FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Repetetive code question
Show: Today's Messages :: Unread Messages :: Show Polls :: Message Navigator
| Subscribe to topic | Bookmark topic 
Switch to threaded view of this topic Create a new topic Submit Reply
Repetetive code question [message #179632] Thu, 15 November 2012 07:26 Go to next message
Anonymous
Karma:
Originally posted by: Dynamo

Not sure if this is the right place to ask this question as it is more
an html query than a php one but here goes anyway.

I have a large chunk of html code that is used to build an extensive
drop down menu. The same code is used on all 30 of my web pages. So I
have seperated the code into a txt file called menu.txt and used the
following php code to get the file contents:
[
<?php
$mymenu=file_get_contents('menu.txt');
echo $mymenu;
?>
]
Everthing works fine but is this good practice and is there a better
way.


TIA
Dynamo
Re: Repetetive code question [message #179633 is a reply to message #179632] Thu, 15 November 2012 07:31 Go to previous messageGo to next message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On 15/11/12 12:26, Dynamo wrote:
> Not sure if this is the right place to ask this question as it is more
> an html query than a php one but here goes anyway.
>
> I have a large chunk of html code that is used to build an extensive
> drop down menu. The same code is used on all 30 of my web pages. So I
> have seperated the code into a txt file called menu.txt and used the
> following php code to get the file contents:
> [
> <?php
> $mymenu=file_get_contents('menu.txt');
> echo $mymenu;
> ?>
> ]
> Everthing works fine but is this good practice and is there a better
> way.
>
>
Seems a neat way to sidestep an ugly problem.

I make my menus an included PHP file..but that's because they do a bit
more than just spit out static HTML.

> TIA
> Dynamo
>


--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
Re: Repetetive code question [message #179634 is a reply to message #179632] Thu, 15 November 2012 07:33 Go to previous messageGo to next message
Shake is currently offline  Shake
Messages: 40
Registered: May 2012
Karma: 0
Member
add to buddy list
ignore all messages by this user
El 15/11/2012 13:26, Dynamo escribió:
> following php code to get the file contents:
> [
> <?php
> $mymenu=file_get_contents('menu.txt');
> echo $mymenu;
> ?>
> ]
> Everthing works fine but is this good practice and is there a better
> way.

if the content of 'menu.txt' is HTML... the filename should be 'menu.html'.

What you are doing is an include... you can do this way:

<?
include('menu.txt');
?>

Rgds.
Re: Repetetive code question [message #179637 is a reply to message #179632] Thu, 15 November 2012 07:47 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On 11/15/2012 7:26 AM, Dynamo wrote:
> Not sure if this is the right place to ask this question as it is more
> an html query than a php one but here goes anyway.
>
> I have a large chunk of html code that is used to build an extensive
> drop down menu. The same code is used on all 30 of my web pages. So I
> have seperated the code into a txt file called menu.txt and used the
> following php code to get the file contents:
> [
> <?php
> $mymenu=file_get_contents('menu.txt');
> echo $mymenu;
> ?>
> ]
> Everthing works fine but is this good practice and is there a better
> way.
>
>
> TIA
> Dynamo
>

Just include() the file.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Repetetive code question [message #179639 is a reply to message #179637] Thu, 15 November 2012 08:21 Go to previous messageGo to next message
Anonymous
Karma:
Originally posted by: Dynamo

On Thu, 15 Nov 2012 07:47:46 -0500, Jerry Stuckle
<jstucklex(at)attglobal(dot)net> wrote:


> Just include() the file.

Thanks Jerry. Why didn't I think of that. Doh silly me.
Re: Repetetive code question [message #179643 is a reply to message #179634] Thu, 15 November 2012 10:21 Go to previous messageGo to next message
Thomas 'PointedEars'  is currently offline  Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
Shake wrote:

> El 15/11/2012 13:26, Dynamo escribió:
>> following php code to get the file contents:
>> [
>> <?php
>> $mymenu=file_get_contents('menu.txt');
>> echo $mymenu;
>> ?>
>> ]
>> Everthing works fine but is this good practice and is there a better
>> way.
>
> if the content of 'menu.txt' is HTML... the filename should be
> 'menu.html'.

