php include not working

dalisian

I did this: write all the html tags from the beginning of a html page to the first <body>:

<!Doctype...(complete)>
<html>
<head>
<title>my page</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>

<body>

and called the file "header.txt".
With the ending tags of the html page </body> and </html> did the same thing and called the file "footer.txt". So, the page looks like this:

<? include ("header.txt"); ?>
here is all the content, tags, etc.,
<? include ("footer.txt"); ?>

Now comes the problem. When the page is not "reloaded" or "refresh" after 3 minutes the images dissapear, all dissapears, except the text that looks like it has no css. What is wrong? The css is in the same directory the page is, also the images, and also the "header.txt" and "footer.txt". Is it me or the server? Thank you 🙂

thorpe

rename the includes with a php extension.

dalisian

Thanks thorpe! I did it, and now takes more than 20 minutes untill everything dissapear. It's good actually, because if somebody is going to stay in my site longer than that on one page...
Thanks again 🙂

SumitGupta

Hi Thorpe,

One thing What exactly the reason of this. With my knowledge I have seen that it really doesn't matter that what extension we give to include files.
I guess the PHP include (and require) just read the content of the files and put them in your code (something like Copy Paste of file content in place of the include statement).

Can you please explain the reason.

zzz

I agree with SumitGupta, extention of the include should not be a factor here.

toplay

I think thorpe is coming from a security standpoint. It's more secure to use include files that end in .php rather than anything else.

This is a strange problem. Are you using sessions? What do you mean exactly by disappear?

halojoy

toplay wrote:
I think thorpe is coming from a security standpoint. It's more secure to use include files that end in .php rather than anything else.

I did some testing what files one can use safely as includes in php.

.txt or .htm or such common files are not suitable.
Because any browser will read it.
Same goes for a
name.php - but WITHOUT php tags <?php ?> inside

It has to do with what pages is served or allowed to view by visitors to your hhtp server
In my case Apache.

As I do not use and do not allow CGI Scripts to be run, generally, at my server,
I could use
include ( "myincl.cgi" );
if anyone try to access that file, gets only an error message.

I can also safely use
mydata.cgi
for database files, and nobody can open them
only get error -> 'cgi is not supported' or 'no permission to file'

This is a way to go, if YOU have total control over HTTP SERVER settings, httpd.conf

But if not, you better do it some other way.

Another thing:
Say you have valuable data inside your 'config_data_include.php'
with usernames and passwords.

You might think this would never be possible to read directly.

Do this test:
Leave your .php files s they are, but disable php at your server.
Then go and access your secure 'config_data_include.php'

Server would most probably serve it as a plain textfile
for anybody to read, copy or download.

/halojoy

toplay

halojoy, of course I was talking about using PHP tags within a file that ends in ".php" with a server setup to parse ".php" files. I feel most people do not have access to server settings and are using shared hosting. Some web host companies allow overrides using the .htaccess file.

Since this topic switched to security, I have some tips to share. Ideally, you should have all your include files in your root directory or a sub-directory off the root (away from the web public directory). If you can't do that or wish extra protection, then one way to protect your include files from being included from another server/site is to put a little bit of code at the top of every include file to check for this hijacking. You can use $SERVER['SERVER_NAME'] and/or $SERVER['SERVER_ADDR'] to make sure that the include script is only being run from your server.

Another technique, which can be used instead of or with the above technique, is simply to set a variable or constant with a certain value in the main script, and have all the include files look for that before allowing access to the included code. So, each of the include files would have something like this at the top of them:

if ((!defined('SECRET_VAR')) || ('something' != SECRET_VAR))
    exit('Access violation. You are not authorized to run this script.');

In order for someone to use your script remotely, they would have to know the variable you used and value before it could be included/used.

When you have configuration files where you use the parse_ini_file() function, and wish to prevent accidentally trying to include the file instead of reading it, do something like this:

; <?PHP exit('Access violation. Do not try and run this script.'); ?>

; Config settings go here...
output = standard

The semi-colon is used as comments for configuration files, but if the script is executed directly, the exit will be invoked.

hth.

halojoy

say
be some strange human mistake, unintended deleting one line in server config for .php file
or some other reason (can not find php.exe.. maybe) your webspace server stops executing php

Then, does not matter whatever security functions you have in your php pages.
Default server action will be:
serve it as plain text/html

For security, we should NEVER rely upon ONLY 1 method

It is like saying:
I can drive my car, while being drunk, because I have SAFETY Belt.
Or, I can drive without safety my belt, because I am SOBER behind steering wheel.

For reasonable safety we should - be sober AND with safety belt AND not drive too fast.

/halojoy

toplay

halojoy wrote:
say
For security, we should NEVER rely upon ONLY 1 method

I agree that we should try and not rely on one security method. But I'm not going to worry about my web host messing up their configuration because I think it's just such a small probability that would happen. Anyway, even if they do, my PHP code is encoded.

