0

Here is my include file data.php:

<?php
    $name = "Noob";
?>

This file is in my local server as well as my online server.

And here is my code:

<?php
    //include("./data.php");
    //include("http://localhost/webdev/test/php/remote_include/data.php");
    //include("http://example.com/data.php");

    echo "Hello $name.";
?>

Now, in the 3 commented lines, the first line works, and Hello Noob. is printed. But the next 2 lines do not work and Hello . is printed.

Why?

My guess is, when I include using http, the PHP file actually gets run and thus the main script (which calls the include) does not know which variables are set and can only see what PHP prints. Is that correct? If that's the case, say my data.php file (which is in my online server) has top secret database information of my awesome (noob) blog site. So someone cannot just include() my file (using http or any other possible method) and get the database info by echoing the variables?

Sorry if it's too noob of a question and has been asked before.

3
  • It is right there in the docs - "Files are included based on the file path given or, if none is given, the include_path specified. If the file isn't found in the include_path, include will finally check in the calling script's own directory and the current working directory before failing. The include construct will emit a warning if it cannot find a file" Commented Sep 30, 2015 at 17:34
  • @JayBlanchard The file exists, and is included correctly. But the variable $name is not being set in the latter 2 cases. Commented Sep 30, 2015 at 17:39
  • Right, because those paths are not in the include path. Then see @JohnConde's answer below. Commented Sep 30, 2015 at 17:44

2 Answers

2

From the manual:

If "URL include wrappers" are enabled in PHP, you can specify the file to be included using a URL (via HTTP or other supported wrapper - see Supported Protocols and Wrappers for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.

Basically, URL include wrappers (see http://php.net/manual/en/function.include.php) need to be enabled to include files via HTTP. This is usually turned off, especially on shared hosts that don't want to eat the bandwidth this would incur.


4 Comments

  • Where does this need to be turned on? I have this in my php.ini file: allow_url_include = On. Does it also need to be enabled in the online server? How can I check if it is actually disabled in my server so no one can include my data file and echo the variables?
  • Sorry, I still did not get my answer. The files are being included correctly with http. But the variable $name is not being set. Is it because the script is already pre-processed before it is included and so it is impossible to know what variables were set? I mean, in my example, if data.php is on a web server, is it impossible for anyone outside to get the value of the $name variable?
  • Look at your setting for allow_url_fopen. That restricts this feature.
  • It is on in my php.ini file. allow_url_fopen = On and allow_url_include = On

0

Your assumption is correct. Instead, try to work with hashes and predefined passwords (check the hash in data.php).

3 Comments

  • Okay, so, say my data.php file is in my web server. Now no one can know that the value of $name is "Noob" by including the file from another server, right? Are you sure?
  • This is not what I meant and the answer is possibly too long for a comment. I wanted to say, have some password+time=hash from server A and recalculate it on server B (the password is obviously kept secret in the script). This may be one way to prevent simple access to your public url (and thus database content).
  • Thanks, but sorry, I didn't actually ask how to prevent this, but I am trying to find out if it actually works or not the way I showed in the example. Yes, I am trying to secure an include file, but I am trying to figure out if the security can be exploited like this. I have a way to secure it, but I want to know if it is really necessary. If my assumption in the previous comment is correct, then I don't need to secure the data file. Hope it makes sense.
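
The behaviour quoted from the manual in the first answer can be reproduced without a web server. The script below is an added example, not code from the question or the answers: it assumes the PHP CLI with shell_exec() available, and it stands in for the remote server by running a constructed copy of data.php in a separate PHP process; the function names and the temp path are hypothetical.

```php
<?php
// Added example: compares a local include with what an HTTP include receives.
// Assumption: run with the PHP CLI. The "remote server" is simulated by
// executing data.php in a separate PHP process, which is what a web server
// does when the file is requested over HTTP.

$dir  = sys_get_temp_dir() . '/include_demo_' . getmypid();
$file = $dir . '/data.php';
mkdir($dir);
// Constructed sample with the same content as data.php in the question.
file_put_contents($file, "<?php\n    \$name = \"Noob\";\n?>\n");

// 1. Local include: the file's code runs inside the caller's scope.
function local_include(string $file): array {
    include $file;
    return get_defined_vars();   // holds 'file' and the included 'name'
}

// 2. HTTP-style include: the caller only receives the script's output.
function executed_output(string $file): string {
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($file);
    return (string) shell_exec($cmd);   // null (no output) becomes ""
}

$local = local_include($file);
$body  = executed_output($file);

printf("local include : \$name = %s\n", var_export($local['name'] ?? null, true));
printf("executed body : %s (%d bytes)\n", var_export($body, true), strlen($body));

// 3. The two settings mentioned in the comments. They decide whether THIS
//    PHP may include URLs; they do not change what a client that requests
//    data.php from another server receives.
foreach (['allow_url_fopen', 'allow_url_include'] as $key) {
    printf("%-17s = %s\n", $key, var_export(ini_get($key), true));
}

// The variable stays private only while the server executes the file. If
// data.php were ever served as plain text, its source would be readable,
// which is why credential files are usually kept outside the web root.
unlink($file);
rmdir($dir);
```

The ini values printed are those of the PHP that runs the script; the CLI and the web server often load different php.ini files.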