And the variable is superfluous (except perhaps for debugging):

<?php
echo file_get_contents('menu.txt');
?>

> What you are doing is an include... you can do this way:
>
> <?
> include('menu.txt');
> ?>

That is not equivalent to the above, because with `include' (or
`include_once', `require', or `require_once') the content of menu.txt will
be parsed (searched for <?php … ?> sections which will then be executed).

[I had stumbled over that difference while writing a code compactor for
ECMAScript-based scripts and Cascading Style-Sheets. It turned out that
some of the stylesheets contained `<?' verbatim intentionally (property
values were generated by PHP), and one test ECMAScript-based script
contained it by accident in a regular expression. Because the compactor
(PointedEars' Resource Builder) had to be able to process those resources
even with short_open_tag=1, the regular expression in the ECMAScript-based
script had to be split up. See
< http://PointedEars.de/websvn/filedetails.php?repname=JSX&path=%2Ftrunk% 2Fbuilder.php>
for details.]


PointedEars
--
var bugRiddenCrashPronePieceOfJunk = (
navigator.userAgent.indexOf('MSIE 5') != -1
&& navigator.userAgent.indexOf('Mac') != -1
) // Plone, register_function.js:16
Re: Repetetive code question [message #179644 is a reply to message #179632] Thu, 15 November 2012 10:24 Go to previous messageGo to next message
Goran is currently offline  Goran
Messages: 38
Registered: January 2011
Karma: 0
Member
add to buddy list
ignore all messages by this user
On 15.11.2012 13:26, Dynamo wrote:
> Not sure if this is the right place to ask this question as it is more
> an html query than a php one but here goes anyway.
>
> I have a large chunk of html code that is used to build an extensive
> drop down menu. The same code is used on all 30 of my web pages. So I
> have seperated the code into a txt file called menu.txt and used the
> following php code to get the file contents:
> [
> <?php
> $mymenu=file_get_contents('menu.txt');
> echo $mymenu;
> ?>
> ]
> Everthing works fine but is this good practice and is there a better
> way.


This should be:

<?php readfile('menu.html') ?>
Re: Repetetive code question [message #179645 is a reply to message #179632] Thu, 15 November 2012 10:29 Go to previous messageGo to next message
Christoph Becker is currently offline  Christoph Becker
Messages: 91
Registered: June 2012
Karma: 0
Member
add to buddy list
ignore all messages by this user
<Dynamo> wrote:
> [
> <?php
> $mymenu=file_get_contents('menu.txt');
> echo $mymenu;
> ?>
> ]
> Everthing works fine but is this good practice and is there a better
> way.

The equivalent to echo file_get_contents('filename') is
readfile('filename'). The benefit over file_get_contents() is, that it
doesn't need to load the complete file into memory. The benefit over
include() & al. is, that it's faster, as the file doesn't have to be parsed.

--
Christoph M. Becker
Re: Repetetive code question [message #179646 is a reply to message #179644] Thu, 15 November 2012 10:36 Go to previous messageGo to next message
Thomas 'PointedEars'  is currently offline  Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
Goran wrote:

> On 15.11.2012 13:26, Dynamo wrote:
>> Not sure if this is the right place to ask this question as it is more
>> an html query than a php one but here goes anyway.
>>
>> I have a large chunk of html code that is used to build an extensive
>> drop down menu. The same code is used on all 30 of my web pages. So I
>> have seperated the code into a txt file called menu.txt and used the
>> following php code to get the file contents:
>> [
>> <?php
>> $mymenu=file_get_contents('menu.txt');
>> echo $mymenu;
>> ?>
>> ]
>> Everthing works fine but is this good practice and is there a better
>> way.
>
> This should be:
>
> <?php readfile('menu.html') ?>

How do you know this is not an example and they want to process the file
contents before writing it to the standard output?

