Thread: include file

  1. #1
    SitePoint Addict
    Join Date
    Oct 2008
    Posts
    204

    include file

    Hi,

    I have to include a file with the name L'ornement. I do it with
    Code:
    include "L'ornement.php";
    If I do it I get the following error:
    Code:
    Warning: include(L\'ornement.php) [function.include]: failed to open stream: No such file or directory in ...
    But I have a file named L'ornement.php, help please.

  2. #2
    SitePoint Addict CWebguy's Avatar
    Join Date
    Mar 2009
    Posts
    247
    Did you try

    include ("L'ornement.php");

    ?

  3. #3
    SitePoint Addict
    Join Date
    Oct 2008
    Posts
    204
    Yes, I tried with
    include ("L'ornement.php");
    It also gives the warning message and does not include the file.

  4. #4
    SitePoint Addict CWebguy's Avatar
    Join Date
    Mar 2009
    Posts
    247
    You can try to escape the character

    include ("L\'ornement.php");

    or

    include ('L\'ornement.php');

  5. #5
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    Are you really doing this?
    PHP Code:
    include "L'ornement.php";
    Or this?
    PHP Code:
    include $var;

  6. #6
    SitePoint Addict
    Join Date
    Oct 2008
    Posts
    204
    I am trying to add that file with
    include "$var";

  7. #7
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    This is why your quote gets escaped.
    http://www.php.net/magic_quotes

    Be warned, passing user input to filesystem functions such as include() is extremely dangerous. You're very likely to get your server hacked. You would be much better off defining a specific list of allowed files which you will include and using a switch or array to verify the filename is allowed.

  8. #8
    SitePoint Addict
    Join Date
    Oct 2008
    Posts
    204
    Can I include the file by using
    Code:
    $var=stripslashes($var);
    include "$var";
    Is there any issue with adding it like this? Can I add it so?

  9. #9
    SitePoint Member
    Join Date
    Dec 2006
    Posts
    18
    The simple way is to not use ' in the name of the included file L'ornement.php.
    Yes, I think your last solution will work.

  10. #10
    SitePoint Wizard
    Join Date
    Mar 2008
    Posts
    1,149
    Well, to guard against the server settings changing in the future, you might want to do:
    PHP Code:
    $var = get_magic_quotes_gpc() ? stripslashes($var) : $var;
    include $var;
    Although if you have many variables incoming, you're better off writing a function to undo the quote escaping for *all* input.

    The best course of action, however, is just to downright disable magic_quotes_gpc:

    If you have access to the PHP configuration file, change the appropriate line to this:
    Code:
    magic_quotes_gpc = Off
    If you are unable to do that, but you are on an Apache server with .htaccess support, you can insert the following into an .htaccess file:
    Code:
    php_flag magic_quotes_gpc Off
    However, if you disable magic_quotes_gpc, be aware that null characters (\0) will no longer be converted to a literal "\0", meaning that you will need to remove them yourself. While PHP handles null characters fine, the underlying operating system file access API will truncate everything after the null character ("secret/test.php\0.txt" => "secret/test.php").

    On top of all of this, I hope that $var is not directly from user input. Otherwise, a malicious user can set $var to a remote URL containing PHP code to be included by your script.
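
The allowlist approach recommended in post #7, which also covers the null-byte and remote-URL cases raised in post #10, as an added example that is not part of the original thread. The page keys, the pages/ directory and resolve_page() are hypothetical.

```php
<?php
// Added example: allowlist lookup in front of include().
// Page keys, file names and the pages/ directory are hypothetical.

const PAGE_DIR = __DIR__ . '/pages';

// Request key => file on disk. Only these files can ever be included.
const ALLOWED_PAGES = [
    'ornement' => "L'ornement.php",  // the apostrophe lives here, not in the request
    'contact'  => 'contact.php',
];

/**
 * Map an untrusted request value to an allowlisted path, or null if rejected.
 */
function resolve_page($requested): ?string
{
    // Arrays (?page[]=x) and other non-strings are rejected outright.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key lookup: "../", "http://..." and "name\0.txt" are simply not keys.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . ALLOWED_PAGES[$requested];
}

// Constructed sample inputs, including the cases raised in the thread.
$samples = [
    'ornement',
    "L\\'ornement.php",              // file name as mangled by magic quotes
    '../../etc/passwd',
    'http://example.invalid/x.txt',
    "ornement\0.txt",
    ['ornement'],
];

foreach ($samples as $input) {
    $path = resolve_page($input);
    printf("%-36s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), $path ?? 'rejected');
}

// In the real script (the "page" parameter name is an assumption):
// $path = resolve_page($_GET['page'] ?? null);
// if ($path === null) { http_response_code(404); exit; }
// include $path;
```

Because the request only ever carries a short key, the value never reaches the filesystem and the magic_quotes_gpc setting no longer affects which file is opened.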

  11. #11
    SitePoint Addict
    Join Date
    Oct 2008
    Posts
    204
    Thanks, from your answers can I conclude that there are security issues with using stripslashes($var)?

  12. #12
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    No, there are security issues with using user input without properly validating it. Especially if feeding the input to filesystem functions.

  13. #13
    SitePoint Addict
    Join Date
    Oct 2008
    Posts
    204
    Thanks again. Yes, my previous response says there is a security issue with using the stripslashes function.

  14. #14
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    There is no security issue with using stripslashes().

