|
P: n/a
|
Hello,
I am having problems with an include statement. I'm setting a session
variable flag and then including a file, and in that include file I have
a check at the top to make sure that the session variable is set,
otherwise I stop executing and redirect.
My problem is that this works if I use a relative path to the include
file, but not if I use the full path. If I use the full path, it does
not read the session flag as being set, and thus kills the include page.
So basically...
// page 1
$_SESSION['flag'] = "true";
include("../folder2/page2.php"); // this works
include("http://localhost/folder2/page2.php"); // this does not work
// page 2
if(isset($_SESSION['flag']) && $_SESSION['flag'] == "true")
{
// relative include gets you here
}
else
{
// absolute include gets you here
}
allow_url_fopen is ON in php.ini if that makes any difference, it's the
only thing I could find that seemed like it might affect this?
Also, I read in the manual for header() that:
HTTP/1.1 requires an absolute URI as argument to Location: including the
scheme, hostname and absolute path, but some clients accept relative URIs.
a) All of my header calls involve relative paths and they work, but
should I change them to absolute? Does using relative pose a security risk?
b) Does this also apply to include? Does using relative paths with
include pose a security risk? (I never variables in include or header
statements, even when using relative paths I specify which file to
include/redirect to...)
Thanks a bunch in advance.
Marcus
| |
Share this Question
|
P: n/a
|
Marcus (Ju********@aol.com) wrote:
: Hello,
: I am having problems with an include statement. I'm setting a session
: variable flag and then including a file, and in that include file I have
: a check at the top to make sure that the session variable is set,
: otherwise I stop executing and redirect.
: My problem is that this works if I use a relative path to the include
: file, but not if I use the full path. If I use the full path, it does
: not read the session flag as being set, and thus kills the include page.
: So basically...
: // page 1
: $_SESSION['flag'] = "true";
: include("../folder2/page2.php"); // this works
: include("http://localhost/folder2/page2.php"); // this does not work
Your "relative" path is reading the contents of a file directly from the
local file system, whereas your "full path" is asking a web server to
(probably) run a script and send you the results. (Well, it is possible
the web server will send the contents, but since you are accessing your
own files from your own script directory, I doubt that. Instead the
server will try to run the script and return the result, and it is the
result that you are then including into your main script.)
So the two are really very different things.
If you wish to find an include file in a fixed location then you could
simply specify its path as a local file.
include("/this/is/an/absolute/path/folder2/page2.php");
To do this you need to find the full path name of your files on the
server, which is _not_ normally the same as the full path used when you
access them through the web.
Or, yYou could change the file type so that the web server is just sending
you the contents of the script, which is probably what you really want.
I don't think the php include command cares about the file name extension,
as long as the text it receives is valid php then it will use it as php
code, so just rename the file to anything that will make it get returned
as text.
OR, because the server is your own server, then it may be possible for the
"full path" script run and also access the session variables, but to do so
it will have to receive the same session identifiers (as headers or in the
url) that it would receive if a regular browser was accessing it. It will
then use them to find the session file just like a normal php script
might. Presumably you could add then as a query string to the URL of the
include, if there is no other way to control the headers sent with the
include request. Somehow I doubt you really wish to do this.
--
This space not for rent.
| |
|
P: n/a
|
Malcolm Dew-Jones wrote: Marcus (Ju********@aol.com) wrote:
: Hello,
: I am having problems with an include statement. I'm setting a session
: variable flag and then including a file, and in that include file I have
: a check at the top to make sure that the session variable is set,
: otherwise I stop executing and redirect.
: My problem is that this works if I use a relative path to the include
: file, but not if I use the full path. If I use the full path, it does
: not read the session flag as being set, and thus kills the include page.
: So basically...
: // page 1
: $_SESSION['flag'] = "true";
: include("../folder2/page2.php"); // this works
: include("http://localhost/folder2/page2.php"); // this does not work
Your "relative" path is reading the contents of a file directly from the
local file system, whereas your "full path" is asking a web server to
(probably) run a script and send you the results. (Well, it is possible
the web server will send the contents, but since you are accessing your
own files from your own script directory, I doubt that. Instead the
server will try to run the script and return the result, and it is the
result that you are then including into your main script.)
So the two are really very different things.
If you wish to find an include file in a fixed location then you could
simply specify its path as a local file.
include("/this/is/an/absolute/path/folder2/page2.php");
To do this you need to find the full path name of your files on the
server, which is _not_ normally the same as the full path used when you
access them through the web.
Or, yYou could change the file type so that the web server is just sending
you the contents of the script, which is probably what you really want.
I don't think the php include command cares about the file name extension,
as long as the text it receives is valid php then it will use it as php
code, so just rename the file to anything that will make it get returned
as text.
OR, because the server is your own server, then it may be possible for the
"full path" script run and also access the session variables, but to do so
it will have to receive the same session identifiers (as headers or in the
url) that it would receive if a regular browser was accessing it. It will
then use them to find the session file just like a normal php script
might. Presumably you could add then as a query string to the URL of the
include, if there is no other way to control the headers sent with the
include request. Somehow I doubt you really wish to do this.
--
This space not for rent.
Malcolm,
Thank you for the reply. Please correct me if I am wrong, but to
summarize, it is ok (i.e. not a security vulnerability) to use relative
path names (with respect to the folder the page calling the include
resides in)? (i.e. the method that I reported working)
With regard to my second question, does anyone know if not specifying a
full absolute path in a header location call has any drawbacks?
Security flaws, weird behavior, etc.
Thanks again. | | This discussion thread is closed Replies have been disabled for this discussion. | |  Question stats - viewed: 1526
- replies: 2
- date asked: Jul 17 '05
|
