1

How to print a custom error when trying to include/require a PHP file?

This was my idea:

<?php 

try{
    include "template/".$_GET['view'].".php"; 
}
catch (Exception $e){
    echo 'some error code'; 
};

?>

But I'm still getting the default error if the required file doesn't exist.

enloz
  • 2
    Why not check if file exists first before including. If it doesn't exist, output your custom error. – Blake Apr 21 '12 at 18:58
  • The best solution would be using a language with proper error handling. – ThiefMaster Apr 21 '12 at 18:59
  • 3
    You also need to use some sanity checking on `$_GET['view']`. Otherwise someone can use e.g. `view=../../../../somewhere/evil.file%00` to include another file - possibly one uploaded by the user that contains malicious code. – ThiefMaster Apr 21 '12 at 19:00
  • Where did you get this idea? It's true that one can "assume" that an exception will be thrown when something goes wrong, but nowhere in the documentation for `include` does it say that it actually works like that. – Jon Apr 21 '12 at 19:01

6 Answers

4

Decided the comment was worth changing to answer:

Use file_exists() to see if file exists.

If it does, include, else echo your custom error message.

ThiefMaster
Blake
  • Two words: [race condition](http://stackoverflow.com/questions/34510/what-is-a-race-condition). It's not your fault, but PHP really needs to up its game! – Bailey Parker Apr 21 '12 at 19:14
1

Use file_exists() to check if the file is there before including. That way you can handle the error.

<?php

if(file_exists('asd.php')){
    include "asd.php";
}else{
    echo "Oh no! The file doesn't exist!";
}

?>
Bibhas Debnath
1

The include errors are not going to be caught by your try/catch; however, I believe that errors inside the included script would be caught correctly. A better solution would be to use the file-exists function, see this post for an example: Optional include in PHP

Once you perform your own verification of the existence of the file, you can wrap the executing code in a try/catch to ensure errors in that code are caught.

Community
Shawn Lehner
1

I would not recommend using just file_exists. You don't want your visitor to have access to any file on your file-system, so I would recommend a white-list; if the file-name is in the white-list, only then display / include it.

jeroen
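
An added example (not code from any of the answers on this page): the white-list approach described above, combined with a custom error message when the include fails. The `VIEWS` map, the `render_view()` function and the temporary demo directory are assumptions made for illustration; it needs PHP 7 or later.

```php
<?php
declare(strict_types=1);

// Allow-list: request value => template file name (hypothetical names).
const VIEWS = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

// Returns the rendered template or a custom error; the path is never built from the input.
function render_view(string $templateDir, $requested): string
{
    // Only an exact allow-list key passes: arrays, traversal strings and NUL bytes do not.
    if (!is_string($requested) || !array_key_exists($requested, VIEWS)) {
        return 'Error: unknown view';
    }
    $file = $templateDir . '/' . VIEWS[$requested];

    // include only raises a warning on failure; convert it so that try/catch sees it.
    set_error_handler(static function (int $no, string $msg, string $f, int $line) {
        throw new ErrorException($msg, 0, $no, $f, $line);
    });
    ob_start();
    try {
        include $file;
        return (string) ob_get_contents();
    } catch (Throwable $e) {
        error_log('view failed: ' . $e->getMessage()); // details go to the log, not the page
        return 'Error: view unavailable';
    } finally {
        ob_end_clean();          // partial template output is discarded on failure
        restore_error_handler();
    }
}

// Constructed demo: "home" exists, "about" is allow-listed but missing on disk.
// In a page handler the call would be render_view(__DIR__ . '/template', $_GET['view'] ?? null).
$dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . '/home.php', '<h1>Home template</h1>');
foreach (['home', 'about', "../../../../somewhere/evil.file\0", ['x']] as $view) {
    echo json_encode($view, JSON_UNESCAPED_SLASHES), ' => ', render_view($dir, $view), PHP_EOL;
}
unlink($dir . '/home.php');
rmdir($dir);
```

Because the file name comes from the map and not from the request, the existence check and the include cannot be steered to another path, and a template that disappears between deployment and request still produces the custom message.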
1
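// include evaluates to false on failure and to 1 on success, unless the included
// file returns its own value; this test passes only if the template ends with: return 'OK';
if ((include "template/".$_GET['view'].".php") != 'OK') {
    echo "My custom error message";
}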
KryptoniteDove
0

If you want your own error Message you can do it like this:

<?php
$file = "template/".$_GET['view'].".php";
if ( error_reporting() == 0 ){
    ( @include_once($file) ) OR die("<tt><p><b>ERROR</b> $file file not found!</p>");
}else{
    require_once($file);
}
?>

So if there is no error reporting (as is mostly the case in a production environment) you can print your own error message. If you are in development mode (and error_reporting is on) then you get the PHP error message!

HINT: Never use $_GET input from the user directly for an include - this is a Black XSS Hole :-D

adilbo