Using includes securely

chrisguk

Hi guys,

Im a real newbie to PHP and this will probably seem like a newbie question.

I have a file called store.php which is contained within /cart/d/store.php

inside the file at the top is has the following:

<?php include("conf.php"); ?>
<?php include("../../include/header.php");

The problem im having is when I pass this lot through https://www.mysite.com it states that I have unsecure content. Is there a way (simple) to include things into a file that are interpreted securely.

Hope this makes sense🙂:queasy:

laserlight

The PHP includes would not be the problem: by the time the content is served to the client, it would be done securely. The warning message is more likely due to images that are referenced by their absolute URL, with http instead of https.

chrisguk

laserlight;10938052 wrote:
The PHP includes would not be the problem: by the time the content is served to the client, it would be done securely. The warning message is more likely due to images that are referenced by their absolute URL, with http instead of https.

Would that also mean the include("header.php") and include("footer.php") they are both referenced in my file filename.php which has image links. So for the files within the main body I used <?php echo $ssl; ?> within the containers. Do I need to do the same with the images contained within the header and footer files?

laserlight

Why not try referencing the images by relative URLs instead?

chrisguk

laserlight;10938075 wrote:
Why not try referencing the images by relative URLs instead?

That would pose a problem for me. I have files at different levels for example index.php is in the root and all other files are in directories a level higher.

laserlight

chrisguk wrote:
That would pose a problem for me. I have files at different levels for example index.php is in the root and all other files are in directories a level higher.

Of course, this poses a problem for everyone 🙂

Yet, this is precisely what you used when you included "../../include/header.php". So, the principle is the same, except that now you are dealing with URLs instead of file paths.

chrisguk

laserlight;10938078 wrote:
Of course, this poses a problem for everyone 🙂

Yet, this is precisely what you used when you included "../../include/header.php". So, the principle is the same, except that now you are dealing with URLs instead of file paths.

Sorry about that I think my newbie way of explaining is coming out here.

The problem is not including the file header and footer or referencing them relatively. I was trying to work out how to reference the stylesheet and js files at different levels too.

so:

public_html/index.php
public_html/include/header.php
public_html/include/footer.php
public_html/cart/s/someotherfile.php

../style/style.css this path would change at different levels i believe.

Can you see what im getting at?

chrisguk

Had a thought would it be better to store the stylesheet in a mysql database. I could try that if I figure out how to do it?

laserlight

chrisguk wrote:
I was trying to work out how to reference the stylesheet and js files at different levels too.

A simple though rather fragile solution is to have a variable that tracks the level of the page, e.g., '../../', and then use that as a path prefix to get to the root and from there consistently refer to the desired files.

bradgrafelman

I'm confused as to what the main issue here is.

To solve the "insecure content" warning, either a) check if the current request was made via HTTPS and, if so, output https:// instead of http:// in your paths, or b) just use absolute paths without including the protocol and domain, e.g. "/path/to/file.txt".

laserlight

bradgrafelman wrote:
b) just use absolute paths without including the protocol and domain, e.g. "/path/to/file.txt".

A URL is not a file path though, so that will not work. However, I recall a trick that might work, and now I wonder why I never used it myself: "//example.com/path/to/file.txt" should work, and this is actually Tim Berners-Lee's idea.

bradgrafelman

laserlight wrote:
A URL is not a file path though

They aren't the same, no, but URLs do behave like file paths - '/path/to/file.txt' works just fine in a link (the '/' translates to the root of the site, of course). It passes W3C validation as well.