Include with variables - why does this work ?

TMN wrote:

Hi All

I am new to PHP and I do not understand why the following works ??

$file=urlencode("displayIncidents.php");
echo "<a href=statistics.php?fileName=$file&delete=true>Del ete
Incident</a><br />";

When this link is selected the statistics.php simply includes the file
that passed to it - but why does it find the file and not try to load
the literal 'fileName=$file&delete=true' (that obviously does not
exist) ?

Hi,

We cannot say what statistics.php will do with the contents in the url
because you didn't show any code from that file.

But what you do here is simply creating an URL.
urlencode takes a string and transforms it to a form that can be passed
through a url, as you did.
Nothing more nothing less.

So what happens is:
1) your variable $file contains 'displayIncidents.php'
2) you echo:
<a href=statistics.php?fileName=$file&delete=true>Del ete Incident</a><br/>

where $file gets replaced by the value in $file, so you get:

<a href=statistics.php?fileName=displayIncidents.php& delete=true>
Delete Incident</a><br/>

This happens because you put a variablename into "", it gets replaced.
If you use '' this will not happen.

consider the following code:
$myvar = "John";
echo "Hi $myVar";
// will produce: Hi John

Regards,
Erwin Moller

>
thanks
Tim

Thanks - I should have include the statistics code:

$file=$_GET['fileName'];
echo "Requested File is: ".$file;
include($file);

The include works and finds 'displayIncidents.php' instead of trying
to find 'displayIncidents.php&delete=true' - is this because I used
urlencode ?

thanks
Tim
Erwin Moller wrote:

TMN wrote:

Hi All

I am new to PHP and I do not understand why the following works ??

$file=urlencode("displayIncidents.php");
echo "<a href=statistics.php?fileName=$file&delete=true>Del ete
Incident</a><br />";

When this link is selected the statistics.php simply includes the file
that passed to it - but why does it find the file and not try to load
the literal 'fileName=$file&delete=true' (that obviously does not
exist) ?

Hi,

We cannot say what statistics.php will do with the contents in the url
because you didn't show any code from that file.

But what you do here is simply creating an URL.
urlencode takes a string and transforms it to a form that can be passed
through a url, as you did.
Nothing more nothing less.

So what happens is:
1) your variable $file contains 'displayIncidents.php'
2) you echo:
<a href=statistics.php?fileName=$file&delete=true>Del ete Incident</a><br/>

where $file gets replaced by the value in $file, so you get:

<a href=statistics.php?fileName=displayIncidents.php& delete=true>
Delete Incident</a><br/>

This happens because you put a variablename into "", it gets replaced.
If you use '' this will not happen.

consider the following code:
$myvar = "John";
echo "Hi $myVar";
// will produce: Hi John

Regards,
Erwin Moller

thanks
Tim

TMN wrote:

Thanks - I should have include the statistics code:

$file=$_GET['fileName'];
echo "Requested File is: ".$file;
include($file);

The include works and finds 'displayIncidents.php' instead of trying
to find 'displayIncidents.php&delete=true' - is this because I used
urlencode ?

No, in $_GET['fileName'] is only displayIncidents.php at this point. The
ampersand divides the GET variables. So, $_GET['delete'] == 'true' (the
string true) at this point. If you want to have the
'displayIncidents.php&delete=true' in one GET variable fileName, you should
(raw)urlencode all of it, this means including the & and =.
--
Rik Wasmus

TMN wrote:

answer: Because it destroys the order of the conversation.
question: Why?
anser: Topposting
question: What is the most annoying thing on Usenet?

Thanks - I should have include the statistics code:

$file=$_GET['fileName'];
echo "Requested File is: ".$file;
include($file);

The include works and finds 'displayIncidents.php' instead of trying
to find 'displayIncidents.php&delete=true' - is this because I used
urlencode ?

No, that is simply because your URL contains a few name-value pairs,
seperated by &.
You extract one of them, as you did, via $_GET["somename"].

The URLencoding only make sure that the value you are posting is valid for
passing around via url.
An example:

[BAD]
$url = "test.php";
// now add a few name/value pair without urlencode:
$name1 = "question";
$value1 = "How do I pass strange stuff around? (like this:&%#)";

$name2 = "username";
$value2 = "Jim Johnson";

$url .= "?$name1=$value1&$name2=$value2";

This will end up with the following url:
test.php?question=How do I pass strange stuff around? (like
this:&%#)&username=Jim Johnson

Which will surely fail.

[GOOD]
$url = "test.php";
// now add a few name/value pair without urlencode:
$name1 = "question";
$value1 = "How do I pass strange stuff around? (like this:&%#)";

$name2 = "username";
$value2 = "Jim Johnson";

$url .= "?$name1=".urlencode($value1)."&$name2=".urlendode ($value2);

This will end up with an url that replaced all naughty characters with
url-encoded characters tat are OK to use in an url.

Hope that helps.

Regards,
Erwin Moller

>
thanks
Tim
Erwin Moller wrote:

>TMN wrote:

Hi All

I am new to PHP and I do not understand why the following works ??

