
include/header questions

Hello,

I am having problems with an include statement. I'm setting a session
variable flag and then including a file, and in that include file I have
a check at the top to make sure that the session variable is set,
otherwise I stop executing and redirect.

My problem is that this works if I use a relative path to the include
file, but not if I use the full path. If I use the full path, it does
not read the session flag as being set, and thus kills the include page.

So basically...

// page 1
$_SESSION['flag'] = "true";
include("../folder2/page2.php"); // this works
include("http://localhost/folder2/page2.php"); // this does not work

// page 2
if(isset($_SESSION['flag']) && $_SESSION['flag'] == "true")
{
// relative include gets you here
}
else
{
// absolute include gets you here
}

allow_url_fopen is ON in php.ini if that makes any difference, it's the
only thing I could find that seemed like it might affect this?

Also, I read in the manual for header() that:

HTTP/1.1 requires an absolute URI as argument to Location: including the
scheme, hostname and absolute path, but some clients accept relative URIs.

a) All of my header calls involve relative paths and they work, but
should I change them to absolute? Does using relative pose a security risk?

b) Does this also apply to include? Does using relative paths with
include pose a security risk? (I never use variables in include or header
statements, even when using relative paths I specify which file to
include/redirect to...)

Thanks a bunch in advance.

Marcus
Jul 17 '05 #1
Marcus (Ju********@aol .com) wrote:
: Hello,

: I am having problems with an include statement. I'm setting a session
: variable flag and then including a file, and in that include file I have
: a check at the top to make sure that the session variable is set,
: otherwise I stop executing and redirect.

: My problem is that this works if I use a relative path to the include
: file, but not if I use the full path. If I use the full path, it does
: not read the session flag as being set, and thus kills the include page.

: So basically...

: // page 1
: $_SESSION['flag'] = "true";
: include("../folder2/page2.php"); // this works
: include("http://localhost/folder2/page2.php"); // this does not work

Your "relative" path is reading the contents of a file directly from the
local file system, whereas your "full path" is asking a web server to
(probably) run a script and send you the results. (Well, it is possible
the web server will send the contents, but since you are accessing your
own files from your own script directory, I doubt that. Instead the
server will try to run the script and return the result, and it is the
result that you are then including into your main script.)

So the two are really very different things.

If you wish to find an include file in a fixed location then you could
simply specify its path as a local file.

include("/this/is/an/absolute/path/folder2/page2.php");

To do this you need to find the full path name of your files on the
server, which is _not_ normally the same as the full path used when you
access them through the web.

Or, you could change the file type so that the web server is just sending
you the contents of the script, which is probably what you really want.
I don't think the php include command cares about the file name extension,
as long as the text it receives is valid php then it will use it as php
code, so just rename the file to anything that will make it get returned
as text.

OR, because the server is your own server, then it may be possible for the
"full path" script to run and also access the session variables, but to do so
it will have to receive the same session identifiers (as headers or in the
url) that it would receive if a regular browser was accessing it. It will
then use them to find the session file just like a normal php script
might. Presumably you could add them as a query string to the URL of the
include, if there is no other way to control the headers sent with the
include request. Somehow I doubt you really wish to do this.
--

This space not for rent.
Jul 17 '05 #2
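
The distinction drawn in the reply above (a filesystem include runs inside the current request and sees its `$_SESSION`, while a URL include is a separate HTTP request) is shown here as an added example that is not part of the original thread. `resolve_include()` and the temporary directory layout are hypothetical names constructed for the demonstration; it refuses URL-style and out-of-directory paths before `include` is reached.

```php
<?php
// Added example, not code from the thread. resolve_include() and the
// temporary directory layout are hypothetical names constructed for the demo.

// Return a canonical local path for $name under $baseDir, or throw.
function resolve_include(string $baseDir, string $name): string
{
    // A scheme such as http:// or php:// means "stream wrapper", not "file".
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $name)) {
        throw new InvalidArgumentException("URL includes are refused: $name");
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for missing files and collapses "../".
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("Outside include directory: $name");
    }
    return $path;
}

// Constructed layout standing in for folder2/page2.php from the question.
$root = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir("$root/folder2", 0700, true);
file_put_contents("$root/folder2/page2.php",
    '<?php return isset($_SESSION["flag"]) && $_SESSION["flag"] === "true";');

$_SESSION['flag'] = 'true';   // page 1 sets the flag (session_start() omitted for CLI)

// Local include: page2.php is compiled into this request and sees the flag.
$seen = include resolve_include($root, 'folder2/page2.php');
echo 'local include sees flag: ', var_export($seen, true), PHP_EOL;

// The URL form and a path that leaves the base directory are both refused.
foreach (['http://localhost/folder2/page2.php', '../outside.php'] as $bad) {
    try {
        include resolve_include($root, $bad);
    } catch (InvalidArgumentException $e) {
        echo 'refused: ', $e->getMessage(), PHP_EOL;
    }
}

unlink("$root/folder2/page2.php");
rmdir("$root/folder2");
rmdir($root);
```

On PHP 5.2 and later, URL includes additionally require `allow_url_include`, which is off by default and is separate from the `allow_url_fopen` setting mentioned in the question.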
Malcolm Dew-Jones wrote:
Marcus (Ju********@aol .com) wrote:
: Hello,

: I am having problems with an include statement. I'm setting a session
: variable flag and then including a file, and in that include file I have
: a check at the top to make sure that the session variable is set,
: otherwise I stop executing and redirect.

: My problem is that this works if I use a relative path to the include
: file, but not if I use the full path. If I use the full path, it does
: not read the session flag as being set, and thus kills the include page.

: So basically...

: // page 1
: $_SESSION['flag'] = "true";
: include("../folder2/page2.php"); // this works
: include("http://localhost/folder2/page2.php"); // this does not work

Your "relative" path is reading the contents of a file directly from the
local file system, whereas your "full path" is asking a web server to
(probably) run a script and send you the results. (Well, it is possible
the web server will send the contents, but since you are accessing your
own files from your own script directory, I doubt that. Instead the
server will try to run the script and return the result, and it is the
result that you are then including into your main script.)

So the two are really very different things.

If you wish to find an include file in a fixed location then you could
simply specify its path as a local file.

include("/this/is/an/absolute/path/folder2/page2.php");

To do this you need to find the full path name of your files on the
server, which is _not_ normally the same as the full path used when you
access them through the web.

Or, you could change the file type so that the web server is just sending
you the contents of the script, which is probably what you really want.
I don't think the php include command cares about the file name extension,
as long as the text it receives is valid php then it will use it as php
code, so just rename the file to anything that will make it get returned
as text.

OR, because the server is your own server, then it may be possible for the
"full path" script to run and also access the session variables, but to do so
it will have to receive the same session identifiers (as headers or in the
url) that it would receive if a regular browser was accessing it. It will
then use them to find the session file just like a normal php script
might. Presumably you could add them as a query string to the URL of the
include, if there is no other way to control the headers sent with the
include request. Somehow I doubt you really wish to do this.
--

This space not for rent.

Malcolm,

Thank you for the reply. Please correct me if I am wrong, but to
summarize, it is ok (i.e. not a security vulnerability) to use relative
path names (with respect to the folder the page calling the include
resides in)? (i.e. the method that I reported working)

With regard to my second question, does anyone know if not specifying a
full absolute path in a header location call has any drawbacks?
Security flaws, weird behavior, etc.

Thanks again.
Jul 17 '05 #3
