mysterious include problem

on 07.12.2009 21:03:52 by Allen McCabe

I have been using includes for my content for a while now with no problems.
Suddenly it has stopped working, and it may or may not be from some changes
I made in my code structure.

I use default.php for most or all of my pages within a given directory,
changing the content via page numbers in the query string.


So on default.php, I have the following code:


<?php
if(isset($_GET['page']))
{
    // the raw query-string value goes straight into the include path
    $thispage = $_GET['page'];
    $content = 'content/'.$_GET['page'].'.inc';
}
else
{
    $thispage = "default";
    $content = 'content/default.inc';
}
?>
, ,

etc.



I have a content subdirectory where I store all the pages with files such as
"default.inc, 101.inc, 102.inc, etc.

As I said, this has been working fine up until now, if I use the url
"user/default.php" or just "user/" I get this error:


*Warning*: include(content/.inc)
[function.include]:
failed to open stream: No such file or directory in *
/home/a9066165/public_html/user/default.php* on line *89*

AND

*Warning*: include()
[function.include]:
Failed opening 'content/.inc' for inclusion
(include_path='.:/usr/lib/php:/usr/local/lib/php') in *
/home/a9066165/public_html/user/default.php* on line *89*

But if I use "user/default.php?page=default" I get the correct content.

It's acting as if page is set, but set to NULL, and then trying to find an
include at path "content/.inc" what's going on??

Re: mysterious include problem

on 07.12.2009 21:14:28 by Kim Madsen

Hi Allen

Allen McCabe wrote on 2009-12-07 21:03:
> I have been using includes for my content for a while now with no problems.
> Suddenly it has stopped working, and it may or may not be from some changes
> I made in my code structure.
>
> I use default.php for most or all of my pages within a given directory,
> changing the content via page numbers in the query string.
>
>
> So on default.php, I have the following code:
>
>
> <?php
> if(isset($_GET['page']))
> {
> $thispage = $_GET['page'];
> $content = 'content/'.$_GET['page'].'.inc';
> }
> else
> {
> $thispage = "default";
> $content = 'content/default.inc';
> }

WOUW! this is a potential security issue!

I can add _any_ parameter to page, incl. an external one, so skip this
and use a switch instead

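// map each permitted page name to a fixed file; anything else gets the default
switch (isset($_GET['page']) ? $_GET['page'] : '') {
    case "admin":  $content = "content/admin.inc";  break;
    case "member": $content = "content/member.inc"; break;
    default:       $content = "content/default.inc";
}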

What use is $thispage by the way?

> ?>
> , ,
>
> etc.
>
>
>
> I have a content subdirectory where I store all the pages with files such as
> "default.inc, 101.inc, 102.inc, etc.
>
> As I said, this has been working fine up until now, if I use the url
> "user/default.php" or just "user/" I get this error:
>
>
> *Warning*: include(content/.inc)

$_GET['page'] is not set, try and print it to the screen as well...

> [function.include]:
> failed to open stream: No such file or directory in *
> /home/a9066165/public_html/user/default.php* on line *89*
>
> AND
>
> *Warning*: include()
> [function.include]:
> Failed opening 'content/.inc' for inclusion
> (include_path='.:/usr/lib/php:/usr/local/lib/php') in *
> /home/a9066165/public_html/user/default.php* on line *89*
>
> But if I use "user/default.php?page=default" I get the correct content.
>
> It's acting as if page is set, but set to NULL, and then trying to find an
> include at path "content/.inc" what's going on??
>


--
Kind regards
Kim Emax - masterminds.dk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: mysterious include problem

on 07.12.2009 21:18:52 by Ashley Sheridan

On Mon, 2009-12-07 at 21:14 +0100, Kim Madsen wrote:

> Hi Allen
>
> Allen McCabe wrote on 2009-12-07 21:03:
> > I have been using includes for my content for a while now with no problems.
> > Suddenly it has stopped working, and it may or may not be from some changes
> > I made in my code structure.
> >
> > I use default.php for most or all of my pages within a given directory,
> > changing the content via page numbers in the query string.
> >
> >
> > So on default.php, I have the following code:
> >
> >
> > <?php
> > if(isset($_GET['page']))
> > {
> > $thispage = $_GET['page'];
> > $content = 'content/'.$_GET['page'].'.inc';
> > }
> > else
> > {
> > $thispage = "default";
> > $content = 'content/default.inc';
> > }
>
> WOUW! this is a potential security issue!
>
> I can add _any_ parameter to page, incl. an external one, so skip this
> and use a switch instead
>
> switch($_GET['page']) {
> case "admin": $content = "content/admin.inc"; break;
> case "member": $content = "content/member.inc"; break;
> default: $content = "content/default.inc";
> }
>
> What use is $thispage by the way?
>
> > ?>
> > , ,
> >
> > etc.
> >
> >
> >
> > I have a content subdirectory where I store all the pages with files such as
> > "default.inc, 101.inc, 102.inc, etc.
> >
> > As I said, this has been working fine up until now, if I use the url
> > "user/default.php" or just "user/" I get this error:
> >
> >
> > *Warning*: include(content/.inc)
>
> $_GET['page'] is not set, try and print it to the screen as well...
>
> > [function.include]:
> > failed to open stream: No such file or directory in *
> > /home/a9066165/public_html/user/default.php* on line *89*
> >
> > AND
> >
> > *Warning*: include()
> > [function.include]:
> > Failed opening 'content/.inc' for inclusion
> > (include_path='.:/usr/lib/php:/usr/local/lib/php') in *
> > /home/a9066165/public_html/user/default.php* on line *89*
> >
> > But if I use "user/default.php?page=default" I get the correct content.
> >
> > It's acting as if page is set, but set to NULL, and then trying to find an
> > include at path "content/.inc" what's going on??
> >
>
>
> --
> Kind regards
> Kim Emax - masterminds.dk
>


Are you sure that the paths are correct, including relative ones?

Thanks,
Ash
http://www.ashleysheridan.co.uk



Re: mysterious include problem

on 07.12.2009 22:48:28 by LinuxManMikeC

Instead of hard coding cases you can validate and constrain the input
with a regex. Much more flexible when adding content. I would also
add code to make sure the file exists, otherwise fall through to the
default.

On Mon, Dec 7, 2009 at 1:14 PM, Kim Madsen wrote:
> Hi Allen
>
> Allen McCabe wrote on 2009-12-07 21:03:
>>
>> I have been using includes for my content for a while now with no
>> problems.
>> Suddenly it has stopped working, and it may or may not be from some
>> changes
>> I made in my code structure.
>>
>> I use default.php for most or all of my pages within a given directory,
>> changing the content via page numbers in the query string.
>>
>>
>> So on default.php, I have the following code:
>>
>>
>> <?php
>> if(isset($_GET['page']))
>> {
>>  $thispage = $_GET['page'];
>>  $content = 'content/'.$_GET['page'].'.inc';
>> }
>> else
>> {
>>   $thispage = "default";
>>   $content = 'content/default.inc';
>> }
>
> WOUW! this is a potential security issue!
>
> I can add _any_ parameter to page, incl. an external one, so skip this and
> use a switch instead
>
> switch($_GET['page']) {
>  case "admin": $content = "content/admin.inc"; break;
>  case "member": $content = "content/member.inc"; break;
>  default: $content = "content/default.inc";
> }
>
> What use is $thispage by the way?
>
>> ?>
>> , ,
>>
>> etc.
>>
>>
>>
>> I have a content subdirectory where I store all the pages with files such
>> as
>> "default.inc, 101.inc, 102.inc, etc.
>>
>> As I said, this has been working fine up until now, if I use the url
>> "user/default.php" or just "user/" I get this error:
>>
>>
>> *Warning*: include(content/.inc)
>
> $_GET['page'] is not set, try and print it to the screen as well...
>
>> [function.include]:
>> failed to open stream: No such file or directory in *
>> /home/a9066165/public_html/user/default.php* on line *89*
>>
>> AND
>>
>> *Warning*: include()
>> [function.include]:
>> Failed opening 'content/.inc' for inclusion
>> (include_path='.:/usr/lib/php:/usr/local/lib/php') in *
>> /home/a9066165/public_html/user/default.php* on line *89*
>>
>> But if I use "user/default.php?page=default" I get the correct content.
>>
>> It's acting as if page is set, but set to NULL, and then trying to find an
>> include at path "content/.inc" what's going on??
>>
>
>
> --
> Kind regards
> Kim Emax - masterminds.dk
>
>

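
What LinuxManMikeC describes (constrain the value with a regex, confirm the file exists, otherwise fall through to the default), as an added example that is not code from the thread. resolve_content_page() and the temporary sample directory are hypothetical names, and the realpath() containment check is an extra step beyond what the message asks for.

```php
<?php
// Added example, not code from the thread. resolve_content_page() and the
// sample directory below are hypothetical names used for illustration.

/**
 * Return the absolute path of the .inc file to include for a requested page,
 * falling back to default.inc when the request is missing, malformed, or
 * names a file that does not exist inside $contentDir.
 */
function resolve_content_page($requested, $contentDir)
{
    $base = realpath($contentDir);
    if ($base === false) {
        throw new RuntimeException('content directory not found');
    }
    // Assumption: default.inc always exists in the content directory.
    $default = $base . DIRECTORY_SEPARATOR . 'default.inc';

    // Arrays (?page[]=x), null and the empty string (?page=) all fail here.
    // \A and \z anchor the whole string; a plain $ would accept "101\n".
    if (!is_string($requested) || !preg_match('/\A[a-z0-9]{1,32}\z/i', $requested)) {
        return $default;
    }

    // realpath() resolves symlinks and returns false for missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.inc');
    if ($path === false || !is_file($path) || !is_readable($path)) {
        return $default;
    }
    // Containment check: the resolved file must still live under $base.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $default;
    }
    return $path;
}

// Constructed sample tree in a temp directory so the check runs offline.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'content_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/default.inc", 'default page');
file_put_contents("$dir/101.inc", 'page 101');

// Constructed request values: valid, unset, empty, parent-directory
// reference, URL, array, trailing newline, and a page with no file.
$samples = array('101', null, '', '../config', 'http://example.invalid/x',
                 array('101'), "101\n", '999');
foreach ($samples as $value) {
    $file = resolve_content_page($value, $dir);
    printf("%-28s -> %s\n", json_encode($value), basename($file));
}

unlink("$dir/default.inc");
unlink("$dir/101.inc");
rmdir($dir);
```

Only the first sample resolves to 101.inc; every other value, including the empty string that produced the "content/.inc" warning, resolves to default.inc.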

Re: mysterious include problem

on 08.12.2009 17:32:37 by Ashley Sheridan

On Tue, 2009-12-08 at 17:32 +0100, Jochem Maas wrote:

> Hi Allen,
>
> gonna be a bit ruthless with you :).
>
> 1. you're not filtering your input (you're open to include being hacked)
> 2. you're not validating or error checking (e.g. does the include file exist??)
> 3. keeping large numbers of content pages with numerical filenames is a maintenance
> nightmare and incidentally not very SEO friendly
> 4. you're not doing much debugging (I guess) - try using var_dump(), echo, print_r(),
> etc all over your code to figure out what it's doing (e.g. var_dump($_GET, $_POST) and
> print("HELLO - I THINK \$_GET['page'] is set."))
>
> personally I never rely on relative paths - I always have the app determine a
> full path to the application root (either at install/update or at the beginning
> of a request)
>
> also I would suggest you use 1 include file for all your scripts (rather than
> per dir) ... copy/paste code sucks (read up on the DRY principle).
>
> additionally look into FrontController patterns and the possibility to
> stuff all that content into a database which gives all sorts of opportunities
> for management/editing.
>
> <?php
> $page = isset($_GET['page']) && strlen($_GET['page'])
> ? basename($_GET['page'])
> : null
> ;
>
> if (!$page || !preg_match('#^[a-z0-9]+$#i', $page))
> $page = 'default';
>
> $file = dirname(__FILE__) . '/content/' . $page . '.inc';
>
> if (!file_exists($file) || !is_readable($file)) {
> error_log('Hack attempt? page = '.$page.', file = '.$file);
> header('Status: 404');
> exit;
> }
>
> // echo header
> include $file;
> // echo header
>
> ?>
>
> maybe I've bombarded you with unfamiliar concepts, functions and/or syntax.
> if so please take time to look it all up ... and then come back with questions :)
>
> have fun.
>
> Allen McCabe wrote:
> > I have been using includes for my content for a while now with no problems.
> > Suddenly it has stopped working, and it may or may not be from some changes
> > I made in my code structure.
> >
> > I use default.php for most or all of my pages within a given directory,
> > changing the content via page numbers in the query string.
> >
> >
> > So on default.php, I have the following code:
> >
> >
> > <?php
> > if(isset($_GET['page']))
> > {
> > $thispage = $_GET['page'];
> > $content = 'content/'.$_GET['page'].'.inc';
> > }
> > else
> > {
> > $thispage = "default";
> > $content = 'content/default.inc';
> > }
> > ?>
> > , ,
> >
> > etc.
> >
> >
> >
> > I have a content subdirectory where I store all the pages with files such as
> > "default.inc, 101.inc, 102.inc, etc.
> >
> > As I said, this has been working fine up until now, if I use the url
> > "user/default.php" or just "user/" I get this error:
> >
> >
> > *Warning*: include(content/.inc)
> > [function.include]:
> > failed to open stream: No such file or directory in *
> > /home/a9066165/public_html/user/default.php* on line *89*
> >
> > AND
> >
> > *Warning*: include()
> > [function.include]:
> > Failed opening 'content/.inc' for inclusion
> > (include_path='.:/usr/lib/php:/usr/local/lib/php') in *
> > /home/a9066165/public_html/user/default.php* on line *89*
> >
> > But if I use "user/default.php?page=default" I get the correct content.
> >
> > It's acting as if page is set, but set to NULL, and then trying to find an
> > include at path "content/.inc" what's going on??
> >
>
>


The SEO factor here is only minor. Very little weight is given to the
filename of a page, much more is given to the content and the way it is
marked up.

Thanks,
Ash
http://www.ashleysheridan.co.uk



Re: mysterious include problem

on 08.12.2009 17:32:53 by Jochem Maas

Hi Allen,

gonna be a bit ruthless with you :).

1. you're not filtering your input (you're open to include being hacked)
2. you're not validating or error checking (e.g. does the include file exist??)
3. keeping large numbers of content pages with numerical filenames is a maintenance
nightmare and incidentally not very SEO friendly
4. you're not doing much debugging (I guess) - try using var_dump(), echo, print_r(),
etc all over your code to figure out what it's doing (e.g. var_dump($_GET, $_POST) and
print("HELLO - I THINK \$_GET['page'] is set."))

personally I never rely on relative paths - I always have the app determine a
full path to the application root (either at install/update or at the beginning
of a request)

also I would suggest you use 1 include file for all your scripts (rather than
per dir) ... copy/paste code sucks (read up on the DRY principle).

additionally look into FrontController patterns and the possibility to
stuff all that content into a database which gives all sorts of opportunities
for management/editing.


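<?php
// take the page name from the query string; basename() drops any directory part
$page = isset($_GET['page']) && strlen($_GET['page'])
    ? basename($_GET['page'])
    : null
    ;

// letters and digits only; the D modifier stops $ matching before a trailing newline
if (!$page || !preg_match('#^[a-z0-9]+$#iD', $page))
    $page = 'default';

// absolute path, so the include does not depend on the working directory
$file = dirname(__FILE__) . '/content/' . $page . '.inc';

if (!file_exists($file) || !is_readable($file)) {
    error_log('Hack attempt? page = '.$page.', file = '.$file);
    header('Status: 404');
    exit;
}

// echo header
include $file;
// echo header

?>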

maybe I've bombarded you with unfamiliar concepts, functions and/or syntax.
if so please take time to look it all up ... and then come back with questions :)

have fun.

Allen McCabe wrote:
> I have been using includes for my content for a while now with no problems.
> Suddenly it has stopped working, and it may or may not be from some changes
> I made in my code structure.
>
> I use default.php for most or all of my pages within a given directory,
> changing the content via page numbers in the query string.
>
>
> So on default.php, I have the following code:
>
>
> <?php
> if(isset($_GET['page']))
> {
> $thispage = $_GET['page'];
> $content = 'content/'.$_GET['page'].'.inc';
> }
> else
> {
> $thispage = "default";
> $content = 'content/default.inc';
> }
> ?>
> , ,
>
> etc.
>
>
>
> I have a content subdirectory where I store all the pages with files such as
> "default.inc, 101.inc, 102.inc, etc.
>
> As I said, this has been working fine up until now, if I use the url
> "user/default.php" or just "user/" I get this error:
>
>
> *Warning*: include(content/.inc)
> [function.include]:
> failed to open stream: No such file or directory in *
> /home/a9066165/public_html/user/default.php* on line *89*
>
> AND
>
> *Warning*: include()
> [function.include]:
> Failed opening 'content/.inc' for inclusion
> (include_path='.:/usr/lib/php:/usr/local/lib/php') in *
> /home/a9066165/public_html/user/default.php* on line *89*
>
> But if I use "user/default.php?page=default" I get the correct content.
>
> It's acting as if page is set, but set to NULL, and then trying to find an
> include at path "content/.inc" what's going on??
>



Re: mysterious include problem

on 10.12.2009 19:59:36 by Jochem Maas

Ashley Sheridan wrote:
> On Tue, 2009-12-08 at 17:32 +0100, Jochem Maas wrote:
>
>> Hi Allen,
>>
>> gonna be a bit ruthless with you :).
>>
>> 1. you're not filtering your input (you're open to include being hacked)
>> 2. you're not validating or error checking (e.g. does the include file exist??)
>> 3. keeping large numbers of content pages with numerical filenames is a maintenance
>> nightmare and incidentally not very SEO friendly
>> 4. you're not doing much debugging (I guess) - try using var_dump(), echo, print_r(),
>> etc all over your code to figure out what it's doing (e.g. var_dump($_GET, $_POST) and
>> print("HELLO - I THINK \$_GET['page'] is set."))
>>
>> personally I never rely on relative paths - I always have the app determine a
>> full path to the application root (either at install/update or at the beginning
>> of a request)
>>
>> also I would suggest you use 1 include file for all your scripts (rather than
>> per dir) ... copy/paste code sucks (read up on the DRY principle).
>>
>> additionally look into FrontController patterns and the possibility to
>> stuff all that content into a database which gives all sorts of opportunities
>> for management/editing.
>>
>> <?php
>> $page = isset($_GET['page']) && strlen($_GET['page'])
>> ? basename($_GET['page'])
>> : null
>> ;
>>
>> if (!$page || !preg_match('#^[a-z0-9]+$#i', $page))
>> $page = 'default';
>>
>> $file = dirname(__FILE__) . '/content/' . $page . '.inc';
>>
>> if (!file_exists($file) || !is_readable($file)) {
>> error_log('Hack attempt? page = '.$page.', file = '.$file);
>> header('Status: 404');
>> exit;
>> }
>>
>> // echo header
>> include $file;
>> // echo header
>>
>> ?>
>>
>> maybe I've bombarded you with unfamiliar concepts, functions and/or syntax.
>> if so please take time to look it all up ... and then come back with questions :)
>>
>> have fun.
>>
>> Allen McCabe wrote:
>>> I have been using includes for my content for a while now with no problems.
>>> Suddenly it has stopped working, and it may or may not be from some changes
>>> I made in my code structure.
>>>
>>> I use default.php for most or all of my pages within a given directory,
>>> changing the content via page numbers in the query string.
>>>
>>>
>>> So on default.php, I have the following code:
>>>
>>>
>>> <?php
>>> if(isset($_GET['page']))
>>> {
>>> $thispage = $_GET['page'];
>>> $content = 'content/'.$_GET['page'].'.inc';
>>> }
>>> else
>>> {
>>> $thispage = "default";
>>> $content = 'content/default.inc';
>>> }
>>> ?>
>>> , ,
>>>
>>> etc.
>>>
>>>
>>>
>>> I have a content subdirectory where I store all the pages with files such as
>>> "default.inc, 101.inc, 102.inc, etc.
>>>
>>> As I said, this has been working fine up until now, if I use the url
>>> "user/default.php" or just "user/" I get this error:
>>>
>>>
>>> *Warning*: include(content/.inc)
>>> [function.include]:
>>> failed to open stream: No such file or directory in *
>>> /home/a9066165/public_html/user/default.php* on line *89*
>>>
>>> AND
>>>
>>> *Warning*: include()
>>> [function.include]:
>>> Failed opening 'content/.inc' for inclusion
>>> (include_path='.:/usr/lib/php:/usr/local/lib/php') in *
>>> /home/a9066165/public_html/user/default.php* on line *89*
>>>
>>> But if I use "user/default.php?page=default" I get the correct content.
>>>
>>> It's acting as if page is set, but set to NULL, and then trying to find an
>>> include at path "content/.inc" what's going on??
>>>
>>
>
>
> The SEO factor here is only minor. Very little weight is given to the
> filename of a page, much more is given to the content and the way it is
> marked up.

'friendly' - i.e. human-readable URLs are ++

with regard to SEO, I only know it has impact on real estate sites.

> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>



Re: mysterious include problem

on 10.12.2009 21:12:43 by Kim Emax

LinuxManMikeC wrote on 2009-12-07 22:48:
> Instead of hard coding cases you can validate and constrain the input
> with a regex. Much more flexible when adding content. I would also
> add code to make sure the file exists, otherwise fall through to the
> default.

In huge sites with a lot of include files I agree, in small sites this
solution gives me an overview of the setup.

In this case I have an idea that the RegEx solution could be another
problem for Allen, but it's just an idea :-)

--
Take Care
Kim Emax - master|minds - We think IT for you...
Consulting, programming, design & hosting of websites.
http://www.masterminds.dk - http://www.emax.dk
Buy your wine online at http://www.gmvin.dk
