Including vars

elfleat

Ok so what am i dong is something like this:

            <?php
            $path == "includes/" . $_POST['in'] . ".php";
            require '$path'; ?>

But:

Warning: require($path) [function.require]: failed to open stream: No such file or directory in C:\Program Files\xampp\htdocs\futval\index.php on line 25

Fatal error: require() [function.require]: Failed opening required '$path' (include_path='.;C:\Program Files\xampp\php\pear\') in C:\Program Files\xampp\htdocs\futval\index.php on line 25

What can i do? :queasy:

elfleat

AND the url should be: file.php?in=home

laserlight

Perhaps you intended to write = instead of ==? Perhaps you should not use variables between single quote delimited strings if you intend them to be used as variables?

Still, beware of such careless use of $_POST... always validate your incoming data.

Piranha

$path == "includes/" . $_POST['in'] . ".php";

This is comparing $path to what is to the right of the == signs and returning true or false. If you mean to set $path to what is to the right use a single =.

elfleat

I've tryed with '=' instead of '==' but gives me the same error :S

i don't know what's wrong :S

laserlight

Try this piece of code:

<?php
$path = "/path/to/nowhere";
echo '$path';
?>

If you see "/path/to/nowhere" printed, there is a bug in your version of PHP.

If all goes well, try this:

<?php
$path = "/path/to/nowhere";
echo $path;
?>

<?php
$path = "/path/to/nowhere";
echo "$path";
?>

elfleat

laserlight wrote:
Try this piece of code:
<?php
$path = "/path/to/nowhere";
echo '$path';
?>
If you see "/path/to/nowhere" printed, there is a bug in your version of PHP.

If all goes well, try this:
<?php
$path = "/path/to/nowhere";
echo $path;
?>
or
<?php
$path = "/path/to/nowhere";
echo "$path";
?>

That works OK, but i think the problem is catching the url var...

laserlight

That works OK, but i think the problem is catching the url var...

What do you mean by "catching the url var"?

bradgrafelman

Your code isn't looking for any variable in the URL/query string - it's looking for data POST'ed by a form (hence the word "POST" in the $_POST variable).

Now, if you were to use [man]$_GET[/man] on the other hand...

You might want to look at a few pages:

The manual definition of what a [man]string[/man] is and why your $path variable wasn't being parsed.
The manual page for [man]variables.predefined[/man] that talks about the different superglobals ($GET, $POST, $_COOKIE, etc.).
You might want to secure your code so that only files you want to be included are allowed. One common way of doing this is to create an array of possible values for the user-supplied variable and use [man]in_array/man to match what they gave you against your array of valid choices; only if you get a match should you include() the file.

The other method of securing your include() calls is to place all of the .php files you want included in a certain folder "includes/" for example, and use [man]basename/man to verify that they didn't give a path outside of that directory (e.g. "../badfile.php").