OT. Windows server paths and PHP includes


D

dorayme

For many web sites hosted on Unix servers I use (happily) a
construction like this for includes:

<?php include ($_SERVER['DOCUMENT_ROOT'].'/includes/footer.inc');
?>

But this does not work on Windows servers. Does anyone know a
likely other candidate expression that will tell the server to go
to the level at which I have the site index file and look inside
a folder called 'includes'? No matter where it appears deep
inside the website directories?

It sort of spoils the point to be tailoring each path to where
the html file happens to be with "../"s (which, of course,
"works").

I know, I have wondered about this before and never really got
anywhere. Seem unable to have used any previous remarks to
advantage or have now forgotten them.
 
Ad

Advertisements

A

Adrienne Boswell

Gazing into my crystal ball I observed dorayme
For many web sites hosted on Unix servers I use (happily) a
construction like this for includes:

<?php include ($_SERVER['DOCUMENT_ROOT'].'/includes/footer.inc');
?>

But this does not work on Windows servers. Does anyone know a
likely other candidate expression that will tell the server to go
to the level at which I have the site index file and look inside
a folder called 'includes'? No matter where it appears deep
inside the website directories?

It sort of spoils the point to be tailoring each path to where
the html file happens to be with "../"s (which, of course,
"works").

I know, I have wondered about this before and never really got
anywhere. Seem unable to have used any previous remarks to
advantage or have now forgotten them.

It's a security issue, designed to keep attackers from getting to
sensitive files on the file system. In IIS6, parent paths are disabled by
default. The only way to get past it is to get the server admin to
change it.
 
D

dorayme

Adrienne Boswell said:
Gazing into my crystal ball I observed dorayme
For many web sites hosted on Unix servers I use (happily) a
construction like this for includes:

<?php include ($_SERVER['DOCUMENT_ROOT'].'/includes/footer.inc');
?>

But this does not work on Windows servers. Does anyone know a
likely other candidate expression that will tell the server to go
to the level at which I have the site index file and look inside
a folder called 'includes'? No matter where it appears deep
inside the website directories?

It sort of spoils the point to be tailoring each path to where
the html file happens to be with "../"s (which, of course,
"works").

I know, I have wondered about this before and never really got
anywhere. Seem unable to have used any previous remarks to
advantage or have now forgotten them.

It's a security issue, designed to keep attackers from getting to
sensitive files on the file system. In IIS6, parent paths are disabled by
default. The only way to get past it is to get the server admin to
change it.

In fact, although it is a bit of a bore, I have started putting
in the actual paths to the includes into each file on sites I
have on Windows Servers, it is still worth it. At least then, if
I change the includes file, it all happens.

But I am curious. Is there a worrying security issue with the
"global" method of doing what I do on Unix servers? i.e.:

<?php include ($_SERVER['DOCUMENT_ROOT'].'/includes/footer.inc');
?>

?

The includes folder is just at the level of the main home page
file (index.html ... this is usually the public_html level,
yes?), no higher or more unreachable.

And supposing I did ask the Windows server people to enable me to
globally specify a folder at the public_html level, I am curious:
what expression would I then use to specify the path, the same as
with the Unix server expression above or something rather
different?
 
B

BootNic

dorayme said:
news: (e-mail address removed) [snip]
But this does not work on Windows servers. Does anyone know a
likely other candidate expression that will tell the server to go
to the level at which I have the site index file and look inside
a folder called 'includes'? No matter where it appears deep
inside the website directories?
[snip]
Check and see if you have a include path set.

<?php
echo ini_get('include_path');
/* .;K:\PHP\PEAR-1.5.4\pear;J:\apache\include */
?>

The include path I use is J:\apache\include

I put include files in that folder and then use:
<?php include 'my.file' ?>

No matter where the php files are located it always includes my.file

With a little luck this may work for your Windows server

--
BootNic Sunday, June 17, 2007 9:04 PM

Assert your right to make a few mistakes. If people can't accept your
imperfections, that's their fault.
*Dr. David M. Burns*
 
D

dorayme

news: (e-mail address removed) [snip]
But this does not work on Windows servers. Does anyone know a
likely other candidate expression that will tell the server to go
to the level at which I have the site index file and look inside
a folder called 'includes'? No matter where it appears deep
inside the website directories?
[snip]
Check and see if you have a include path set.

