PDA

Click to See Complete Forum and Search --> : Problem with file, file_get_contents and include in PHP 5

Debbie-Leigh
January 27th, 2008, 01:54 PM
Hi,

My websites have just been moved to a PHP 5/MySql 5 server, which has caused some of my code to stop working.

With file and file_get_contents, I get a message saying that the file couldn't be found, using this code:

$aRet = file("http://myothersubdomain/path/to/file/file.php")

The file definitely exists and can be called from my browser, but file doesn't seem to be able to find it under php5.

With include, I have a file that I include into a script and the file also has an include within it. The file itself is included, but the include within the file is not. It seems to be executed, but nothing replaces it.

The first file is:

<html>
<head>
<title>Download Login</title>
<meta name="Keywords" content="download,login" />
<meta name="Description" content="Download Login" />
<meta http-equiv="robots" content="noindex, nofollow" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="Content-Language" content="en-us" />
<link href="http://myothersubdomain/path/to/file/css.php" rel="stylesheet" type="text/css" />
<script language="JavaScript1.2" type="text/javascript" src="js/constants.js.php"></script>
</head>
<body background="http://myothersubdomain/images/bg.jpg">
<table width="750" align="center" valign="top" cellpadding="0" cellspacing="0" class="page-border">
<tr><td align="center">
<img name="imghdr" src="http://myothersubdomain/images/hdr.gif" width="750" height="100" border="0" />

<table width="100%" align="center" valign="top" border="0" cellpadding="10" cellspacing="0" class="bg-page">
<tr><td valign=top>
<h1>Download Login</h1>
<?php $booShowFieldset = TRUE; ?><?php include("http://myotherdomain/path/to/file/myfile.htm"); ?>
</td></tr></table>
<?php include("http://myothersubdomain/path/to/file/myfile2.htm"); ?>
</td></tr></table>
</body>
</html>

The code that executes it is:

$strEvalFilename = "/home/path/to/file/myincludefile.php";
ob_start();
include($strEvalFilename);
$strEvalText = ob_get_clean();
The result is:

<html>
<head>
<title>Download Login</title>
<meta name="Keywords" content="download,login" />
<meta name="Description" content="Download Login" />
<meta http-equiv="robots" content="noindex, nofollow" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="Content-Language" content="en-us" />
<link href="http://myothersubdomain/path/to/file/css.php" rel="stylesheet" type="text/css" />
<script language="JavaScript1.2" type="text/javascript" src="js/constants.js.php"></script>
</head>
<body background="http://myothersubdomain/images/dpp-bg.jpg">
<table width="750" align="center" valign="top" cellpadding="0" cellspacing="0" class="page-border">
<tr><td align="center">
<img name="imghdr" src="http://myothersubdomain/images/hdr.gif" width="750" height="100" border="0" />

<table width="100%" align="center" valign="top" border="0" cellpadding="10" cellspacing="0" class="bg-page">
<tr><td valign=top>
<h1>Download Login</h1>
</td></tr></table>
</td></tr></table>
</body>
</html>

Could anyone tell me whether these statements have changed in the way they operate in php5 that would cause this behaviour and what I can do to fix it? All 3 statements have worked fine in php4 and nothing changed code-wise before or after the migration to php5.

Debbie
PeejAvery
January 28th, 2008, 07:45 AM
There should be no different between PHP4 and PHP5 in these calls. In fact, I use them every day in both. Are there any logs of this in the PHP error log? If so, that would help you to get a better background of the reason for failure.
Debbie-Leigh
January 28th, 2008, 07:17 PM
Hi PeejAvery,

I've spotted that my hoster has allow_url_fopen on and allow_url_include off.

I'm not sure whether this is the culprit, but I've spoken to them about it and they say that they would rather keep it off for security reasons. Their explanation was:

Is it absolutely necessary to allow a url open?

1) if the server that it is trying to download from is down, and there are hits coming to the site that includes the file, the apache server that runs the script will crash.

2) it allows hackers to use poorly written scripts to include their own urls which allows them to execute arbitrary code.


The first reason may not be a problem, as both sub-domains would always be running on the same server, so if one is down, both will be.

In your experience, how true would the second reason be and how much of a real threat would this actually be?

If this is a valid enough reason, would you know of another way of including files within other files, when they reside on another sub-domain, that wouldn't violate these security concerns?

Debbie
PeejAvery
January 28th, 2008, 09:34 PM
Those don't directly come into play from what you mentioned in the first post. Those are configurations for include(), include_once(), require(), require_once() and the fopen wrapper functions.
Debbie-Leigh
February 5th, 2008, 07:33 PM
Hi,

FYI, for anyone with a similar problem. I solved this problem by asking my hoster to switch allow_url_include on and everything is working again.

Debbie