PHP Tips – Manage correctly file inclusion
In this article we’ll cover a quite simple topic that, if badly managed, can lead to big problems: the inclusion of files.
Based on my experience, I have established three golden rules that should be enough; if you come up with others, I’ll be glad to discuss them.
1. Include once
Unless repeating the inclusion is strictly needed, it’s always better to specify that we want to execute the inclusion only one time, using the statements include_once or require_once.
Let’s do an example to understand why:
The file 1.php contains the definitions of a series of constants.
The files 2.php and 3.php need a few of the constants defined in file 1.php, so we’ll include 1.php in both files.
In the page page.php we need the functions contained in 2.php and 3.php so we will include them.
At this point, if 2.php and 3.php included 1.php with the include statement, page.php will raise a series of notice-level errors, because we are trying to define the constants contained in 1.php twice.
Using include_once we resolve these problems. Therefore we use include and require only when we need to repeat the inclusion.
2. Absolute paths
If we want to include files in a file that in turn will be included, it’s important to do it through absolute paths. Take for example the following structure:
Now the file db_config.php will contain the connection parameters to the database and has to be included in the file db_connect.php that in turn will provide the connection.
However it would be a mistake to include it this way:
The file db_connect.php will in fact be used in index.php, so we should include db_config.php in db_connect.php this way:
But what happens if the file db_connect.php has to be used also by admin.php?
If we want to include files in a file that in turn will be included, we have to do it through absolute paths. Therefore we’ll include db_config.php in db_connect.php in this way:
include_once dirname(__FILE__) . '/db_config.php';
The magic constant __FILE__ returns the absolute path where the file physically resides (unlike $_SERVER['PHP_SELF'], which returns the path of the script being executed). With dirname() we then keep only the directory part of that path.
At this point we only have to append the path of the file we intend to include; in this case it’s in the same folder, so it’s very simple.
This way, wherever we include db_connect.php, the file db_config.php will be included correctly, because it is resolved from its absolute location.
Note: Starting with PHP 5.3, the magic constant __DIR__ was introduced, which is equivalent to:
3. Pay attention to dynamic inclusions
A lot of attention, indeed. This code:
with no adjustments is equivalent, in terms of security, to suicide.
To avoid problems, I refer you to the very complete guide on security written by Cristian, in particular to this article, in the chapter on indirection.
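One way to apply indirection to a dynamic inclusion, shown as an added example that is not code from the original article: the request value is used only as a key into a fixed list, never as part of a path. The page names, the pages/ layout and the resolvePage() helper are assumptions made for illustration, and the code assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical page names and file layout (assumptions for this example).
// The keys are the only values a request may select; the paths are fixed
// by the developer and never built from user input.
const PAGES = [
    'home'    => '/pages/home.php',
    'contact' => '/pages/contact.php',
    'about'   => '/pages/about.php',
];

/**
 * Map an untrusted page name to the file to include (indirection).
 * Anything that is not a known key falls back to the default page.
 */
function resolvePage(mixed $requested, string $default = 'home'): string
{
    // Rejects non-strings (e.g. ?page[]=x arrives as an array) and unknown names.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        $requested = $default;
    }
    // Rule 2: absolute path, anchored to the directory of this file.
    return __DIR__ . PAGES[$requested];
}

// Constructed sample inputs: one valid name, then values outside the list.
$samples = ['contact', '../db_config', ['home'], null];
foreach ($samples as $input) {
    printf(
        "%-18s => %s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        resolvePage($input)
    );
}

// In the front controller (rule 1: include only once):
// require_once resolvePage($_GET['page'] ?? 'home');
```

Only 'contact' resolves to its own file; every other sample resolves to the default page, so the include never receives a path derived from the request.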
As you see, even for a very simple argument like file inclusion, there’s a lot to say.