PHP Include Question


Garyn

Hi,

 

I restarted my website and uploaded the files that I used about 4 years ago. Except now I get some error at http://www.boundkingdom.com/index.php when I access the website. I believe it has to do with the <?php include ("$a"); ?> code that I used for the middle section. Has something changed in how I can use that, or is it because I changed hosts? Back on my old site (in 2004-ish), it just allowed me to put, for example, http://www.boundkingdom.com/index.php?a=faq.htm and it would use it with the $a=faq.htm and load it in the middle part. How would I get it so I could load the left bar variables like FAQ, Credits, etc. in the middle again without getting errors?

 

Here is my website without the variable and just straight includes, to give you an idea:

http://www.boundkingdom.com/index2.php

 

 

And here is my old Chrono Trigger index.php to give an example (with most of the unnecessary stuff taken out)

<html><head>
<title>Bound Kingdom : Chrono Trigger</title></head>

<body marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" bgcolor="#BCD2EE" text="#000080" link="#87CEFF" vlink="#87CEFF" alink="#1E90FF">


<table border="0" cellpadding="0" cellspacing="0" width="860">
<tr>
<td width="15" background="delbar2.jpg" height="80" bgcolor="#3399CC"> </td>
<td width="130" background="nav_bar2.jpg" height="80" bgcolor="#006699"> 

</td><td width="515" height="80" bgcolor="#006699" colspan="1"><img src="trialdude7.gif" width="520">
    </td>
    <td width="130" background="nav_bar2.jpg" height="80" bgcolor="#006699"> 

</td>
    
    <td width="15" background="bardel.jpg" height="25" bgcolor="#3399CC"> </td>
    <td width="50" height="80"></td>


  </tr>
  <tr>
<td width="15" background="delbar2.jpg" height="30" bgcolor="#3399CC"> </td>
<td width="130" background="nav_bar2.jpg" height="30" bgcolor="#006699"> 

</td>
    <td width="515" background="menu_bar.jpg" height="25" bgcolor="#006699" colspan="1">
      <p><font face="verdana" size="1"><b>  
      
      
      
<?php include("http://www.boundkingdom.com/top.htm"); ?> 



</font></td>
    <td width="130" background="nav_bar2.jpg" height="30" bgcolor="#006699"> </td>
    
    <td width="15" background="bardel.jpg" height="30" bgcolor="#3399CC"> </td>
    <td width="50" height="30"></td>
  </tr>
  <tr>
<td width="15" background="delbar2.jpg"  bgcolor="#3399CC"> </td>
<td width="130" background="nav_bar2.jpg" bgcolor="#006699" valign="top">
      
      
      

<?php include("http://www.boundkingdom.com/leftbar.htm"); ?> 


</td>
    
    <td width="515" bgcolor="#3399CC" valign="top">
      <div align="center">
        <center>
        <table border="0" cellpadding="0" cellspacing="0" width="515">
          <tr>
            <td height="600" valign="top"><font face="verdana" size="2">



<center>
<?php include ("$a"); ?>






</font>
              <p> </p>
              <p><font face="Arial" size="2" color="#FFFFFF">
		  
		  </font></p>
            </td>
          </tr>
        </table>
        </center>
      </div>
    </td>
    <td width="130" background="nav_bar2.jpg" bgcolor="#006699" valign="top">
      <center>     

<table border="0"><tr><td width="130" bgcolor="#3399CC"><center> <font face="verdana" size="1"><b>Information</td></tr></table>

</font></font>






      
<font face="verdana" size="1"><b><font color="87CEFA"></center>
»<a href="index.php?a=http://www.boundkingdom.com/ind.htm" onMouseOver="self.status='Information : Main'; return true" style="cursor:crosshair" title="Main">Main</a><br>

»<a href="http://www.boundkingdom.com/ct/index.php?a=acc.htm" onMouseOver="self.status='Information : Accessories'; return true" style="cursor:crosshair" title="Accessories">Accessories</a><br>
»<a href="http://www.boundkingdom.com/ct/index.php?a=armor.htm" onMouseOver="self.status='Information : Armor'; return true" style="cursor:crosshair" title="Armor">Armor</a><br>
»<a href="http://www.boundkingdom.com/ct/index.php?a=tips.htm" onMouseOver="self.status='Information : Basic Tips'; return true" style="cursor:crosshair" title="Basic Tips">Basic Tips</a><br>
»<a href="http://www.boundkingdom.com/ct/index.php?a=blackb.htm" onMouseOver="self.status='Information : Black Boxes'; return true" style="cursor:crosshair" title="Black Boxesh">Black Boxes</a><br>
»<a href="http://www.boundkingdom.com/ct/index.php?a=boss.htm" onMouseOver="self.status='Information : Bosses'; return true" style="cursor:crosshair" title="Bosses">Bosses</a><br>




</font></center>  

<font face="verdana" size="1"><b><font color="87CEFA"></center>

<font face="verdana" size="1"><b><font color="87CEFA">
</center>
      <font face="verdana" size="1"><b><font color="87CEFA">


      <p> </p>
      <p> </p>

    </td>
    
    <td width="15" background="bardel.jpg" bgcolor="#3399CC"> </td>
    <td width="50" valign="top"></td>
  </tr>
  <tr>
<td width="15" background="delbar2.jpg" height="80" bgcolor="#3399CC"> </td>
<td width="130" background="nav_bar2.jpg" height="80" bgcolor="#006699"> 

</td>
    
    <td width="500" bgcolor="#3399CC" height="50">
      <p align="center"><font color="#FFFFFF" face="Arial" size="2">
</font></td>
    <td width="130" background="nav_bar2.jpg" bgcolor="#006699" height="50"> </td>
    
    <td width="15" background="bardel.jpg" height="50" bgcolor="#3399CC"> </td>
    <td width="50"></td>
  </tr>


<tr>
<td width="15" background="delbar2.jpg" height="25" bgcolor="#3399CC"> </td>
<td width="130" background="nav_bar2.jpg" height="25" bgcolor="#006699"> 

</td>
    
    <td width="515" background="menu_bar1.jpg" height="25" bgcolor="#006699" colspan="1">
      <p align="center"><font face="verdana" size="1"><b>
<font color="#BFDFFF">
<a href="javascript:history.back(1)" style="cursor:crosshair">Back</a> • <A href="javascript:window.location.reload()" style="cursor:crosshair">Refresh</a> • <a href="javascript:scroll(0,0);" style="cursor:crosshair">Top</a> • <a href="javascript:history.forward(1)" style="cursor:crosshair">Forward</a>


</p>
</font></td>
    <td width="130" background="nav_bar2.jpg" bgcolor="#006699" height="25"> </td>
    
    <td width="15" background="bardel.jpg" height="25" bgcolor="#3399CC"> </td>
    <td width="50"></td>
  </tr>






</table>

</body>

</html>

 

Notice I just had  <?php include ("$a"); ?> and then could add a=whatever and it showed up.  Any way I can still do that?

 

 

Thanks in advance!

 

https://forums.phpfreaks.com/topic/136547-php-include-question/

Wow, that is dangerous stuff: you are not verifying a, and you were using register_globals on (which is why it is not working now, because they are off like they should be).

 

I would verify the input first and make sure that file exists.  To access $a now it will be $_GET['a'];   

https://forums.phpfreaks.com/topic/136547-php-include-question/#findComment-712740

So, since the register_globals are off I can't do that anymore?

 

With $_GET['a'];  , would that replace include and with that would I have to add each individual .htm that I wanted to link to into a system before I could access them?

https://forums.phpfreaks.com/topic/136547-php-include-question/#findComment-712747

Coding with register globals is bad practice and a security risk unless you are doing filtering for specific variables. Like premiso stated you can access $a now with $_GET['a'] as long as you are passing A via an HTTP Header with GET. If you are passing it via POST then it would be $_POST['a'].

 

Your include statements would stay the same and would not be affected. If you reference variables being passed in by forms with POST or via URL using GET in other files then you will also need to reference them in the fashion of $_POST['var'] and $_GET['var'] respectively.

https://forums.phpfreaks.com/topic/136547-php-include-question/#findComment-712775

But I don't think I had a variable $a, anywhere, that had a list of anything to be got/accessed by the GET function.  Isn't that required for the $_GET['a'] thing to happen?  I don't even know what the a variable was, but I believe it was just used a as to be say that if you put anything in after a in http://www.boundkingdom.com/index.php?a=ind.htm, it would work.

 

I mean I am really bad at understanding this stuff now, but I am really trying. . . my brain though is literally trying to implode from trying to learn it right now.

https://forums.phpfreaks.com/topic/136547-php-include-question/#findComment-712813

Passing a through the url sends it as a GET variable.

 

The real danger with your code is that if someone does a ../../ etc. they can potentially include any file, or even view files (.htpasswd) they are not supposed to.

 

My suggestion would be to replace the $a line with this:

<?php 
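// Keep only the file-name part of ?a=..., so directory components such as ../ are dropped;
// fall back to index.htm when no page was requested.
$a = isset($_GET['a']) ? basename($_GET['a']) : 'index.htm';
// Include the page only if that file exists in the current directory.
if (file_exists($a)) {
    include($a);
}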
?>

 

basename will filter out them trying to do a ../ etc and just get the filename to include.

 

I would highly suggest you read up on $_GET variables if that confuses you.

https://forums.phpfreaks.com/topic/136547-php-include-question/#findComment-712870
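
An added example, not part of the original thread or any poster's code: the same check tightened into a fixed content directory with a strict name pattern, because basename() removes directory parts but still accepts any file name that exists next to the script. The `pages` directory, the `.htm`-only rule and the `resolve_page()` helper name are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumptions: the includable pages live in
// a "pages" subdirectory next to this script and all end in .htm.

/**
 * Map the untrusted ?a= value to a file inside $pagesDir, or return null.
 * resolve_page() is a hypothetical helper name.
 */
function resolve_page($requested, string $pagesDir, string $default = 'index.htm'): ?string
{
    // Arrays (?a[]=x) and missing or empty values fall back to the default page.
    $name = is_string($requested) && $requested !== '' ? $requested : $default;

    // Strict shape check: one path segment, safe characters, .htm only.
    // Rejects "../", absolute paths, "http://..." URLs, NUL bytes and dotfiles.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.htm\z/', $name)) {
        return null;
    }

    // Resolve symlinks and confirm the result is still inside the pages directory.
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['a'] ?? null, __DIR__ . '/pages');
if ($page === null) {
    echo 'Page not found.';
} else {
    // Swapped-in technique: the pages are static .htm, so readfile() sends them
    // as data instead of running them through include as the thread's code does.
    readfile($page);
}
```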


That did the trick.  Thank you so much!

https://forums.phpfreaks.com/topic/136547-php-include-question/#findComment-713659

Archived

This topic is now archived and is closed to further replies.