And there appear to be issues with readfile(), enabled output buffering and
large files or slow connections. Not so with file_get_contents();

<http://php.net/readfile>
<http://php.net/file_get_contents>


PointedEars
--
Danny Goodman's books are out of date and teach practices that are
positively harmful for cross-browser scripting.
-- Richard Cornford, cljs, <cife6q$253$1$8300dec7(at)news(dot)demon(dot)co(dot)uk> (2004)
Re: Repetetive code question [message #179648 is a reply to message #179643] Thu, 15 November 2012 11:18 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On 11/15/2012 10:21 AM, Thomas 'PointedEars' Lahn wrote:
> Shake wrote:
>
>> El 15/11/2012 13:26, Dynamo escribió:
>>> following php code to get the file contents:
>>> [
>>> <?php
>>> $mymenu=file_get_contents('menu.txt');
>>> echo $mymenu;
>>> ?>
>>> ]
>>> Everthing works fine but is this good practice and is there a better
>>> way.
>>
>> if the content of 'menu.txt' is HTML... the filename should be
>> 'menu.html'.
>
> And the variable is superfluous (except perhaps for debugging):
>
> <?php
> echo file_get_contents('menu.txt');
> ?>
>
>> What you are doing is an include... you can do this way:
>>
>> <?
>> include('menu.txt');
>> ?>
>
> That is not equivalent to the above, because with `include' (or
> `include_once', `require', or `require_once') the content of menu.txt will
> be parsed (searched for <?php … ?> sections which will then be executed).
>

So? Actually, it's an advantage. For instance, he may later want to
add PHP code into the menu. He then would not need to go back and
change all his existing code.

>
>
> PointedEars
>


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Repetetive code question [message #179653 is a reply to message #179648] Thu, 15 November 2012 15:06 Go to previous messageGo to next message
Thomas 'PointedEars'  is currently offline  Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
Jerry Stuckle wrote:

> On 11/15/2012 10:21 AM, Thomas 'PointedEars' Lahn wrote:
>> Shake wrote:
>>> El 15/11/2012 13:26, Dynamo escribió:
>>>> following php code to get the file contents:
>>>> [
>>>> <?php
>>>> $mymenu=file_get_contents('menu.txt');
>>>> echo $mymenu;
>>>> ?>
>>>> ]
>>>> Everthing works fine but is this good practice and is there a better
>>>> way.
>>>
>>> if the content of 'menu.txt' is HTML... the filename should be
>>> 'menu.html'.
>>
>> And the variable is superfluous (except perhaps for debugging):
>>
>> <?php
>> echo file_get_contents('menu.txt');
>> ?>
>>
>>> What you are doing is an include... you can do this way:
>>>
>>> <?
>>> include('menu.txt');
>>> ?>
>>
>> That is not equivalent to the above, because with `include' (or
>> `include_once', `require', or `require_once') the content of menu.txt
>> will be parsed (searched for <?php … ?> sections which will then be
>> executed).
>
> So? Actually, it's an advantage. For instance, he may later want to
> add PHP code into the menu. He then would not need to go back and
> change all his existing code.

As I have explained in the part that you did not quote, it can be an
advantage indeed. But if it really is only supposed to be plain text (or
plain markup), using one of the include statements now can easily be a
disadvantage over get_file_contents() or readfile() if the plain text
happens to contain `<?php' or even `<?'. Because what follows will be
parsed as PHP until `?>' no matter if that was intended.

I strongly suspect this is but an example (it reads like homework). If the
file in question is actually user-specified, using an include statement like
this instead of file_get_contents() or readfile() would allow for code
injection and potentially a cross-site scripting (XSS) attack on this
application or website. If the PHP section feature is to be leveraged
later, the statement can still be modified to use an include statement
later, after it has been ensured that code injection and XSS are not
possible.


PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee
Re: Repetetive code question [message #179654 is a reply to message #179653] Thu, 15 November 2012 16:20 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On 11/15/2012 3:06 PM, Thomas 'PointedEars' Lahn wrote:
> Jerry Stuckle wrote:
>
>> On 11/15/2012 10:21 AM, Thomas 'PointedEars' Lahn wrote:
>>> Shake wrote:
>>>> El 15/11/2012 13:26, Dynamo escribió:
>>>> > following php code to get the file contents:
>>>> > [
>>>> > <?php
>>>> > $mymenu=file_get_contents('menu.txt');
>>>> > echo $mymenu;
>>>> > ?>
>>>> > ]
>>>> > Everthing works fine but is this good practice and is there a better
>>>> > way.
>>>>
>>>> if the content of 'menu.txt' is HTML... the filename should be
>>>> 'menu.html'.
>>>
>>> And the variable is superfluous (except perhaps for debugging):
>>>
>>> <?php
>>> echo file_get_contents('menu.txt');
>>> ?>
>>>
>>>> What you are doing is an include... you can do this way:
>>>>
>>>> <?
>>>> include('menu.txt');
>>>> ?>
>>>
>>> That is not equivalent to the above, because with `include' (or
>>> `include_once', `require', or `require_once') the content of menu.txt
>>> will be parsed (searched for <?php … ?> sections which will then be
>>> executed).
>>
>> So? Actually, it's an advantage. For instance, he may later want to
>> add PHP code into the menu. He then would not need to go back and
>> change all his existing code.
>
> As I have explained in the part that you did not quote, it can be an
> advantage indeed. But if it really is only supposed to be plain text (or
> plain markup), using one of the include statements now can easily be a
> disadvantage over get_file_contents() or readfile() if the plain text
> happens to contain `<?php' or even `<?'. Because what follows will be
> parsed as PHP until `?>' no matter if that was intended.
>
> I strongly suspect this is but an example (it reads like homework). If the
> file in question is actually user-specified, using an include statement like
> this instead of file_get_contents() or readfile() would allow for code
> injection and potentially a cross-site scripting (XSS) attack on this
> application or website. If the PHP section feature is to be leveraged
> later, the statement can still be modified to use an include statement
> later, after it has been ensured that code injection and XSS are not
> possible.
>
>
> PointedEars
>

OK, pray tell - how is a hacker going to initiate a code injection
attack without access to the file system to modify (or replace) the
included file? And if the hacker has access to the file system, what
difference does it make what method the op uses?

And exactly how many files do you think include <?php unless they are
php files? None I've ever seen. They *might* have <?, but that's not a
problem if you disable short_open_tags (as recommended).

As for modifying the statement later - why do you think he wants an
include file? Maybe because this file will be used in many different
pages on his web site - and he'd have to ensure he changes *every one of
them*.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Repetetive code question [message #179655 is a reply to message #179646] Fri, 16 November 2012 03:11 Go to previous messageGo to next message
Goran is currently offline  Goran
Messages: 38
Registered: January 2011
Karma: 0
Member
add to buddy list
ignore all messages by this user
On 15.11.2012 16:36, Thomas 'PointedEars' Lahn wrote:
> Goran wrote:
>
>> On 15.11.2012 13:26, Dynamo wrote:
>>> Not sure if this is the right place to ask this question as it is more
>>> an html query than a php one but here goes anyway.
>>>
>>> I have a large chunk of html code that is used to build an extensive
>>> drop down menu. The same code is used on all 30 of my web pages. So I
>>> have seperated the code into a txt file called menu.txt and used the
>>> following php code to get the file contents:
>>> [
>>> <?php
>>> $mymenu=file_get_contents('menu.txt');
>>> echo $mymenu;
>>> ?>
>>> ]
>>> Everthing works fine but is this good practice and is there a better
>>> way.
>>
>> This should be:
>>
>> <?php readfile('menu.html') ?>
>
> How do you know this is not an example and they want to process the file
> contents before writing it to the standard output?

How do I know? Because he wrote it (implicitly) - he already
successfully use "file_get_contents" (this function does not process
local files) + his menu template is called ".txt".

> And there appear to be issues with readfile(), enabled output buffering and
> large files or slow connections. Not so with file_get_contents();

Somehow I don't think simple menu template will cause memory issues.