<?php
echo ini_get('include_path');
/* .;K:\PHP\PEAR-1.5.4\pear;J:\apache\include */
?>

The include path I use is J:\apache\include

I put include files in that folder and then use:
<?php include 'my.file' ?>

No matter where the php files are located it always includes my.file

With a little luck this may work for your Windows server[/QUOTE]

On this particular problem it is an external server, owned by a
big popular ISP and is host for a company site. Meaning it is not
under my direct control.

I put a test html page up, with your

<?php
echo ini_get('include_path');
?>

on it and got back:

..;e:\php

This a clue to fashioning a "global" path address? What now?

(I tried various things with this but I feel like a monkey on a
typewriter. I suppose I could ask the ISP administrators what
path would always work? But ever tried communicating with big
ISPs? In a way, it is not the end of the world as I can just
ensure the paths are tailored to where the html files concerned
are. Seems a little inelegant though!)
 
A

Adrienne Boswell

Gazing into my crystal ball I observed dorayme
Adrienne Boswell said:
Gazing into my crystal ball I observed dorayme
For many web sites hosted on Unix servers I use (happily) a
construction like this for includes:

<?php include ($_SERVER['DOCUMENT_ROOT'].'/includes/footer.inc');
?>

But this does not work on Windows servers. Does anyone know a
likely other candidate expression that will tell the server to go
to the level at which I have the site index file and look inside
a folder called 'includes'? No matter where it appears deep
inside the website directories?

It sort of spoils the point to be tailoring each path to where
the html file happens to be with "../"s (which, of course,
"works").

I know, I have wondered about this before and never really got
anywhere. Seem unable to have used any previous remarks to
advantage or have now forgotten them.

It's a security issue, designed to keep attackers from getting to
sensitive files on the file system. In IIS6, parent paths are
disabled by default. The only way to get past it is to get the
server admin to change it.

In fact, although it is a bit of a bore, I have started putting
in the actual paths to the includes into each file on sites I
have on Windows Servers, it is still worth it. At least then, if
I change the includes file, it all happens.

Problem comes in when you have:

httpdocs
httpdocs/somefolder

and you want to go from somefolder to httpdocs. Windows has a fit.
But I am curious. Is there a worrying security issue with the
"global" method of doing what I do on Unix servers? i.e.:

<?php include ($_SERVER['DOCUMENT_ROOT'].'/includes/footer.inc');
?>

?

Probably not, since that global method points to the folder where the site
is configured.
The includes folder is just at the level of the main home page
file (index.html ... this is usually the public_html level,
yes?), no higher or more unreachable.

That's the way it's _supposed_ to work. Probably something like SQL
injection, if you can get the server to send a little information about
itself, you could get to other areas.
And supposing I did ask the Windows server people to enable me to
globally specify a folder at the public_html level, I am curious:
what expression would I then use to specify the path, the same as
with the Unix server expression above or something rather
different?

Parent paths are enabled on a site by site basis. I would image your code
would be exactly the same thing.
 
Ad

Advertisements

B

BootNic

dorayme said:
news: (e-mail address removed)
I put a test html page up, with your [snip]
on it and got back:

.;e:\php

This a clue to fashioning a "global" path address? What now?
Looks like there is no include_path set that would be of any use to you.
[snip]
Try the following and let me know what happens.
<?php
ini_set('display_errors','On');
while(@ chdir ('.') or die ('Failed to open directory.')){
$tem=getcwd();
@ chdir ('..') or die ('Failed to open directory.');
if($tem==getcwd()){
break;
}
echo getcwd().'<br>';
}
?>
 
D

dorayme

news: (e-mail address removed)
I put a test html page up, with your [snip]
on it and got back:

.;e:\php

This a clue to fashioning a "global" path address? What now?
Looks like there is no include_path set that would be of any use to you.
[snip]
Try the following and let me know what happens.
<?php
ini_set('display_errors','On');
while(@ chdir ('.') or die ('Failed to open directory.')){
$tem=getcwd();
@ chdir ('..') or die ('Failed to open directory.');
if($tem==getcwd()){
break;
}
echo getcwd().'<br>';
}
?>[/QUOTE]

I got "Failed to open directory."
 