$file=urlencode("displayIncidents.php");
echo "<a href=statistics.php?fileName=$file&delete=true>Del ete
Incident</a><br />";

When this link is selected the statistics.php simply includes the file
that passed to it - but why does it find the file and not try to load
the literal 'fileName=$file&delete=true' (that obviously does not
exist) ?

Hi,

We cannot say what statistics.php will do with the contents in the url
because you didn't show any code from that file.

But what you do here is simply creating an URL.
urlencode takes a string and transforms it to a form that can be passed
through a url, as you did.
Nothing more nothing less.

So what happens is:
1) your variable $file contains 'displayIncidents.php'
2) you echo:
<a href=statistics.php?fileName=$file&delete=true>Del ete
Incident</a><br/>

where $file gets replaced by the value in $file, so you get:

<a href=statistics.php?fileName=displayIncidents.php& delete=true>
Delete Incident</a><br/>

This happens because you put a variablename into "", it gets replaced.
If you use '' this will not happen.

consider the following code:
$myvar = "John";
echo "Hi $myVar";
// will produce: Hi John

Regards,
Erwin Moller

>
thanks
Tim

Erwin Moller wrote:

TMN wrote:

answer: Because it destroys the order of the conversation.
question: Why?
anser: Topposting
question: What is the most annoying thing on Usenet?

Thanks - I should have include the statistics code:

$file=$_GET['fileName'];
echo "Requested File is: ".$file;
include($file);

The include works and finds 'displayIncidents.php' instead of trying
to find 'displayIncidents.php&delete=true' - is this because I used
urlencode ?

No, that is simply because your URL contains a few name-value pairs,
seperated by &.
You extract one of them, as you did, via $_GET["somename"].

The URLencoding only make sure that the value you are posting is valid for
passing around via url.
An example:

[BAD]
$url = "test.php";
// now add a few name/value pair without urlencode:
$name1 = "question";
$value1 = "How do I pass strange stuff around? (like this:&%#)";

$name2 = "username";
$value2 = "Jim Johnson";

$url .= "?$name1=$value1&$name2=$value2";

This will end up with the following url:
test.php?question=How do I pass strange stuff around? (like
this:&%#)&username=Jim Johnson

Which will surely fail.

[GOOD]
$url = "test.php";
// now add a few name/value pair without urlencode:
$name1 = "question";
$value1 = "How do I pass strange stuff around? (like this:&%#)";

$name2 = "username";
$value2 = "Jim Johnson";

$url .= "?$name1=".urlencode($value1)."&$name2=".urlendode ($value2);

This will end up with an url that replaced all naughty characters with
url-encoded characters tat are OK to use in an url.

Hope that helps.

Regards,
Erwin Moller

thanks
Tim
Erwin Moller wrote:

TMN wrote:

Hi All

I am new to PHP and I do not understand why the following works ??

$file=urlencode("displayIncidents.php");
echo "<a href=statistics.php?fileName=$file&delete=true>Del ete
Incident</a><br />";

When this link is selected the statistics.php simply includes the file
that passed to it - but why does it find the file and not try to load
the literal 'fileName=$file&delete=true' (that obviously does not
exist) ?

Hi,

We cannot say what statistics.php will do with the contents in the url
because you didn't show any code from that file.

But what you do here is simply creating an URL.
urlencode takes a string and transforms it to a form that can be passed
through a url, as you did.
Nothing more nothing less.

So what happens is:
1) your variable $file contains 'displayIncidents.php'
2) you echo:
<a href=statistics.php?fileName=$file&delete=true>Del ete
Incident</a><br/>

where $file gets replaced by the value in $file, so you get:

<a href=statistics.php?fileName=displayIncidents.php& delete=true>
Delete Incident</a><br/>

This happens because you put a variablename into "", it gets replaced.
If you use '' this will not happen.

consider the following code:
$myvar = "John";
echo "Hi $myVar";
// will produce: Hi John

Regards,
Erwin Moller

thanks
Tim

No more top posting for me !!!!!

Thanks for the explanation - in displayIncidents.php I can do this:
$showDelete = $_GET["delete"];
So the php function "include" knows to parse the name-value pairs and
the url ?

thanks
Tim

TMN wrote:

Erwin Moller wrote:

>>The include works and finds 'displayIncidents.php' instead of
trying
to find 'displayIncidents.php&delete=true' - is this because I used
urlencode ?

No, that is simply because your URL contains a few name-value pairs,
seperated by &.
You extract one of them, as you did, via $_GET["somename"].

The URLencoding only make sure that the value you are posting is
valid for passing around via url.

[GOOD]
$url .= "?$name1=".urlencode($value1)."&$name2=".urlendode ($value2);

This will end up with an url that replaced all naughty characters
with url-encoded characters tat are OK to use in an url.

No more top posting for me !!!!!