Guys, stop reinventing the wheel, readfile() is made for this in the
same way as include() is made for including other php skripts.
Re: Repetetive code question [message #179656 is a reply to message #179655] Fri, 16 November 2012 05:24 Go to previous messageGo to next message
Thomas 'PointedEars'  is currently offline  Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
Goran wrote:

> On 15.11.2012 16:36, Thomas 'PointedEars' Lahn wrote:
>> Goran wrote:
>>> On 15.11.2012 13:26, Dynamo wrote:
>>>> Not sure if this is the right place to ask this question as it is more
>>>> an html query than a php one but here goes anyway.
>>>>
>>>> I have a large chunk of html code that is used to build an extensive
>>>> drop down menu. The same code is used on all 30 of my web pages. So I
>>>> have seperated the code into a txt file called menu.txt and used the
>>>> following php code to get the file contents:
>>>> [
>>>> <?php
>>>> $mymenu=file_get_contents('menu.txt');
>>>> echo $mymenu;
>>>> ?>
>>>> ]
>>>> Everthing works fine but is this good practice and is there a better
>>>> way.
>>>
>>> This should be:
>>>
>>> <?php readfile('menu.html') ?>
>>
>> How do you know this is not an example and they want to process the file
>> contents before writing it to the standard output?
>
> How do I know? Because he wrote it (implicitly) - he already
> successfully use "file_get_contents" (this function does not process
> local files) + his menu template is called ".txt".

You are overlooking the possibility that `echo $mymenu;' is not the next
statement.

>> And there appear to be issues with readfile(), enabled output buffering
>> and large files or slow connections. Not so with file_get_contents();
>
> Somehow I don't think simple menu template will cause memory issues.

You are jumping to conclusions again.

> Guys, stop reinventing the wheel, readfile() is made for this in the
> same way as include() is made for including other php skripts.

readfile() is made for this if, and only if, the file content should be
written verbatim to the standard output and none of the mentioned issues
arise. Your ignoring them does not make the possibilities disappear.


PointedEars
--
Use any version of Microsoft Frontpage to create your site.
(This won't prevent people from viewing your source, but no one
will want to steal it.)
-- from <http://www.vortex-webdesign.com/help/hidesource.htm> (404-comp.)
Re: Repetetive code question [message #179670 is a reply to message #179653] Sat, 17 November 2012 08:54 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On 11/15/2012 3:06 PM, Thomas 'PointedEars' Lahn wrote:
> Jerry Stuckle wrote:
>
>> On 11/15/2012 10:21 AM, Thomas 'PointedEars' Lahn wrote:
>>> Shake wrote:
>>>> El 15/11/2012 13:26, Dynamo escribió:
>>>> > following php code to get the file contents:
>>>> > [
>>>> > <?php
>>>> > $mymenu=file_get_contents('menu.txt');
>>>> > echo $mymenu;
>>>> > ?>
>>>> > ]
>>>> > Everthing works fine but is this good practice and is there a better
>>>> > way.
>>>>
>>>> if the content of 'menu.txt' is HTML... the filename should be
>>>> 'menu.html'.
>>>
>>> And the variable is superfluous (except perhaps for debugging):
>>>
>>> <?php
>>> echo file_get_contents('menu.txt');
>>> ?>
>>>
>>>> What you are doing is an include... you can do this way:
>>>>
>>>> <?
>>>> include('menu.txt');
>>>> ?>
>>>
>>> That is not equivalent to the above, because with `include' (or
>>> `include_once', `require', or `require_once') the content of menu.txt
>>> will be parsed (searched for <?php … ?> sections which will then be
>>> executed).
>>
>> So? Actually, it's an advantage. For instance, he may later want to
>> add PHP code into the menu. He then would not need to go back and
>> change all his existing code.
>
> As I have explained in the part that you did not quote, it can be an
> advantage indeed. But if it really is only supposed to be plain text (or
> plain markup), using one of the include statements now can easily be a
> disadvantage over get_file_contents() or readfile() if the plain text
> happens to contain `<?php' or even `<?'. Because what follows will be
> parsed as PHP until `?>' no matter if that was intended.
>
> I strongly suspect this is but an example (it reads like homework). If the
> file in question is actually user-specified, using an include statement like
> this instead of file_get_contents() or readfile() would allow for code
> injection and potentially a cross-site scripting (XSS) attack on this
> application or website. If the PHP section feature is to be leveraged
> later, the statement can still be modified to use an include statement
> later, after it has been ensured that code injection and XSS are not
> possible.
>
>
> PointedEars
>

I'm still waiting for your explanation as to how an include statement
would allow for code injection. This is a very serious claim - it
leaves millions of web sites around the world open for this type of attack.

