  1. #1
    Join Date
    Feb 2003
    Location
    Connecticut
    Posts
    5,460

    Tutorial: PHP Includes

    PHP includes are a great way to make editing sites easier. By creating a template and replacing the content with this PHP script, it will allow the page to get separate content files, with only the content in them. This is helpful as only one file needs to be changed when the template is edited.

    PHP is generally better than SSI (server-side includes) since it allows for much more to happen. The below script has error-checking, default pages, and other features which SSI is not as well suited for.

    The first thing to understand is how we get the content. The three main functions I like to use are include, require, and file_get_contents. There are other ways, but these three are the most common and appropriate for what we are doing.

    include
    The include function is used to take the exact code from a file. The code is parsed (which means any PHP code in the file will be run), and then placed exactly where the include is (in PHP's memory, this will not change your file.)

    require
    The require function is identical to include. The only difference is that it stops the script's execution if the file does not exist.

    file_get_contents
    The file_get_contents function is most similar to an include. This function does not parse the specified file, making it ideal for scripts only including text. It is also much faster than an include.

    For the following examples, I will be using file_get_contents, since it is more efficient than include, and most cases will not involve files using PHP. I would also like to note that the files may be of any type, so you can include a .dat, .php, .txt, or any file wanted.

    Code so far:
    PHP Code:
    <?php
        // Read the file as plain text (any PHP inside it is not executed) and print it.
        echo file_get_contents('file.txt');
    ?>
    Next, we will check if the file being included exists. This eliminates the need to use require, and allows the specification of a default page. The function used is file_exists.

    Code so far:
    PHP Code:
    <?php
        $file = 'file.txt';
        $default = 'default.txt';
        if (file_exists($file))
        {
            // Requested file exists: print it.
            echo file_get_contents($file);
        }
        elseif (file_exists($default))
        {
            // Otherwise fall back to the default page.
            echo file_get_contents($default);
        }
        else
        {
            echo 'Could not find any files!';
        }
    ?>
    With the above code, you will notice two file_exists. These check to make sure both the requested and default file exist, and allow for an error message if neither is found.

    Most instances for using this code will require a file to be included based on a variable. We will assume that variable is stored in $_GET['page']. (The URL would look like: index.php?page=info)

    The problem with the above method is that someone could specify the path to a file containing your passwords, and effectively gain access to your system. To prevent this, I append the file type to the $_GET variable.

    Final Code:
    PHP Code:
    <?php
        $ext = '.txt';
        // The page name is taken from the URL (index.php?page=info) and the extension is appended.
        $file = $_GET['page'].$ext;
        $default = 'default'.$ext;
        if (file_exists($file))
        {
            echo file_get_contents($file);
        }
        elseif (file_exists($default))
        {
            echo file_get_contents($default);
        }
        else
        {
            echo 'Could not find any files!';
        }
    ?>
    Believe it or not, that is all there is to it. This code can safely and efficiently include any file, and allows for a default file if none other is found.

  2. #2
    Very nice and detailed! Will surely help someone out.

  3. #3
    Thanks, just what I needed Dan!

  5. #5
    Join Date
    Nov 2005
    Posts
    282
    It is important to note that it is sometimes better to use include_once() or require_once() instead of include() and require(). Use include_once() on files that will throw an error if executed twice. (For instance files with PHP classes and CONSTANTS)

    Also there is a security hole in the above code. The script there will allow a user to open text files not in the webhosting directory
    for example
    index.php?page=../../../WINDOWS/system32/eula
    on a host using windows
    Code:
    <?php
        $ext = '.txt';
        // Value of $_GET['page'] from the URL above, substituted in.
        $file = '../../../WINDOWS/system32/eula'.$ext;
        $default = 'default'.$ext;
        if (file_exists($file))
        {
            echo file_get_contents($file);
        }
        elseif (file_exists($default))
        {
            echo file_get_contents($default);
        }
        else
        {
            echo 'Could not find any files!';
        }
    ?>
    would give them access to the eula.txt in the windows/system32 assuming that the web host's user has acceptable read permission level (and if the hosting directory is 3 folders from the root otherwise more or less "../" could be added). If you didn't restrict the ext at all they could gain access to a server's configuration files.

  6. #6
    Join Date
    Sep 2004
    Location
    England UK
    Posts
    127
    great work danx and korvan! keep it up!
    Read Tabloids - Warning Experimental.

  7. #7
    Join Date
    Feb 2003
    Location
    Connecticut
    Posts
    5,460
    Thanks for the tip Korvan, so here's a fix:
    Replace:
    PHP Code:
    $file = $_GET['page'].$ext;
    With:
    PHP Code:
    $file = ereg_replace('../','',$_GET['page']).$ext;
    That will strip out all '../' instances.

  8. #8
    If it wasn't copied then it's a nice tutorial. If someone is interested in learning then I know a good place where to start. http://www.w3schools.com/php/default.asp.

  9. #9
    Join Date
    Feb 2003
    Location
    Connecticut
    Posts
    5,460
    I wrote it myself.

    w3schools is okay if you want to dabble in it, but you basically just have to read from a lot of different sources and experiment. php.net's function reference is by far the best resource.

  10. #10
    Join Date
    Nov 2005
    Posts
    282
    Use str_replace when just replacing strings instead of expressions. str_replace is 5x faster than ereg_replace and 12x faster than preg_replace. Not that a few microseconds will matter in most cases. This is only true on small strings, preg_replace becomes faster on much larger strings, but ereg_replace is always slower.

  11. #11
    Join Date
    Aug 2010
    Location
    Somerset, UK
    Posts
    62
    Would also recommend using:
    PHP Code:
    <?php
    include_once("inc/sql.php");
    ?>
    This prevents the same file being included more than once which becomes a simple mistake to make as your scripts grow.

  12. #12
    Quote: Originally posted by Dan L
        Thanks for the tip Korvan, so here's a fix:
        Replace:
        PHP Code:
        $file = $_GET['page'].$ext;
        With:
        PHP Code:
        $file = ereg_replace('../','',$_GET['page']).$ext;
        That will strip out all '../' instances.

    It's considered bad practice to include files based on user input. At least have an array of allowed files before you do the actual include.

  13. #13
    Hi,
    I have never seen such a detailed info on tutorials
    thanks for sharing Nice post keep it up

  14. A better way is to use a switch statement and have all the pages in there:
    PHP Code:
    switch($_GET['page'])
    {
       case 'about':
           include("about.php");
           break;
       case 'contact':
           include("contact.php");
           break;
       case 'home':
       default:
           // Unknown or missing page names fall through to the home page.
           include("home.php");
           break;
    }

    This way it's not possible to include other files.
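
The allowlist idea from posts #12 and #14 (an array of allowed files, or a switch), combined with a resolved-path containment check for the traversal described in post #5. This is an added example, not code from any poster in the thread; the `pages/` directory, the page names and the `resolve_page()` helper are assumptions made for illustration.

```php
<?php
// Added example: allowlist lookup plus a resolved-path containment check.
// CONTENT_DIR, PAGES and resolve_page() are hypothetical names.

const CONTENT_DIR = __DIR__ . '/pages';

// Public page names mapped to files. User input is only ever used as a key
// into this map and never becomes part of a filesystem path.
const PAGES = [
    'home'    => 'home.txt',
    'about'   => 'about.txt',
    'contact' => 'contact.txt',
];

/**
 * Return the absolute path for a requested page, or null if it is not allowed.
 */
function resolve_page($requested): ?string
{
    // $_GET values can be arrays (?page[]=x), so accept known string keys only.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }

    // Defence in depth: canonicalise both paths and confirm the file really
    // lives inside CONTENT_DIR (catches symlinks and mistakes in the map).
    $base = realpath(CONTENT_DIR);
    $path = realpath(CONTENT_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the content directory
    }
    return $path;
}

// Unknown names fall back to the home page, like the default case in a switch.
$path = resolve_page($_GET['page'] ?? 'home') ?? resolve_page('home');

if ($path === null) {
    http_response_code(404);
    echo 'Could not find any files!';
} else {
    echo file_get_contents($path);
}
```

With this in place, the `index.php?page=../../../WINDOWS/system32/eula` request from post #5 is not a key in the map, so the home page is served and the supplied string never reaches `file_exists()` or `file_get_contents()`.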

  15. #15
    Join Date
    Jul 2012
    Posts
    30
    Only w3schools contains a very good tutorial for the beginner but to expertise, one should try and experience various tutorials and problems which every site has their uniqueness.

  16. #16
    nice tuto & recommended to use the $_GET['page'] for security reason
    a simple include can be dangerous

  17. #17
    very simple and yet useful information, thanks

  18. #18
    Join Date
    Oct 2012
    Posts
    42
    Ahhh Thanks so much for this thread! Me and my partner have been learning HTML/HTML5/CSS etc... since I can remember now. I have been trying to convert all of our mini projects over to custom PHP templates using PHP includes and some of this information really helped out!
    SiteGone Web Hosting
    Affordable Hosting Solutions

  19. #19
    Thank you for the tutorial Dan. Not to diminish the value of the above, but just a friendly reminder that a lot has changed in the PHP world since 2005. Make sure you consult the latest sources (including php.net) to ensure you are following current best practices to keep your PHP-based websites secure.


    Alex