Hear, hear! :-)

Thanks for the explanation - in displayIncidents.php I can do this:
$showDelete = $_GET["delete"];
So the php function "include" knows to parse the name-value pairs and
the url ?

The variables are already parsed at the beginning. All variables in the
scope the include is called in (so global scope if called in global, the
scope of a function if called in that) are available to the included
script.

Furthermore, the $_GET ($_POST/$_SERVER/$_SESSION/$_REQUEST/$_ENV) are
'superglobals', which means you can access them directly from any point in
the script(s), they're always in scope.
--
Rik Wasmus

TMN wrote:

The include works and finds 'displayIncidents.php' instead of trying
to find 'displayIncidents.php&delete=true' - is this because I used
urlencode ?

PHP takes a query string, e.g. the part after the question mark in:

http://example.net/foo.php?a=1&b=2&c=3

and splits it up using ampersands (although it can be configured to
use different characters instead/as well) like this:

a=1
b=2
c=3

and then uses these to populate a global array called $_GET, such that:

$_GET['a'] = 1;
$_GET['b'] = 2;
$_GET['c'] = 3;

This $_GET array can now be accessed by "foo.php" and used as it likes.
(foo.php is also able to access the raw, unprocessed query string, but
this is not usually very useful.)

In your example, statistics.php sees:

$_GET['fileName'] = 'displayIncidents.php';
$_GET['delete'] = 'true';

so the following code:

$file=$_GET['fileName'];
echo "Requested File is: ".$file;
include($file);

works.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Toby Inkster wrote:

TMN wrote:

The include works and finds 'displayIncidents.php' instead of trying
to find 'displayIncidents.php&delete=true' - is this because I used
urlencode ?

PHP takes a query string, e.g. the part after the question mark in:

http://example.net/foo.php?a=1&b=2&c=3

and splits it up using ampersands (although it can be configured to
use different characters instead/as well) like this:

a=1
b=2
c=3

and then uses these to populate a global array called $_GET, such that:

$_GET['a'] = 1;
$_GET['b'] = 2;
$_GET['c'] = 3;

This $_GET array can now be accessed by "foo.php" and used as it likes.
(foo.php is also able to access the raw, unprocessed query string, but
this is not usually very useful.)

In your example, statistics.php sees:

$_GET['fileName'] = 'displayIncidents.php';
$_GET['delete'] = 'true';

so the following code:

$file=$_GET['fileName'];
echo "Requested File is: ".$file;
include($file);

works.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Thanks again that is a very clear explanation...

Tim
South Africa

TMN wrote:

Toby Inkster wrote:

>TMN wrote:

>>The include works and finds 'displayIncidents.php' instead of trying
to find 'displayIncidents.php&delete=true' - is this because I used
urlencode ?

PHP takes a query string, e.g. the part after the question mark in:

http://example.net/foo.php?a=1&b=2&c=3

and splits it up using ampersands (although it can be configured to
use different characters instead/as well) like this:

a=1
b=2
c=3

and then uses these to populate a global array called $_GET, such that:

$_GET['a'] = 1;
$_GET['b'] = 2;
$_GET['c'] = 3;

This $_GET array can now be accessed by "foo.php" and used as it likes.
(foo.php is also able to access the raw, unprocessed query string, but
this is not usually very useful.)

In your example, statistics.php sees:

$_GET['fileName'] = 'displayIncidents.php';
$_GET['delete'] = 'true';

so the following code:

$file=$_GET['fileName'];
echo "Requested File is: ".$file;
include($file);

works.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Thanks again that is a very clear explanation...

Tim
South Africa

As no one else has pointed it out (though it should be obvious)...

Doing include($file) without any validation of $file would be a big bad
security hole.

Robin

Robin wrote:

As no one else has pointed it out (though it should be obvious)...

Doing include($file) without any validation of $file would be a big
bad security hole.

It never even occured to me to include files I did not write myself :P

Validating a file is very difficult, you'll have to check it by hand.
--
Rik Wasmus

Rik wrote:

It never even occured to me to include files I did not write myself :P
Validating a file is very difficult, you'll have to check it by hand.

Don't validate the file itself -- validate the filename! For example,
check that the filename doesn't include any slashes, backslashes or colons
and you should be sorted.

$file=$_GET['fileName'];
if (preg_match('/[\/\\\:]/', $file))
die("Dirty, rotten scoundrel!");
echo "Requested File is: ".$file;
include($file);

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Toby Inkster wrote:

Rik wrote:

>It never even occured to me to include files I did not write myself
:P Validating a file is very difficult, you'll have to check it by
hand.

Don't validate the file itself -- validate the filename! For example,
check that the filename doesn't include any slashes, backslashes or
colons and you should be sorted.

$file=$_GET['fileName'];
if (preg_match('/[\/\\\:]/', $file))
die("Dirty, rotten scoundrel!");
echo "Requested File is: ".$file;
include($file);

DOH! Offcourse that was what was meant... Haven't used constructions like
this in a while.

I'd whitelist the filename, but this would work also offcourse.
--
Rik Wasmus