Include with variables - why does this work ?

Re: Include with variables - why does this work ?

TMN wrote:
Hi,

We cannot say what statistics.php will do with the contents in the url
because you didn't show any code from that file.

But what you do here is simply creating an URL.
urlencode takes a string and transforms it to a form that can be passed
through a url, as you did.
Nothing more nothing less.

So what happens is:
1) your variable $file contains 'displayInciden ts.php'
2) you echo:
<a href=statistics .php?fileName=$ file&delete=tru e>Delete Incident</a><br/>

where $file gets replaced by the value in $file, so you get:

<a href=statistics .php?fileName=d isplayIncidents .php&delete=tru e>
Delete Incident</a><br/>

This happens because you put a variablename into "", it gets replaced.
If you use '' this will not happen.

consider the following code:
$myvar = "John";
echo "Hi $myVar";
// will produce: Hi John

Regards,
Erwin Moller

Re: Include with variables - why does this work ?

Thanks - I should have include the statistics code:

$file=$_GET['fileName'];
echo "Requested File is: ".$file;
include($file);

The include works and finds 'displayInciden ts.php' instead of trying
to find 'displayInciden ts.php&delete=t rue' - is this because I used
urlencode ?

thanks
Tim


Erwin Moller wrote:

Re: Include with variables - why does this work ?

TMN wrote:No, in $_GET['fileName'] is only displayIncident s.php at this point. The
ampersand divides the GET variables. So, $_GET['delete'] == 'true' (the
string true) at this point. If you want to have the
'displayInciden ts.php&delete=t rue' in one GET variable fileName, you should
(raw)urlencode all of it, this means including the & and =.
--
Rik Wasmus

Re: Include with variables - why does this work ?

TMN wrote:

answer: Because it destroys the order of the conversation.
question: Why?
anser: Topposting
question: What is the most annoying thing on Usenet?

No, that is simply because your URL contains a few name-value pairs,
seperated by &.
You extract one of them, as you did, via $_GET["somename"].

The URLencoding only make sure that the value you are posting is valid for
passing around via url.
An example:

[BAD]
$url = "test.php";
// now add a few name/value pair without urlencode:
$name1 = "question";
$value1 = "How do I pass strange stuff around? (like this:&%#)";

$name2 = "username";
$value2 = "Jim Johnson";

$url .= "?$name1=$value 1&$name2=$value 2";

This will end up with the following url:
test.php?questi on=How do I pass strange stuff around? (like
this:&%#)&usern ame=Jim Johnson

Which will surely fail.

[GOOD]
$url = "test.php";
// now add a few name/value pair without urlencode:
$name1 = "question";
$value1 = "How do I pass strange stuff around? (like this:&%#)";

$name2 = "username";
$value2 = "Jim Johnson";

$url .= "?$name1=".urle ncode($value1). "&$name2=".urle ndode($value2);

This will end up with an url that replaced all naughty characters with
url-encoded characters tat are OK to use in an url.

Hope that helps.

Regards,
Erwin Moller

Re: Include with variables - why does this work ?


Erwin Moller wrote:
No more top posting for me !!!!!

Thanks for the explanation - in displayIncident s.php I can do this:
$showDelete = $_GET["delete"];
So the php function "include" knows to parse the name-value pairs and
the url ?

thanks
Tim

Re: Include with variables - why does this work ?

TMN wrote:Hear, hear! :-)
The variables are already parsed at the beginning. All variables in the
scope the include is called in (so global scope if called in global, the
scope of a function if called in that) are available to the included
script.

Furthermore, the $_GET ($_POST/$_SERVER/$_SESSION/$_REQUEST/$_ENV) are
'superglobals', which means you can access them directly from any point in
the script(s), they're always in scope.
--
Rik Wasmus

Re: Include with variables - why does this work ?

TMN wrote:
PHP takes a query string, e.g. the part after the question mark in:



and splits it up using ampersands (although it can be configured to
use different characters instead/as well) like this:

a=1
b=2
c=3

and then uses these to populate a global array called $_GET, such that:

$_GET['a'] = 1;
$_GET['b'] = 2;
$_GET['c'] = 3;

This $_GET array can now be accessed by "foo.php" and used as it likes.
(foo.php is also able to access the raw, unprocessed query string, but
this is not usually very useful.)

In your example, statistics.php sees:

$_GET['fileName'] = 'displayInciden ts.php';
$_GET['delete'] = 'true';

so the following code:

$file=$_GET['fileName'];
echo "Requested File is: ".$file;
include($file);

works.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Re: Include with variables - why does this work ?


Toby Inkster wrote:
Thanks again that is a very clear explanation...

Tim
South Africa

Re: Include with variables - why does this work ?

TMN wrote:As no one else has pointed it out (though it should be obvious)...

Doing include($file) without any validation of $file would be a big bad
security hole.

Robin

Re: Include with variables - why does this work ?

Robin wrote:
It never even occured to me to include files I did not write myself :P

Validating a file is very difficult, you'll have to check it by hand.
--
Rik Wasmus

Re: Include with variables - why does this work ?

Rik wrote:
Don't validate the file itself -- validate the filename! For example,
check that the filename doesn't include any slashes, backslashes or colons
and you should be sorted.

$file=$_GET['fileName'];
if (preg_match('/[\/\\\:]/', $file))
die("Dirty, rotten scoundrel!");
echo "Requested File is: ".$file;
include($file);

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Re: Include with variables - why does this work ?

Toby Inkster wrote:DOH! Offcourse that was what was meant... Haven't used constructions like
this in a while.

I'd whitelist the filename, but this would work also offcourse.
--
Rik Wasmus