appear at least once because my
scripts are under x/htdocs - but what I call "x" will be a longer path
that might in theory contain "/htdocs/" somewhere earlier.
I'd be happier with an expression that, if used in x/htdocs/setup.inc.php,
would evaluate exactly to "x/htdocs/setup.inc.php" - some special variable
whose meaning would be 'the script file this line actually appears in'. I
haven't found such a variable. Have I missed something?
I could use $_SERVER["DOCUMENT_ROOT"] to construct an absolute path
within the server's file system, but for that I'd need to know where
x is in relation to the document root. (It might not even be under that
root if aliases are used.) So I'd prefer to get by without that knowledge.
Of course I could get rid of my excessively complicated setup and
avoid the 'double include' structure. I'm considering that anyway, but
I'd expect others to stumble over the same expectation of how 'double
includes' work, so I'd be curious about other solutions.
So I'm wondering: have other more experienced PHP programmers come across
the same problem, and is there a 'canonical' solution?
Thanks for reading all this, and for your replies.
Sebastian Lisken |
|
| Back to top |
|
 | |
External
Since: Aug 11, 2004
Posts: 1367
|
(Msg. 2) Posted: Sun Jan 27, 2008 11:04 pm
Post subject: Re: include within include, using a relatve path [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
Sebastian Lisken wrote:
> Hi,
>
>
> So I'm wondering: have other more experienced PHP programmers come across
> the same problem, and is there a 'canonical' solution?
>
> Thanks for reading all this, and for your replies.
>
> Sebastian Lisken
>
>
It's very easy. Make every include absolute. You can find the path to
the server's document root via $_SERVER['DOCUMENT_ROOT']. Reference
every include from there and you'll be in much better shape.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex.TakeThisOut@attglobal.net
================== |
|
| Back to top |
|
| |
External
Since: Jan 15, 2008
Posts: 15
|
(Msg. 3) Posted: Sun Jan 27, 2008 11:04 pm
Post subject: Re: include within include, using a relatve path [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
Jerry Stuckle wrote:
> It's very easy. Make every include absolute. You can find the path to
> the server's document root via $_SERVER['DOCUMENT_ROOT']. Reference
> every include from there and you'll be in much better shape.
Thanks Jerry, I know this would be a solution. I did consider this near
the end of my (admittedly very long) post and explained why I regard
such a solution less than ideal. Could you think of another one not
using the document root?
Sebastian Lisken >> Stay informed about: include within include, using a relatve path |
|
| Back to top |
|
| |
External
Since: Aug 11, 2004
Posts: 1367
|
(Msg. 4) Posted: Sun Jan 27, 2008 11:04 pm
Post subject: Re: include within include, using a relatve path [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
Sebastian Lisken wrote:
> Jerry Stuckle wrote:
>> It's very easy. Make every include absolute. You can find the path to
>> the server's document root via $_SERVER['DOCUMENT_ROOT']. Reference
>> every include from there and you'll be in much better shape.
>
> Thanks Jerry, I know this would be a solution. I did consider this near
> the end of my (admittedly very long) post and explained why I regard
> such a solution less than ideal. Could you think of another one not
> using the document root?
>
> Sebastian Lisken
>
>
Yes, I read that. But there isn't a better one.
You should *always* know where a file is relative to DOCUMENT_ROOT. And
it can be above the directory.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex.DeleteThis@attglobal.net
================== >> Stay informed about: include within include, using a relatve path |
|
| Back to top |
|
| |
External
Since: Dec 10, 2007
Posts: 9
|
(Msg. 5) Posted: Mon Jan 28, 2008 6:03 am
Post subject: Re: include within include, using a relatve path [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
On Jan 27, 6:36 pm, Sebastian Lisken <Sebastian.Lis...@Uni-Bielefeld-
deletethis.de> wrote:
> Hi,
>
> I have noticed something in PHP's include mechanism that surprised me.
> If you include a script that itself contains an include command using
> a relative path, that path is interpreted from the position of the
> 'outermost' script, not that of the script in which the relative path
> appears. Here is a simplified example, with error checking, php tags
> etc. left out for clarity. I'll use the extension ".inc.php" to mark
> scripts that are intended to be included.
>
> Let x be the full path to some point in the file system, and imagine
> that the server has been configured so that x/htdocs is reachable through
> some URL, but x itself is not.
