php Readfile vs. Include

[jerastraub]

Is there any difference in server load between a php include statement verses a php readfile? Also I have another question.
I read recently the following:
[code]"There is a security issue using the "include" command as it will run just as if the browser had allowed it.

It is possible for a malicious web site to cause damage to your computer including deleting everything."
[/code]
Is this True or False?

[corbin]

Includes are parsed server side before the client even sees the page, so I don't know why a client would treat included content different, or for that matter how it would even know content is included.

[PFMaBiSmAd]

The readfile(...) outputs the contents of the file to the browser. If this was HTML/CSS/javascript, it would have meaning. If the file contains PHP, the php code is not parsed and is simply sent to the browser. The browser would attempt to render and display this as if it was HTML. The readfile(...) statement is not the functional equivalent of the php include(...) statement.

The first sentence in your security question is nonsense. A PHP include (and even a SSI include) is executed server side and a browser has no knowledge of or control over it.

For your second security question. A web site by it self, just serving HTML/CSS/javascript cannot harm anything on your computer. The danger comes in if a web site serves a .zip/.exe file with malicious code and you execute it or if it serves a media/document file which contains an exploit for a media player/viewer or application (Word/Excel...).