include(): Why shouldn't I use it?

I am working through an old MySQL PHP book written in 2003. The author uses the include() function to build HTML pages, including header.inc, footer.inc, main.inc, etc. Now I find out that this is not allowed in the ini settings by default (allow_url_include is set to Off), after I got a lot of warnings from the server.

I also noticed that you can use include without parentheses. I tried this and it works, and I do not receive error messages or warnings. Are the two different? That is, is include() different from include?

+5
4 answers

Using include() may result in a Local File Vulnerability (LFI) or Remote File Vulnerability (RFI). You should try to avoid using include; for example, if you include HTML, it is better to write print(file_get_contents($file)) than include($file). However, include()'ing PHP files is needed in most PHP applications to reduce code duplication.

Even when remote file inclusion is disabled, it is still possible to use the system using the Advanced LFI Attack .

If you need to accept user input in include(), then you need to make sure that it is in the white list:

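// Allowlist of page names that may be included
$good_includes = array("contact", "home", "view");
$page = isset($_GET['page']) ? $_GET['page'] : '';
// Strict comparison: only exact string matches from the allowlist pass
if (in_array($page, $good_includes, true)) {
    include("inc/" . $page . ".php");
}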
+4
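The two recommendations in the answer above (an allowlist for user-selected pages, and file_get_contents() rather than include for plain HTML) combined into one loader. This is an added example, not code from the original answer; the function names resolve_page and render_page, the page map and the temporary inc_demo directory are assumptions made for illustration.

```php
<?php
// Added example: allowlist-based page loader. All names and paths here are
// assumptions for illustration (constructed files in a temp directory).

// Map request keys to fixed files; user input never becomes part of a path.
function resolve_page($key, array $pages) {
    // Only exact string keys from the map are accepted.
    if (!is_string($key) || !array_key_exists($key, $pages)) {
        return null;
    }
    return $pages[$key];
}

// Render a page: PHP templates are included, static HTML is only read.
function render_page($key, array $pages) {
    $entry = resolve_page($key, $pages);
    if ($entry === null) {
        return "404 Not Found";
    }
    list($type, $path) = $entry;
    if ($type === 'static') {
        // file_get_contents() returns bytes and never executes them as PHP.
        return file_get_contents($path);
    }
    ob_start();
    include $path;            // fixed path from the map, not from the request
    return ob_get_clean();
}

// Constructed sample files so the script runs offline.
$dir = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/home.php", '<?php echo "home, rendered by PHP"; ?>');
file_put_contents("$dir/footer.inc", '<p>footer <?php echo "not run"; ?></p>');

$pages = array(
    'home'   => array('php',    "$dir/home.php"),
    'footer' => array('static', "$dir/footer.inc"),
);

// Constructed request values: two valid keys and three that must be rejected.
$requests = array('home', 'footer', '../../etc/passwd', 'http://example.com/x', array('home'));
foreach ($requests as $req) {
    echo json_encode($req, JSON_UNESCAPED_SLASHES), ' => ', render_page($req, $pages), "\n";
}

// Clean up the constructed files.
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

The footer entry comes back with its PHP tag as literal text, while every request value that is not a key in the map gets the 404 string without any file being opened.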

. ( URL http://www.example.com/include.php ). .

, include , . die, . : Manual

include() - , . .

+16

include . , . , require. script.

0

include/require_once require.

- , include . PHP , , ( , script ), require, script .

require , , include , , , , , , , , , header.php

, .

If you include files from outside your server, then I would use curl if installed, or file_get_contents().

Hope this helps you.

Just a note on require vs require_once: require_once will add logic to make sure the file is not included more than once, i.e. you do not want to declare a database connection more than once.

-1