>
> Say there is an include script doing database access and some more setup,
> like this:
>
> *** x/htdocs/setup.inc.php ***
>
> require "../include/secrets.inc.php";
> $link = mysql_connect($server, $user, $password);
> mysql_select_db($database, $link);
> /*
> imagine more code that reads initial stuff from the database
> */
>
> ***
>
> Because this script does more than just connect (and other included
> scripts might also connect and do other "extra" things), the actual
> secrets are taken out and appear just once, like this:
>
> *** x/include/secrets.inc.php ***
>
> global $server, $user, $password, $database;
>
> $server = "...";
> $user = "...";
> $password = "...";
> $database = "...";
>
> ***
>
> x/include can not be reached by an URL, so we have implemented a common
> piece of security advice.
>
> Now of course we have scripts in, say, x/htdocs/script1.php, that use
> this setup through the statement
>
> *** x/htdocs/script1.php (extract) ***
>
> include "setup.inc.php";
>
> ***
>
> This all looks fine, but it fails if x/htdocs/setup.inc.php is included
> from files at other depths in the file tree under x/htdocs. If I have
> a script x/htdocs/subdir/script2.php that says:
>
> *** x/htdocs/subdir/script2.php (extract) ***
>
> include "../setup.inc.php";
>
> ***
>
> then the relative path "../include/secrets.inc.php" in setup.inc.php
> causes PHP to look for "x/htdocs/include/secrets.inc.php", as reported
> by an error caused by the "require" statement. It must therefore be the
> case that the relative path after "require" is interpreted relative to
> x/htdocs/subdir/script2.php - my expectation would have been that it's
> relative to x/htdocs/setup.inc.php, i.e. to the script in which the
> "require" statement actually appears.
>
> I do have a solution that I'm not fully comfortable with: after the
> "require" within x/htdocs/setup.inc.php I put an expression using regular
> expression replacement and __FILE__, similar to this:
>
> *** x/htdocs/setup.inc.php (extract) ***
>
> require ereg_replace('/htdocs/.*', '/include/secrets.php', __FILE__);
>
> ***
>
> ereg is used instead of preg here because preg would include the first
> slash as a delimiter of the regular expression, not a required character.
>
> You will know that __FILE__ behaves somewhat similarly to the
> "include" mechanism: it evaluates to the path of the 'outermost' script,
> i.e. "x/htdocs/script1.php" or "x/htdocs/subdir/script2.php". One reason
> for my discomfort is that I can't exactly know where within __FILE__
> the string "/htdocs/" appears. It will appear at least once because my
> scripts are under x/htdocs - but what I call "x" will be a longer path
> that might in theory contain "/htdocs/" somewhere earlier.
>
> I'd be happier with an expression that, if used in x/htdocs/setup.inc.php,
> would evaluate exactly to "x/htdocs/setup.inc.php" - some special variable
> whose meaning would be 'the script file this line actually appears in'. I
> haven't found such a variable. Have I missed something?
>
> I could use $_SERVER["DOCUMENT_ROOT"] to construct an absolute path
> within the server's file system, but for that I'd need to know where
> x is in relation to the document root. (It might not even be under that
> root if aliases are used.) So I'd prefer to get by without that knowledge.
>
> Of course I could get rid of my excessively complicated setup and
> avoid the 'double include' structure. I'm considering that anyway, but
> I'd expect others to stumble over the same expectation of how 'double
> includes' work, so I'd be curious about other solutions.
>
> So I'm wondering: have other more experienced PHP programmers come across
> the same problem, and is there a 'canonical' solution?
>
> Thanks for reading all this, and for your replies.
>
> Sebastian Lisken
Hey Sebastian! I was bit by this too, just a few weeks ago. Sadly,
it doesn't seem like there is a much better solution than the absolute
path that's been mentioned. >> Stay informed about: include within include, using a relatve path |
|
| Back to top |
|
| |
| Related Topics: | php include - I like to change a site from frames to a site that uses php pages with include. But the site contains subfolders and in those subfolders are images. I want to make a page, say index.php that includes a page in the subfolder: <?php..
PHP include/require bug? - Why can't I include/require a file starting with the letter 't'? <?php require "C:\t.php"; ?> [11-Dec-2005 15:55:00] PHP Warning: main(C: .php) [<a href='function.main'>function.main</a>]: failed to open stream: Inv...
include statement - Has anyone ever experienced an issue with an include statement where the included file is processed, however, no further code is processed after the included content? I have used includes for quite a while, however, this is a new one for me. Any..
Cant get include to work... - Hi This may be easy to most of you, but as a newbiw; I'm struggling. I am bringing in an include into a php file, but cant run the commands within the include. As an example, Within my php page I write: {php}include("content/myinclude.php")...
How 2 include meta tags? - Hello, I have a small website and I use the include function for the top head section of each page. This is convenient but all the pages have the same meta tags as a result. I would like to have different meta tags for each page. What it the most.. |
|
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
|
|
|
FAQ
Search
Profile
Private Messages
Log in
