include/header questions

  • Marcus

    include/header questions

    Hello,

    I am having problems with an include statement. I'm setting a session
    variable flag and then including a file, and in that include file I have
    a check at the top to make sure that the session variable is set,
    otherwise I stop executing and redirect.

    My problem is that this works if I use a relative path to the include
    file, but not if I use the full path. If I use the full path, it does
    not read the session flag as being set, and thus kills the include page.

    So basically...

    // page 1
    $_SESSION['flag'] = "true";
    include("../folder2/page2.php"); // this works
    include("http://localhost/folder2/page2.php"); // this does not work

    // page 2
    if(isset($_SESSION['flag']) && $_SESSION['flag'] == "true")
    {
    // relative include gets you here
    }
    else
    {
    // absolute include gets you here
    }

    allow_url_fopen is ON in php.ini, if that makes any difference; it's the
    only thing I could find that seemed like it might affect this.

    Also, I read in the manual for header() that:

    HTTP/1.1 requires an absolute URI as argument to Location: including the
    scheme, hostname and absolute path, but some clients accept relative URIs.

    a) All of my header calls involve relative paths and they work, but
    should I change them to absolute? Does using relative pose a security risk?

    b) Does this also apply to include? Does using relative paths with
    include pose a security risk? (I never use variables in include or header
    statements; even when using relative paths I specify which file to
    include/redirect to...)

    Thanks a bunch in advance.

    Marcus
  • Malcolm Dew-Jones

    #2
    Re: include/header questions

    Marcus (JumpMan222@aol.com) wrote:
    : Hello,

    : I am having problems with an include statement. I'm setting a session
    : variable flag and then including a file, and in that include file I have
    : a check at the top to make sure that the session variable is set,
    : otherwise I stop executing and redirect.

    : My problem is that this works if I use a relative path to the include
    : file, but not if I use the full path. If I use the full path, it does
    : not read the session flag as being set, and thus kills the include page.

    : So basically...

    : // page 1
    : $_SESSION['flag'] = "true";
    : include("../folder2/page2.php"); // this works
    : include("http://localhost/folder2/page2.php"); // this does not work

    Your "relative" path is reading the contents of a file directly from the
    local file system, whereas your "full path" is asking a web server to
    (probably) run a script and send you the results. (Well, it is possible
    the web server will send the contents, but since you are accessing your
    own files from your own script directory, I doubt that. Instead the
    server will try to run the script and return the result, and it is the
    result that you are then including into your main script.)

    So the two are really very different things.

    If you wish to find an include file in a fixed location then you could
    simply specify its path as a local file.

    include("/this/is/an/absolute/path/folder2/page2.php");

    To do this you need to find the full path name of your files on the
    server, which is _not_ normally the same as the full path used when you
    access them through the web.

    Or, you could change the file type so that the web server is just sending
    you the contents of the script, which is probably what you really want.
    I don't think the php include command cares about the file name extension,
    as long as the text it receives is valid php then it will use it as php
    code, so just rename the file to anything that will make it get returned
    as text.


    OR, because the server is your own server, it may be possible for the
    "full path" script to run and also access the session variables, but to do so
    it will have to receive the same session identifiers (as headers or in the
    url) that it would receive if a regular browser was accessing it. It will
    then use them to find the session file just like a normal php script
    might. Presumably you could add them as a query string to the URL of the
    include, if there is no other way to control the headers sent with the
    include request. Somehow I doubt you really wish to do this.


    --

    This space not for rent.
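    To make the difference between the two includes concrete, here is an added
    example (my own sketch, not the poster's or Malcolm's code). It assumes the
    same page1/page2 layout and allow_url_fopen setting as in the thread; the
    base URL used in the redirect is a placeholder for a value fixed in config.

```php
<?php
// ---- page1.php (constructed example) ----
session_start();
$_SESSION['flag'] = "true";

// A local include reads page2's SOURCE and runs it inside this request,
// so it shares this request's $_SESSION. __DIR__ makes the path absolute
// on the filesystem, independent of the web-visible URL.
$page2 = realpath(__DIR__ . '/../folder2/page2.php');
if ($page2 === false) {
    http_response_code(500);
    exit('page2.php not found');
}
include $page2;

// include("http://localhost/folder2/page2.php") would instead make a new
// HTTP request from PHP to the web server. That request carries no session
// cookie, so the server runs page2.php in a fresh, empty session, and what
// comes back (and gets included) is page2's OUTPUT for an anonymous visitor,
// not its source. Fetching the URL directly shows exactly what would be
// included (needs allow_url_fopen, which the poster has on):
$remote = file_get_contents('http://localhost/folder2/page2.php');
// $remote holds the redirect response body, never the PHP code of page2.

// ---- folder2/page2.php (constructed example) ----
// Start (or join) the session: page1 has already started it when page2 is
// included locally; a direct request to page2 starts its own.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
if (!isset($_SESSION['flag']) || $_SESSION['flag'] !== "true") {
    // Redirect and STOP. header() does not end the script; without exit the
    // rest of page2 still runs for the unauthorised request.
    $base = 'http://localhost';   // assumed site base URL, fixed in config
    header('Location: ' . $base . '/login.php');
    exit;
}
echo "page2 reached with the flag set\n";
```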


    • Marcus

      #3
      Re: include/header questions

      Malcolm Dew-Jones wrote:
      > Marcus (JumpMan222@aol.com) wrote:
      > : Hello,
      >
      > : I am having problems with an include statement. I'm setting a session
      > : variable flag and then including a file, and in that include file I have
      > : a check at the top to make sure that the session variable is set,
      > : otherwise I stop executing and redirect.
      >
      > : My problem is that this works if I use a relative path to the include
      > : file, but not if I use the full path. If I use the full path, it does
      > : not read the session flag as being set, and thus kills the include page.
      >
      > : So basically...
      >
      > : // page 1
      > : $_SESSION['flag'] = "true";
      > : include("../folder2/page2.php"); // this works
      > : include("http://localhost/folder2/page2.php"); // this does not work
      >
      > Your "relative" path is reading the contents of a file directly from the
      > local file system, whereas your "full path" is asking a web server to
      > (probably) run a script and send you the results. (Well, it is possible
      > the web server will send the contents, but since you are accessing your
      > own files from your own script directory, I doubt that. Instead the
      > server will try to run the script and return the result, and it is the
      > result that you are then including into your main script.)
      >
      > So the two are really very different things.
      >
      > If you wish to find an include file in a fixed location then you could
      > simply specify its path as a local file.
      >
      > include("/this/is/an/absolute/path/folder2/page2.php");
      >
      > To do this you need to find the full path name of your files on the
      > server, which is _not_ normally the same as the full path used when you
      > access them through the web.
      >
      > Or, you could change the file type so that the web server is just sending
      > you the contents of the script, which is probably what you really want.
      > I don't think the php include command cares about the file name extension,
      > as long as the text it receives is valid php then it will use it as php
      > code, so just rename the file to anything that will make it get returned
      > as text.
      >
      >
      > OR, because the server is your own server, it may be possible for the
      > "full path" script to run and also access the session variables, but to do so
      > it will have to receive the same session identifiers (as headers or in the
      > url) that it would receive if a regular browser was accessing it. It will
      > then use them to find the session file just like a normal php script
      > might. Presumably you could add them as a query string to the URL of the
      > include, if there is no other way to control the headers sent with the
      > include request. Somehow I doubt you really wish to do this.
      >
      >
      > --
      >
      > This space not for rent.


      Malcolm,

      Thank you for the reply. Please correct me if I am wrong, but to
      summarize, it is ok (i.e. not a security vulnerability) to use relative
      path names (with respect to the folder the page calling the include
      resides in)? (i.e. the method that I reported working)

      With regard to my second question, does anyone know if not specifying a
      full absolute path in a header location call has any drawbacks?
      Security flaws, weird behavior, etc.

      Thanks again.