B

BootNic

dorayme said:
news: (e-mail address removed)
I got "Failed to open directory."

It's the error I wrote, but should have been Failed to change.

Try the following, don't hold out for anything to happen.

<?php
echo getcwd();
?>

If that does work, you may try to put it in your includes folder and get
the path to your folder.

Else you could try this ugly messy, it may be better then changing it
on each and every page.

<?php
$file="myincludes/h.txt";
if(file_exists($file)){
include($file);
}
else {
$j=0;
$dir="../";
$path="";
while(!$path && file_exists($dir) && $j<100){
if(file_exists($file)){$path=$file;}
else{$file=$dir.$file;}
$j++;
}
include($path);
}
?>
 
D

dorayme

"BootNic said:
It's the error I wrote, but should have been Failed to change.

Try the following, don't hold out for anything to happen.

<?php
echo getcwd();
?>

If that does work, you may try to put it in your includes folder and get
the path to your folder.

Else you could try this ugly messy, it may be better then changing it
on each and every page.

<?php
$file="myincludes/h.txt";
if(file_exists($file)){
include($file);
}
else {
$j=0;
$dir="../";
$path="";
while(!$path && file_exists($dir) && $j<100){
if(file_exists($file)){$path=$file;}
else{$file=$dir.$file;}
$j++;
}
include($path);
}
?>

Well, you are starting to knock me over as in 'with a feather'. I
got a result! I got a path from your code that looked (I have *
some content just for here) like this:

e:\****\****\includes

I then stuck it in my php include code strip:

<? include "e:\*****\*****\includes\footer.inc"; ?>

and lo and behold, the footer appeared exactly as with a
"regular" path like <? include "../includes/footer.inc"; ?>

Now, that was trialled from within a test folder called
"includes" on the server. The big test: will it work if I have
this on a file deep in other directories?

Lemme see...

Well... well... it does work! You did it Bootnic. I am very
impressed.

Last time I named a js script after you (remember, about
centering blocks of floating thumbnails?), it sits on a server
showing off my daughters recent wedding. But what can I do here?
Perhaps a comment in the source code to the effect that viewers
are able to see footers, banners, navigation blocks because of
some crafty probing by Bootnic. (Wonder what the company execs
will think of that if they ever come across it? It is a
commercial site <g>)

Seriously, thanks mate.
 
B

BootNic

dorayme said:
news: (e-mail address removed)
Well, you are starting to knock me over as in 'with a feather'. I
got a result! I got a path from your code that looked (I have *
some content just for here) like this:

e:\****\****\includes [snip]
Seriously, thanks mate.

Your welcome.

Now if you have more then one inclued per page this will be worth your
time as well.

<?php
ini_set('include_path',ini_get('include_path').';e:\*****\*****\includes');
?>

<?php include('head.inc'); ?>
<div>...</div>
<?php include('nav.inc'); ?>
<div>...</div>
<?php include('footer.inc'); ?>
<?php include('copy.inc'); ?>
--
BootNic Monday, June 18, 2007 3:48 AM

All men dream, but not equally. Those who dream by night in the dusty
recesses of their minds, wake in the day to find that it was vanity:
but the dreamers of the day are dangerous men, for they may act on
their dreams with open eyes, to make them possible.
*Thomas Edward Lawrence (of Arabia)*
 
Ad

Advertisements

D

dorayme

"BootNic said:
news: (e-mail address removed)
Well, you are starting to knock me over as in 'with a feather'. I
got a result! I got a path from your code that looked (I have *
some content just for here) like this:

e:\****\****\includes [snip]
Seriously, thanks mate.

Your welcome.

Now if you have more then one inclued per page this will be worth your
time as well.

<?php
ini_set('include_path',ini_get('include_path').';e:\*****\*****\includes');
?>

<?php include('head.inc'); ?>
<div>...</div>
<?php include('nav.inc'); ?>
<div>...</div>
<?php include('footer.inc'); ?>
<?php include('copy.inc'); ?>

O... ok...thanks. Yes, I do have more than one per page and am
planning even more. And I see that this will make it simpler and
neater. Even as I deck out my sites with extensive use of S & R
and GREP, this will make it easier. Have not tested what you say
yet, not that I disbelieve it of course. Just getting tired...
 

Top