0

I have a main page that does some authentication processing and then when finished redirects using header redirect. All was working well until I recently updated one of the includes to carry a variable. see below.

        <?php
        session_start();
        include "globalvariables.php";
include "../../includes/databaseconnections/$schoolName/database_connection.php";

I was having no problems until I added $schoolName to the string. I needed this for our automated replication system (lets users copy the page and database with a different schoolName for different customers)

Here is the included file. pretty simple.

<?php
$schoolName = "fakeschoolname";
?>

I am not understanding how headers are already being sent, unless $schoolName is actually outputting invisible, non server side data. Does anyone have any suggestions or ideas on how to remedy this? Or is there a better way to dynamically copy and edit pages?

Robert Dickey
  • 816
  • 14
  • 35
  • 1
    You really don't want to do this in the first place. Not unless you *carefully* check the `$schoolName` variable before using it to include a file. Doing it like this makes you vulnerable to something know as *File inclusion attacks*. If the user modifies the variable they can basicly force your server to include files it's not supposed to. Like perhaps php files uploaded to your server somewhere else. – icecub Aug 21 '16 at 00:05
  • Well, what is a better way to allow me to duplicate sites on the fly? should it just be a manual process? – Robert Dickey Aug 21 '16 at 00:06
  • 2
    I was about to edit your question to fix the indentation in the code block, but if that's how it is in your actual code, that could be the problem. Do you actually have spaces before ` – Don't Panic Aug 21 '16 at 00:11
  • It depends on where `$schoolName` comes from. Like is it an internal variable? Or can it be modified by the user? Like does it come from a POST or GET request header or just an internal file? – icecub Aug 21 '16 at 00:11
  • as queried by @Don'tPanic - blankspace before anything counts as html content and will muck up certain php functions – Professor Abronsius Aug 21 '16 at 00:13
  • No blank spaces the indention is accidental. - the include works if I remove the $schoolName with the hardcoded name, AND remove the include globalvariables.php. The variable will be editable by users, but I am just trying to test it hard coded right now. No get or post. the variable is from the included file. – Robert Dickey Aug 21 '16 at 00:29

2 Answers2

1

Check if you have a file named "../../includes/databaseconnections/fakeschoolname/database_connection.php". PHP warnings might be causing the problems if the file doesn't exist

Peter Chaula
  • 3,456
  • 2
  • 28
  • 32
  • I do - The include works on other pages that access the file and do not redirect. It seems to be specifically with the included file, or the fact that there is a variable. I can hard code the variable and remove the included file globalvariables file and it works. – Robert Dickey Aug 21 '16 at 00:03
  • I don't know what system you 're running but you can try ${schoolName} and starting the path with "./" – Peter Chaula Aug 21 '16 at 00:17
0

I figured out the problem, and it nearly drove me insane. The problem was caused by two blank lines AFTER the closing of my PHP tag in the globalVariable.php file.

It should have been as shown in my question, but I noticed in my IDE I had two extra blank spaces AFTER. 

<?php
$schoolName = "fakeschoolname";
?>
BLANKLINE
BLANKLINE

I found another post How to fix "Headers already sent" error in PHP that explained that PHP will only clear out one line of blank space. Because I was including the file, and it had two blank spaces before the header redirect. That is what was causing it to fail.

Community
  • 1
  • 1
Robert Dickey
  • 816
  • 14
  • 35