Re: [PHP] mysterious include problem

2009-12-10 Thread Jochem Maas
Ashley Sheridan wrote:
 On Tue, 2009-12-08 at 17:32 +0100, Jochem Maas wrote:
 
 Hi Allen,

 gonna be a bit ruthless with you :).

 1. you're not filtering your input (you're open to include being hacked)
 2. you're not validating or error checking (e.g. does the include file exist??)
 3. keeping large numbers of content pages with numerical filenames is a maintenance
 nightmare and incidentally not very SEO friendly
 4. you're not doing much debugging (I guess) - try using var_dump(), echo, print_r(),
 etc all over your code to figure out what it's doing (e.g. var_dump($_GET, $_POST) and
 print("HELLO - I THINK \$_GET['page'] is set."))

 personally I never rely on relative paths - I always have the app determine a
 full path to the application root (either at install/update or at the 
 beginning
 of a request)

 also I would suggest you use 1 include file for all your scripts (rather than
 per dir) ... copy/paste code sucks (read up on the DRY principle).

 additionally look into FrontController patterns and the possibility to
 stuff all that content into a database which gives all sorts of opportunities
 for management/editing.

 <?php

 $page = isset($_GET['page']) && strlen($_GET['page'])
     ? basename($_GET['page'])
     : null
     ;

 if (!$page || !preg_match('#^[a-z0-9]+$#i', $page))
     $page = 'default';

 $file = dirname(__FILE__) . '/content/' . $page . '.inc';

 if (!file_exists($file) || !is_readable($file)) {
     error_log('Hack attempt? page = '.$page.', file = '.$file);
     header('Status: 404');
     exit;
 }

 // echo header
 include $file;
 // echo header

 ?>

 maybe I've bombarded you with unfamiliar concepts, functions and/or syntax.
 if so please take time to look it all up ... and then come back with 
 questions :)

 have fun.

 Allen McCabe wrote:
 I have been using includes for my content for a while now with no problems.
 Suddenly it has stopped working, and it may or may not be from some changes
 I made in my code structure.

 I use default.php for most or all of my pages within a given directory,
 changing the content via page numbers in the query string.


 So on default.php, I have the following code:


 <?php
 if(isset($_GET['page']))
 {
   $thispage = $_GET['page'];
   $content = 'content/'.$_GET['page'].'.inc';
 }
 else
 {
   $thispage = "default";
   $content = 'content/default.inc';
 }
 ?>
 html, body, div etc.
 <?php include($content); ?>


 I have a content subdirectory where I store all the pages with files such as
 default.inc, 101.inc, 102.inc, etc.

 As I said, this has been working fine up until now, if I use the url
 user/default.php or just user/ I get this error:


 *Warning*: include(content/.inc)
 [function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
 failed to open stream: No such file or directory in *
 /home/a9066165/public_html/user/default.php* on line *89*

 AND

 *Warning*: include()
 [function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
 Failed opening 'content/.inc' for inclusion
 (include_path='.:/usr/lib/php:/usr/local/lib/php') in *
 /home/a9066165/public_html/user/default.php* on line *89*

 But if I use user/default.php?page=default  I get the correct content.

 It's acting as if page is set, but set to NULL, and then trying to find an
 include at path content/.inc  what's going on??


 
 
 The SEO factor here is only minor. Very little weight is given to the
 filename of a page, much more is given to the content and the way it is
 marked up.

'friendly' - i.e. human-readable URLs are ++

with regard to SEO, I only know it has impact on real estate sites.

 Thanks,
 Ash
 http://www.ashleysheridan.co.uk
 
 
 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] mysterious include problem

2009-12-10 Thread Kim Emax

LinuxManMikeC wrote on 2009-12-07 22:48:

Instead of hard coding cases you can validate and constrain the input
with a regex.  Much more flexible when adding content.  I would also
add code to make sure the file exists, otherwise fall through to the
default.


In huge sites with a lot of include files I agree, in small sites this 
solution gives me an overview of the setup.


In this case I have an idea that the RegEx solution could be another 
problem for Allen, but it's just an idea :-)


--
Take Care
Kim Emax - master|minds - We think IT for you...
Consultancy, programming, design & hosting of websites.
http://www.masterminds.dk - http://www.emax.dk
Buy your wine online at http://www.gmvin.dk




Re: [PHP] mysterious include problem

2009-12-10 Thread Kim Madsen

LinuxManMikeC wrote on 2009-12-07 22:48:
 Instead of hard coding cases you can validate and constrain the input
 with a regex.  Much more flexible when adding content.  I would also
 add code to make sure the file exists, otherwise fall through to the
 default.

In huge sites with a lot of include files I agree, in small sites this 
solution gives me an overview of the setup.


In this case I have an idea that the RegEx solution could be another 
problem for Allen, but it's just an idea :-)


--
Take Care
Kim Emax - master|minds - We think IT for you...
Consultancy, programming, design & hosting of websites.
http://www.masterminds.dk - http://www.emax.dk
Buy your wine online at http://www.gmvin.dk





Re: [PHP] mysterious include problem

2009-12-08 Thread Jochem Maas
Hi Allen,

gonna be a bit ruthless with you :).

1. you're not filtering your input (you're open to include being hacked)
2. you're not validating or error checking (e.g. does the include file exist??)
3. keeping large numbers of content pages with numerical filenames is a maintenance
nightmare and incidentally not very SEO friendly
4. you're not doing much debugging (I guess) - try using var_dump(), echo, print_r(),
etc all over your code to figure out what it's doing (e.g. var_dump($_GET, $_POST) and
print("HELLO - I THINK \$_GET['page'] is set."))

personally I never rely on relative paths - I always have the app determine a
full path to the application root (either at install/update or at the beginning
of a request)

also I would suggest you use 1 include file for all your scripts (rather than
per dir) ... copy/paste code sucks (read up on the DRY principle).

additionally look into FrontController patterns and the possibility to
stuff all that content into a database which gives all sorts of opportunities
for management/editing.

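<?php

// keep only the last path component of ?page=, or null when it is absent or empty
$page = isset($_GET['page']) && strlen($_GET['page'])
    ? basename($_GET['page'])
    : null
    ;

// anything other than letters and digits falls back to the default page
if (!$page || !preg_match('#^[a-z0-9]+$#i', $page))
    $page = 'default';

// absolute path, independent of the current working directory
$file = dirname(__FILE__) . '/content/' . $page . '.inc';

if (!file_exists($file) || !is_readable($file)) {
    error_log('Hack attempt? page = '.$page.', file = '.$file);
    header('Status: 404');
    exit;
}

// echo header
include $file;
// echo header

?>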

maybe I've bombarded you with unfamiliar concepts, functions and/or syntax.
if so please take time to look it all up ... and then come back with questions 
:)

have fun.

Allen McCabe wrote:
 I have been using includes for my content for a while now with no problems.
 Suddenly it has stopped working, and it may or may not be from some changes
 I made in my code structure.
 
 I use default.php for most or all of my pages within a given directory,
 changing the content via page numbers in the query string.
 
 
 So on default.php, I have the following code:
 
 
 <?php
 if(isset($_GET['page']))
 {
   $thispage = $_GET['page'];
   $content = 'content/'.$_GET['page'].'.inc';
 }
 else
 {
   $thispage = "default";
   $content = 'content/default.inc';
 }
 ?>
 html, body, div etc.
 <?php include($content); ?>
 
 
 I have a content subdirectory where I store all the pages with files such as
 default.inc, 101.inc, 102.inc, etc.
 
 As I said, this has been working fine up until now, if I use the url
 user/default.php or just user/ I get this error:
 
 
 *Warning*: include(content/.inc)
 [function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
 failed to open stream: No such file or directory in *
 /home/a9066165/public_html/user/default.php* on line *89*
 
 AND
 
 *Warning*: include()
 [function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
 Failed opening 'content/.inc' for inclusion
 (include_path='.:/usr/lib/php:/usr/local/lib/php') in *
 /home/a9066165/public_html/user/default.php* on line *89*
 
 But if I use user/default.php?page=default  I get the correct content.
 
 It's acting as if page is set, but set to NULL, and then trying to find an
 include at path content/.inc  what's going on??
 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
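
The checks discussed in this thread (constrain the parameter, build an absolute path, confirm the file exists), gathered into one function and run next to the concatenation from the original post. This is an added example, not code posted by anyone in the thread: `resolve_page()`, `original_path()`, the temporary directory and the query strings are constructed for illustration, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. resolve_page(), original_path(),
// the sandbox directory and the query strings are constructed for illustration.

/** Absolute path of the content file to include, or null when the answer is a 404. */
function resolve_page($raw, string $contentDir): ?string
{
    // Absent, empty, or non-string (?page[]=x arrives as an array): default page.
    if (!is_string($raw) || $raw === '') {
        $raw = 'default';
    }
    // \A and \z anchor the whole string; a bare $ would also accept a trailing "\n".
    if (!preg_match('/\A[a-z0-9]+\z/i', $raw)) {
        return null;
    }
    $base = realpath($contentDir);
    $file = realpath($contentDir . '/' . $raw . '.inc');
    // realpath() is false for a missing file and resolves symlinks, so the prefix
    // comparison confirms the target really sits inside the content directory.
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($file) || !is_readable($file)) {
        return null;
    }
    return $file;
}

/** The concatenation from the original post, kept only to show the path it builds. */
function original_path(array $get): string
{
    return isset($get['page'])
        ? 'content/' . $get['page'] . '.inc'
        : 'content/default.inc';
}

// Constructed sandbox: a temporary content/ directory holding two pages.
$dir = sys_get_temp_dir() . '/include_demo_' . getmypid() . '/content';
mkdir($dir, 0700, true);
file_put_contents($dir . '/default.inc', 'default page');
file_put_contents($dir . '/101.inc', 'page 101');

// Constructed query strings, parsed the way PHP fills $_GET.
$queries = ['', 'page=', 'page=101', 'page=999', 'page=../default',
            'page=http://example.invalid/x', 'page[]=101', 'page=101%0A'];

foreach ($queries as $qs) {
    parse_str($qs, $get);
    $raw = $get['page'] ?? null;
    $old = is_array($raw) ? '(array)' : addcslashes(original_path($get), "\n");
    $new = resolve_page($raw, $dir);
    printf("%-30s old: %-36s new: %s\n", '?' . $qs, $old,
           $new === null ? '404' : basename($new));
}

// Remove the sandbox again.
array_map('unlink', glob($dir . '/*.inc'));
rmdir($dir);
rmdir(dirname($dir));
```

In the output, `?page=` makes the original concatenation build `content/.inc`, the path shown in the warning, because `isset()` is true for an empty string; the function falls back to `default.inc` for that input and returns a 404 for everything that is not a plain alphanumeric name of an existing file.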



Re: [PHP] mysterious include problem

2009-12-08 Thread Ashley Sheridan
On Tue, 2009-12-08 at 17:32 +0100, Jochem Maas wrote:

 Hi Allen,
 
 gonna be a bit ruthless with you :).
 
 1. you're not filtering your input (you're open to include being hacked)
 2. you're not validating or error checking (e.g. does the include file exist??)
 3. keeping large numbers of content pages with numerical filenames is a maintenance
 nightmare and incidentally not very SEO friendly
 4. you're not doing much debugging (I guess) - try using var_dump(), echo, print_r(),
 etc all over your code to figure out what it's doing (e.g. var_dump($_GET, $_POST) and
 print("HELLO - I THINK \$_GET['page'] is set."))
 
 personally I never rely on relative paths - I always have the app determine a
 full path to the application root (either at install/update or at the 
 beginning
 of a request)
 
 also I would suggest you use 1 include file for all your scripts (rather than
 per dir) ... copy/paste code sucks (read up on the DRY principle).
 
 additionally look into FrontController patterns and the possibility to
 stuff all that content into a database which gives all sorts of opportunities
 for management/editing.
 
 <?php

 $page = isset($_GET['page']) && strlen($_GET['page'])
     ? basename($_GET['page'])
     : null
     ;

 if (!$page || !preg_match('#^[a-z0-9]+$#i', $page))
     $page = 'default';

 $file = dirname(__FILE__) . '/content/' . $page . '.inc';

 if (!file_exists($file) || !is_readable($file)) {
     error_log('Hack attempt? page = '.$page.', file = '.$file);
     header('Status: 404');
     exit;
 }

 // echo header
 include $file;
 // echo header

 ?>
 
 maybe I've bombarded you with unfamiliar concepts, functions and/or syntax.
 if so please take time to look it all up ... and then come back with 
 questions :)
 
 have fun.
 
 Allen McCabe wrote:
  I have been using includes for my content for a while now with no problems.
  Suddenly it has stopped working, and it may or may not be from some changes
  I made in my code structure.
  
  I use default.php for most or all of my pages within a given directory,
  changing the content via page numbers in the query string.
  
  
  So on default.php, I have the following code:
  
  
  <?php
  if(isset($_GET['page']))
  {
    $thispage = $_GET['page'];
    $content = 'content/'.$_GET['page'].'.inc';
  }
  else
  {
    $thispage = "default";
    $content = 'content/default.inc';
  }
  ?>
  html, body, div etc.
  <?php include($content); ?>
  
  
  I have a content subdirectory where I store all the pages with files such as
  default.inc, 101.inc, 102.inc, etc.
  
  As I said, this has been working fine up until now, if I use the url
  user/default.php or just user/ I get this error:
  
  
  *Warning*: include(content/.inc)
  [function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
  failed to open stream: No such file or directory in *
  /home/a9066165/public_html/user/default.php* on line *89*
  
  AND
  
  *Warning*: include()
  [function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
  Failed opening 'content/.inc' for inclusion
  (include_path='.:/usr/lib/php:/usr/local/lib/php') in *
  /home/a9066165/public_html/user/default.php* on line *89*
  
  But if I use user/default.php?page=default  I get the correct content.
  
  It's acting as if page is set, but set to NULL, and then trying to find an
  include at path content/.inc  what's going on??
  
 
 


The SEO factor here is only minor. Very little weight is given to the
filename of a page, much more is given to the content and the way it is
marked up.

Thanks,
Ash
http://www.ashleysheridan.co.uk




[PHP] mysterious include problem

2009-12-07 Thread Allen McCabe
I have been using includes for my content for a while now with no problems.
Suddenly it has stopped working, and it may or may not be from some changes
I made in my code structure.

I use default.php for most or all of my pages within a given directory,
changing the content via page numbers in the query string.


So on default.php, I have the following code:


<?php
if(isset($_GET['page']))
{
  $thispage = $_GET['page'];
  $content = 'content/'.$_GET['page'].'.inc';
}
else
{
  $thispage = "default";
  $content = 'content/default.inc';
}
?>
html, body, div etc.
<?php include($content); ?>


I have a content subdirectory where I store all the pages with files such as
default.inc, 101.inc, 102.inc, etc.

As I said, this has been working fine up until now, if I use the url
user/default.php or just user/ I get this error:


*Warning*: include(content/.inc)
[function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
failed to open stream: No such file or directory in *
/home/a9066165/public_html/user/default.php* on line *89*

AND

*Warning*: include()
[function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
Failed opening 'content/.inc' for inclusion
(include_path='.:/usr/lib/php:/usr/local/lib/php') in *
/home/a9066165/public_html/user/default.php* on line *89*

But if I use user/default.php?page=default  I get the correct content.

It's acting as if page is set, but set to NULL, and then trying to find an
include at path content/.inc  what's going on??


Re: [PHP] mysterious include problem

2009-12-07 Thread Kim Madsen

Hi Allen

Allen McCabe wrote on 2009-12-07 21:03:

I have been using includes for my content for a while now with no problems.
Suddenly it has stopped working, and it may or may not be from some changes
I made in my code structure.

I use default.php for most or all of my pages within a given directory,
changing the content via page numbers in the query string.


So on default.php, I have the following code:


<?php
if(isset($_GET['page']))
{
  $thispage = $_GET['page'];
  $content = 'content/'.$_GET['page'].'.inc';
}

 else
 {
   $thispage = "default";
   $content = 'content/default.inc';
 }

WOUW! this is a potential security issue!

I can add _any_ parameter to page, incl. an external one, so skip this 
and use a switch instead


switch($_GET['page']) {
  case "admin": $content = "content/admin.inc"; break;
  case "member": $content = "content/member.inc"; break;
  default: $content = "content/default.inc";
}

What use is $thispage by the way?


?>
html, body, div etc.
<?php include($content); ?>


I have a content subdirectory where I store all the pages with files such as
default.inc, 101.inc, 102.inc, etc.

As I said, this has been working fine up until now, if I use the url
user/default.php or just user/ I get this error:


*Warning*: include(content/.inc)


$_GET['page'] is not set, try and print it to the screen as well...


[function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
failed to open stream: No such file or directory in *
/home/a9066165/public_html/user/default.php* on line *89*

AND

*Warning*: include()
[function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
Failed opening 'content/.inc' for inclusion
(include_path='.:/usr/lib/php:/usr/local/lib/php') in *
/home/a9066165/public_html/user/default.php* on line *89*

But if I use user/default.php?page=default  I get the correct content.

It's acting as if page is set, but set to NULL, and then trying to find an
include at path content/.inc  what's going on??




--
Kind regards
Kim Emax - masterminds.dk




Re: [PHP] mysterious include problem

2009-12-07 Thread Ashley Sheridan
On Mon, 2009-12-07 at 21:14 +0100, Kim Madsen wrote:

 Hi Allen
 
 Allen McCabe wrote on 2009-12-07 21:03:
  I have been using includes for my content for a while now with no problems.
  Suddenly it has stopped working, and it may or may not be from some changes
  I made in my code structure.
  
  I use default.php for most or all of my pages within a given directory,
  changing the content via page numbers in the query string.
  
  
  So on default.php, I have the following code:
  
  
  <?php
  if(isset($_GET['page']))
  {
    $thispage = $_GET['page'];
    $content = 'content/'.$_GET['page'].'.inc';
  }
   else
   {
     $thispage = "default";
     $content = 'content/default.inc';
   }
 
 WOUW! this is a potential security issue!
 
 I can add _any_ parameter to page, incl. an external one, so skip this 
 and use a switch instead
 
 switch($_GET['page']) {
   case "admin": $content = "content/admin.inc"; break;
   case "member": $content = "content/member.inc"; break;
   default: $content = "content/default.inc";
 }
 
 What use is $thispage by the way?
 
  ?>
  html, body, div etc.
  <?php include($content); ?>
  
  
  I have a content subdirectory where I store all the pages with files such as
  default.inc, 101.inc, 102.inc, etc.
  
  As I said, this has been working fine up until now, if I use the url
  user/default.php or just user/ I get this error:
  
  
  *Warning*: include(content/.inc)
 
 $_GET['page'] is not set, try and print it to the screen as well...
 
  [function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
  failed to open stream: No such file or directory in *
  /home/a9066165/public_html/user/default.php* on line *89*
  
  AND
  
  *Warning*: include()
  [function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
  Failed opening 'content/.inc' for inclusion
  (include_path='.:/usr/lib/php:/usr/local/lib/php') in *
  /home/a9066165/public_html/user/default.php* on line *89*
  
  But if I use user/default.php?page=default  I get the correct content.
  
  It's acting as if page is set, but set to NULL, and then trying to find an
  include at path content/.inc  what's going on??
  
 
 
 -- 
 Kind regards
 Kim Emax - masterminds.dk
 


Are you sure that the paths are correct, including relative ones?

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: [PHP] mysterious include problem

2009-12-07 Thread LinuxManMikeC
Instead of hard coding cases you can validate and constrain the input
with a regex.  Much more flexible when adding content.  I would also
add code to make sure the file exists, otherwise fall through to the
default.

On Mon, Dec 7, 2009 at 1:14 PM, Kim Madsen <php@emax.dk> wrote:
 Hi Allen

 Allen McCabe wrote on 2009-12-07 21:03:

 I have been using includes for my content for a while now with no
 problems.
 Suddenly it has stopped working, and it may or may not be from some
 changes
 I made in my code structure.

 I use default.php for most or all of my pages within a given directory,
 changing the content via page numbers in the query string.


 So on default.php, I have the following code:


 <?php
 if(isset($_GET['page']))
 {
  $thispage = $_GET['page'];
  $content = 'content/'.$_GET['page'].'.inc';
 }

 else
 {
   $thispage = "default";
   $content = 'content/default.inc';
 }

 WOUW! this is a potential security issue!

 I can add _any_ parameter to page, incl. an external one, so skip this and
 use a switch instead

 switch($_GET['page']) {
  case "admin": $content = "content/admin.inc"; break;
  case "member": $content = "content/member.inc"; break;
  default: $content = "content/default.inc";
 }

 What use is $thispage by the way?

 ?>
 html, body, div etc.
 <?php include($content); ?>


 I have a content subdirectory where I store all the pages with files such
 as
 default.inc, 101.inc, 102.inc, etc.

 As I said, this has been working fine up until now, if I use the url
 user/default.php or just user/ I get this error:


 *Warning*: include(content/.inc)

 $_GET['page'] is not set, try and print it to the screen as well...

 [function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
 failed to open stream: No such file or directory in *
 /home/a9066165/public_html/user/default.php* on line *89*

 AND

 *Warning*: include()
 [function.includehttp://lpacmarketing.hostzi.com/user/function.include]:
 Failed opening 'content/.inc' for inclusion
 (include_path='.:/usr/lib/php:/usr/local/lib/php') in *
 /home/a9066165/public_html/user/default.php* on line *89*

 But if I use user/default.php?page=default  I get the correct content.

 It's acting as if page is set, but set to NULL, and then trying to find an
 include at path content/.inc  what's going on??



 --
 Kind regards
 Kim Emax - masterminds.dk



