What if included file is not there?

PHP include question

         

katana_one

3:53 pm on May 29, 2008 (gmt 0)

10+ Year Member



I am coding a php template and in the main body area I am loading the page content via

<?php include "$page"; ?>

But how do I check to see if the variable actually included a valid file name (and if the file name wasn't valid, display a message stating so)?

Right now, it all works except if the requested file ("$page") isn't there - then it just displays the template with no content.

WesleyC

4:24 pm on May 29, 2008 (gmt 0)

10+ Year Member



[php.net...]

That should give you what you need. :)

eelixduppy

4:47 pm on May 29, 2008 (gmt 0)



You must be careful with the approach you are using. Since you are including just a variable $page, that could literally be anything, especially if register globals and allow_url_fopen are on. This is a great vulnerability in your script and can lead to many different things that you don't want.

Since I am paranoid when it comes to security, I don't let the include parameter be variable, so I would do something like the following:


switch ($page) {
    // Only these fixed paths can ever be included; $page just selects one.
    case 'products.html':
        include '/content/products.html';
        $page_title = 'Our Products';
        break;

    case 'contact_us.html':
        include '/content/contact_us.html';
        $page_title = 'Contact Us';
        break;

    // Anything unrecognised falls back to the home page.
    default:
        include '/content/home.html';
        $page_title = 'Home Page';
        break;
}

katana_one

2:41 pm on May 30, 2008 (gmt 0)

10+ Year Member



WesleyC:
Thanks for the link, but I realize now that I wasn't clear in my original request. I need to check if the file actually exists. "file_exists" is actually what I ended up using. But I would not have found it without your link, so thanks again.

eelixduppy:
Not sure I follow your example, since I'm a complete n00b with PHP, but wouldn't this require me to include a case for every page on the site? There are dozens of pages currently and I expect the client to continue to add content, so it doesn't seem practical to me. Regardless, thanks for the response - it gives me something to think about for future reference.

d40sithui

3:05 pm on May 30, 2008 (gmt 0)

10+ Year Member



lol i just realized i've been reading your name wrong. i always go on here and see "eelixPuppy", but it's actually with a "d". eelix i understand you completely. i ALWAYS use static values in include parameters.
katana, yes you'd be better off to hard code every case, especially if you're using includes in them. yes, it's long and boring but in the long run you will save yourself potential trouble. if there are too many to handle, then i suggest a different method.
right now it looks like you're using static html pages and loading them with php - hence your comment with clients continuing to "add content". have you tried storing your pages in the database as raw html? in this way, you can retrieve each page with its own id from the table and display it without using include. furthermore, you will be able to track the page hits.

katana_one

6:31 pm on May 30, 2008 (gmt 0)

10+ Year Member



Thanks for the reply d40sithui.

In a nutshell, the project is already over-budget so the existing methods will have to do for now (which was simply my tweaking of their previously existing method). It's out of my hands.

But I do appreciate the concerns over security issues.
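
An added example, not code from any post in this thread: one way to combine the file_exists check katana_one settled on with the fixed-target approach eelixduppy and d40sithui recommend, without writing a case for every page. The content directory location, the `page` query parameter, the `resolve_page()` helper and the error message are assumptions made for illustration.

```php
<?php
// Added example. CONTENT_DIR, resolve_page() and the "page" parameter are
// hypothetical names, not taken from the original template.
const CONTENT_DIR = __DIR__ . '/content';

/**
 * Map a requested page name to a file inside the content directory.
 * Returns the resolved path, or null if the name is malformed, the file
 * is missing, or the path resolves outside the content directory.
 */
function resolve_page(string $requested, string $contentDir = CONTENT_DIR): ?string
{
    // Accept only a plain file name such as "contact_us.html": no slashes,
    // no "..", no URL schemes, so remote or parent-directory targets never match.
    if (!preg_match('/\A[a-z0-9_-]+\.html\z/i', $requested)) {
        return null;
    }

    $base = realpath($contentDir);
    $path = realpath($contentDir . '/' . $requested); // false when the file is missing

    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // After symlinks are resolved, the file must still sit directly in the
    // content directory.
    if (dirname($path) !== $base) {
        return null;
    }

    return $path;
}

// Read the parameter explicitly instead of relying on register_globals.
$requested = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home.html';
$file = resolve_page($requested);

if ($file === null) {
    http_response_code(404);
    echo '<p>Sorry, that page could not be found.</p>';
} else {
    // If the content files are plain HTML, readfile($file) would output them
    // without executing any PHP they might contain.
    include $file;
}
```

New pages dropped into the content directory are picked up automatically, while any request that does not name an existing `.html` file in that directory gets the not-found message instead of an empty template.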