

PHP Includes Problem





The-Nisk
I'm quite surprised to be the first person to mention this on the forum (Am I the only one noobish enough to encounter this error on here?) or at least the search function didn't yield any relevant topics. So here it is:

I'm building a site with dynamic content and when I try to include a file which contains a php include() function in itself, it won't work. After some checking I narrowed down the problem: the include() function is being included along with the rest of the file, but it is not recognized as php code, it just appears as php code in the page that isn't being evaluated.

I did some quick research and there seems to be a major problem with multiple include php statements. Another site said it will work fine if you include the proper php tags. I did that of course, and no joy.

Help is appreciated greatly!
sonam
I cannot check at the moment whether what you wrote is right or not, because I am not at home. But if my memory is good, some of my scripts include other parts of PHP code, and in those there is another include statement. Maybe you need to check the path to the file. For example, if you include some file from the root directory in some subdirectory, then the path to the right file can be a bit tricky.

Sonam
rvec
could you show us the code? I am sure includes and php work, so there must be something wrong with your code.

Have you saved the file as a .php file?
Have you used the full php tags (not the short ones) <?php and ?> ?
did the page give back any errors?
The-Nisk
*Edit* I figured it out, with some help from a friend. Basically I had PHP code stored in my database that I wanted to evaluate...which is impossible it seems. Sorry to bother you guys! Thanks tho! =]
Fire Boar
eval is your friend in this case, but it's really a bad idea to store PHP code in the database unless you absolutely have to.
badai
i stored some code in database, but not php. javascript. have php fetch it and echo it so the browser will process it.
The-Nisk
badai wrote:
i stored some code in database, but not php. javascript. have php fetch it and echo it so the browser will process it.


Yeah there's a difference tho, java-script is client-side, so you can store it in a database and it works fine, however PHP is server side and it's why it won't work. In my case I'll have to include .php files that store my modules and not call them from a database like I originally wanted. =/
badai
the reason i stored javascript in database is because i don't know how to include a portion of script inside another script.

anybody knows if it's possible to call external javascript within javascript?
jmraker
To dynamically include a javascript file I think you need to create a new script tag and add it to the document.
like

var s='<script src="' + url + '"></script>';
document.body.innerHTML += s;

which would likely reset/remove javascript handlers from the page if they're dynamically added.

or use DOM functions like document.createElement("SCRIPT"), insertBefore to insert the script in the document.
AftershockVibe
The-Nisk wrote:
badai wrote:
i stored some code in database, but not php. javascript. have php fetch it and echo it so the browser will process it.


Yeah there's a difference tho, java-script is client-side, so you can store it in a database and it works fine, however PHP is server side and it's why it won't work. In my case I'll have to include .php files that store my modules and not call them from a database like I originally wanted. =/



If you can get your PHP into a string (which should be trivial from your database) then you can certainly evaluate it:
http://uk.php.net/manual/en/function.eval.php

However, note that using eval where it's not necessary can be very dangerous. Why not just use files and include? If an external person can somehow write into the parameters of the statement (SQL injection etc.) then they can execute any code they like on the system! Not cool!


badai, this is probably more of what you're looking for:
http://www.webinmind.net/2006/07/19/javascript-includes/

Cool
Agent ME
As said above, you can use eval() to run php commands stored in a string, but rarely is this a good idea. I can't imagine any good place to do this besides possibly in some sort of php testing web app that was only allowed to be used by the admin of the webserver (because anyone else could easily run very malicious commands).
The-Nisk
Yeah, I heard about the 'eval' function, but as yous said it's pretty damn dangerous. Wouldn't want to let some script-kiddie have a party cause he 'hacked' my site, now would I? But either way, the 'eval' wouldn't work with my current database set up, I set the permissions for the access to the content database as read-only =]
Fire Boar
The-Nisk wrote:
Yeah, I heard about the 'eval' function, but as yous said it's pretty damn dangerous. Wouldn't want to let some script-kiddie have a party cause he 'hacked' my site, now would I? But either way, the 'eval' wouldn't work with my current database set up, I set the permissions for the access to the content database as read-only =]


That's inconsequential. If you can read the PHP code, you can eval it. If the database is read only, you simply do what you do with a read/write database setup: that is, READ the code from the database into a string, then within PHP eval that string. No write access needed.

But seriously, if you want to convince yourself that eval wouldn't work, go right ahead. The only reason for including PHP code in a database is where you have some kind of content management where the administrator can embed snippets of PHP (Drupal uses this, as an example, but warns the administrator that allowing PHP evaluation can be very dangerous).
coreymanshack
Eval isn't dangerous if you know where your input is coming from... in this case, the database. As long as the rest of your website is secure and no one can inject different code into the row that's being eval'd you're fine.
The-Nisk
Ah I see now what you mean. I'm new to PHP/MySQL (3 days and counting) so like the noob I am I for some reason thought that the eval() function was part of the MySQL and not PHP.....ah stupid, why did I think that!? I even knew MySQL uses the 'exec' command? *facepalm*

Hmm could you explain a bit about the threats the eval() function can create? I'm guessing you mean allowing people run code on the server via injections? But since they won't be able to change my database (read-only permission)...what threats are there? I have some ideas - I mean it's like limiting access to files while allowing people to run code on your computer isn't it? Some examples would be appreciated! =]
Stubru Freak
The-Nisk wrote:
Ah I see now what you mean. I'm new to PHP/MySQL (3 days and counting) so like the noob I am I for some reason thought that the eval() function was part of the MySQL and not PHP.....ah stupid, why did I think that!? I even knew MySQL uses the 'exec' command? *facepalm*

Hmm could you explain a bit about the threats the eval() function can create? I'm guessing you mean allowing people run code on the server via injections? But since they won't be able to change my database (read-only permission)...what threats are there? I have some ideas - I mean it's like limiting access to files while allowing people to run code on your computer isn't it? Some examples would be appreciated! =]


It's not dangerous if you're absolutely sure your database won't contain unsafe code. But if someone could inject code into the database you're in big trouble.
But why not just include the files, and store the file names in your database?
coreymanshack
Stubru Freak wrote:
The-Nisk wrote:
Ah I see now what you mean. I'm new to PHP/MySQL (3 days and counting) so like the noob I am I for some reason thought that the eval() function was part of the MySQL and not PHP.....ah stupid, why did I think that!? I even knew MySQL uses the 'exec' command? *facepalm*

Hmm could you explain a bit about the threats the eval() function can create? I'm guessing you mean allowing people run code on the server via injections? But since they won't be able to change my database (read-only permission)...what threats are there? I have some ideas - I mean it's like limiting access to files while allowing people to run code on your computer isn't it? Some examples would be appreciated! =]


It's not dangerous if you're absolutely sure your database won't contain unsafe code. But if someone could inject code into the database you're in big trouble.
But why not just include the files, and store the file names in your database?


same concept, if his website has an insecure upload form somewhere, or insecure ftp, or insecure web ftp... they can upload a malicious file, and inject his database and change the filename.
Stubru Freak
coreymanshack wrote:
Stubru Freak wrote:
The-Nisk wrote:
Ah I see now what you mean. I'm new to PHP/MySQL (3 days and counting) so like the noob I am I for some reason thought that the eval() function was part of the MySQL and not PHP.....ah stupid, why did I think that!? I even knew MySQL uses the 'exec' command? *facepalm*

Hmm could you explain a bit about the threats the eval() function can create? I'm guessing you mean allowing people run code on the server via injections? But since they won't be able to change my database (read-only permission)...what threats are there? I have some ideas - I mean it's like limiting access to files while allowing people to run code on your computer isn't it? Some examples would be appreciated! =]


It's not dangerous if you're absolutely sure your database won't contain unsafe code. But if someone could inject code into the database you're in big trouble.
But why not just include the files, and store the file names in your database?


same concept, if his website has an insecure upload form somewhere, or insecure ftp, or insecure web ftp... they can upload a malicious file, and inject his database and change the filename.


Not if he does some basic checks on the file name in the database, e.g. restricting the name to a-z, A-Z and 0-9 before including the file. Of course if the directory containing the includes is writeable, it can still be abused, but in most cases securing a directory is easier than securing a database.
So many databases can be SQL-injected, even those of professional websites by big companies.
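
The approach described in the post above (keep only a file name in the database, check it, then include the file), as an added example that is not code from the thread. `resolveModule` and the temporary modules directory are hypothetical names, and the `realpath` containment check goes one step beyond the character check the post describes.

```php
<?php
// Added example; resolveModule() and the directory layout are hypothetical.

/**
 * Map a module name read from the database to a file inside $baseDir.
 * Returns the real path, or null if the name or resolved path is not acceptable.
 */
function resolveModule(string $name, string $baseDir): ?string
{
    // Allow-list check: letters and digits only, so no "/", "..", "." or NUL.
    // \A and \z anchor the whole string ("$" alone would accept a trailing newline).
    if (preg_match('/\A[A-Za-z0-9]{1,64}\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or module file does not exist
    }
    // Containment check: a symlink inside the directory must not lead outside it.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway modules directory holding one module.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'modules_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'news.php', '<?php return "news module output";');

// Constructed values standing in for names fetched from the content database.
foreach (['news', '../news', 'news.php', "news\n", 'missing'] as $name) {
    $file  = resolveModule($name, $dir);
    $label = json_encode($name);
    if ($file === null) {
        echo "$label rejected\n";
    } else {
        echo "$label -> " . (include $file) . "\n";
    }
}

unlink($dir . DIRECTORY_SEPARATOR . 'news.php');
rmdir($dir);
```

Only `news` is included; the other four names are rejected, either by the character check or because no such file exists in the directory.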
The-Nisk
isn't there a function in php to strip the string of all special characters and limit it to A-z and 0-9 in order to avoid MySQL injection. I remember seeing it a few days back but can't remember it or where I've seen it.

I have created a new user for my content database and stripped all privileges for that user bar the 'read' one, so I use that account to retrieve content, and since it is for a public database, MySQL injections would be useless/worthless right?

Apologies if I ask a stupid question, it's not even a week since I started PHP & MySQL. =]
coreymanshack
The-Nisk wrote:
isn't there a function in php to strip the string of all special characters and limit it to A-z and 0-9 in order to avoid MySQL injection. I remember seeing it a few days back but can't remember it or where I've seen it.

I have created a new user for my content database and stripped all privileges for that user bar the 'read' one, so I use that account to retrieve content, and since it is for a public database, MySQL injections would be useless/worthless right?

Apologies if I ask a stupid question, it's not even a week since I started PHP & MySQL. =]


Code:
mysql_real_escape_string();


it can only be used after you open a mysql connection. good luck!
© 2005-2011 Frihost, forums powered by phpBB.