FYI for all - A small list of PHP encoders (prices are in USD):

CodeLock ($55) is one of the better lower priced ones out there. It also does HTML source and can tie a script to only run on a domain (or server IP address) so someone else can't take your code and run it on their server. There used to be a free one called cleverSource but I don't think you can download it anymore because they're selling their site. This used to be the link where to download it from:
http://cleverscripts.com/index.php?a=cleversource

Free but it's a Linux binary:
http://www.microcode.de/index.php3?LANGUAGE=english

POBS is free but so-so (needs effort on your part):
http://pobs.mywalhalla.net/

SOURCECOP 3 ($45):
http://www.sourcecop.com

PHP Processor ($49):
http://www.gridinsoft.com/protect.php

The PHTML Encoder ($119):
http://www.rssoftlab.com/phpenc.php

PHP Encoder ($199):
http://www.ioncube.com/sa_encoder.php

SourceGuardian™ 4.0 for PHP ($250):
http://sourceguardian.com

The Zend Encoder ($960 but cheaper if bundled):
http://www.zend.com/store/products/zend-encoder.php

SumitGupta

Hi,

I have done a few websites and never go in deep about the security of that web page which I include..
as I always use .php extension to them so that no readout can be made.
And Simple of All.. My include files never output anything..no it only contain declaration and nothing else..

And if a hacker is able to read out your .php file than your server is already hacked and he has the access of your server so no matter what you do. your information is already lost..😉

But yes I agree that one should follow the security steps, But again..How many people really come up with the name of your include files... are they ever able to detect the name of your include files?

So going through above step is only required when we need ultra high securtiy and or we have payment gateways in our sites.. but for normal Header and Footer, One really doesn't need to do much of efforts

toplay

SumitGupta, I disagree with about everything you said, and maybe you'll change your mind after you get hacked. I did and now I think security first and throughout the development of a project.

Good luck.

SumitGupta

Hi,

I agree with your thoughts and see most of the good programmer are actually concern with such Security issues. But if we talk about a general site, I don't think they really need that high security. Ofcourse, if a user wish to get it I myself provide that kind of security and Infact i have done that even.

And at that time we need to implement the security in different ways . But some time few programmer just implement same Step in different way and that is why I always say just do it in a manner that no step repeat itself.

And I really love and Would like to suggest to follow security steps in your application but first make things working and do not allow your security code disturb your normal site working.

Hope I am clear in what I want to say. Please forgive me for my English as well.😉

Thanks for reading me.

toplay

SumitGupta wrote:
...But if we talk about a general site, I don't think they really need that high security.

I had a site where there was no money transactions involved and was a "general site" as you say and it still got hacked. Every site needs tight security, unless a person doesn't care about being hacked and their data compromised.

SumitGupta wrote:
And I really love and Would like to suggest to follow security steps in your application but first make things working and do not allow your security code disturb your normal site working.

Well, I disagree about "first make things working". Security should be part of the code from the start and not an after thought. Its sometimes harder to put security measures in after you've written the basics. If you do it right, it should not in anyway interfere with "your normal site [from] working".

yinrunning

Ok, back to the original problem?

Is this actually what's in your page?:

<? include ("header.txt"); ?>
here is all the content, tags, etc.,
<? include ("footer.txt"); ?>

because <? ... ?> doesn't work. <?php ... ?> does. Also, just because it always helps to ask obvious questions, the page that you're putting include(); statements INTO is <something>.php, correct?

halojoy

yinrunning wrote:
<? include ("header.txt"); ?>
here is all the content, tags, etc.,
<? include ("footer.txt"); ?>

because <? ... ?> doesn't work. <?php ... ?> does.

I speak only for my self here.
And yet, I have total control of my Apache Server and my php.ini settings!!!!

When I download a script
I first change every
<?
to be
<?php
At least those I can discover, if looking at downloaded scripts, code

Why?
Because I want my script to work at any server
If I was to move to a hosted webspace,
I do not want to risk having to re-write all those php tags.
Because server does not allow short php tags.

Anybody should ask themselves:
Isn't it worth the 'trouble' to write <?php

Take it as a rule, to write your code to fit worst case scenario.
It might work now, but you may get a lot of troubles, if not useless scripts, in future.

/halojoy - telling people what to do, again :p

<?php

// halojoy code, 2005 sweden 
$mightnot = "might not work";
?>

<?php echo "this will work"; ?>

<!--  These might not  -->
<?=$mightnot ?>
<? echo "probably, but not for sure" ?>

towards the end now
<?php
// php code
?>

SumitGupta

yinrunning wrote:
because <? ... ?> doesn't work. <?php ... ?> does.

Well <? ... ?> does work if <?php ... ?> is working and you are running PHP version 4.0 + (As I never work on version below them I doesn't want to comment on them. but I guess it works on them too)

Yes it will not work if you use this

<?include('blah.php');?>
but it should be
<? include('blah.php');?>
See the extra space in between..