Or are you just showing your ignorance again?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Repetetive code question [message #179688 is a reply to message #179654] Sat, 17 November 2012 22:53 Go to previous messageGo to next message
Thomas 'PointedEars'  is currently offline  Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
Jerry Stuckle wrote:

> On 11/15/2012 3:06 PM, Thomas 'PointedEars' Lahn wrote:
>> Jerry Stuckle wrote:
>>> On 11/15/2012 10:21 AM, Thomas 'PointedEars' Lahn wrote:
>>>> Shake wrote:
>>>> > El 15/11/2012 13:26, Dynamo escribió:
>>>> >> following php code to get the file contents:
>>>> >> [
>>>> >> <?php
>>>> >> $mymenu=file_get_contents('menu.txt');
>>>> >> echo $mymenu;
>>>> >> ?>
>>>> >> ]
>>>> >> Everthing works fine but is this good practice and is there a better
>>>> >> way.
>>>> >
>>>> > if the content of 'menu.txt' is HTML... the filename should be
>>>> > 'menu.html'.
>>>>
>>>> And the variable is superfluous (except perhaps for debugging):
>>>>
>>>> <?php
>>>> echo file_get_contents('menu.txt');
>>>> ?>
>>>>
>>>> > What you are doing is an include... you can do this way:
>>>> >
>>>> > <?
>>>> > include('menu.txt');
>>>> > ?>
>>>>
>>>> That is not equivalent to the above, because with `include' (or
>>>> `include_once', `require', or `require_once') the content of menu.txt
>>>> will be parsed (searched for <?php … ?> sections which will then be
>>>> executed).
>>>
>>> So? Actually, it's an advantage. For instance, he may later want to
>>> add PHP code into the menu. He then would not need to go back and
>>> change all his existing code.
>>
>> As I have explained in the part that you did not quote, it can be an
>> advantage indeed. But if it really is only supposed to be plain text (or
>> plain markup), using one of the include statements now can easily be a
>> disadvantage over get_file_contents() or readfile() if the plain text
>> happens to contain `<?php' or even `<?'. Because what follows will be
>> parsed as PHP until `?>' no matter if that was intended.
>>
>> I strongly suspect this is but an example (it reads like homework). If
>> the file in question is actually user-specified, using an include
>> statement like this instead of file_get_contents() or readfile() would
>> allow for code injection and potentially a cross-site scripting (XSS)
>> attack on this
>> application or website. If the PHP section feature is to be leveraged
>> later, the statement can still be modified to use an include statement
>> later, after it has been ensured that code injection and XSS are not
>> possible.
>
> OK, pray tell - how is a hacker going to initiate a code injection
> attack without access to the file system to modify (or replace) the
> included file?

File system access does not need to be direct, and may not even be necessary
if the include's path is based on user input.

> And if the hacker has access to the file system, what
> difference does it make what method the op uses?

They can more easily do more (publicly visible) damage with an include
statement because they do not have to modify the including code. It has
been done before. That is not to say that includes are bad per se, but
then again I have never said that.

> And exactly how many files do you think include <?php unless they are
> php files? None I've ever seen. They *might* have <?, but that's not a
> problem if you disable short_open_tags (as recommended).

I have already mentioned one real case in another posting in this thread,
and even with short_open_tags=0 `<?php … ?>' content will be parsed if in an
include, *no matter what*. You are not paying attention.

> As for modifying the statement later - why do you think he wants an
> include file?

You are imagining things.

> Maybe because this file will be used in many different
> pages on his web site - and he'd have to ensure he changes *every one of
> them*.

Fallacy: Jumping to conclusions.

I think I have fed you enough in this thread.


PointedEars
--
Use any version of Microsoft Frontpage to create your site.
(This won't prevent people from viewing your source, but no one
will want to steal it.)
-- from <http://www.vortex-webdesign.com/help/hidesource.htm> (404-comp.)
Re: Repetetive code question [message #179691 is a reply to message #179688] Sun, 18 November 2012 08:38 Go to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On 11/17/2012 10:53 PM, Thomas 'PointedEars' Lahn wrote:
> Jerry Stuckle wrote:
>
>> On 11/15/2012 3:06 PM, Thomas 'PointedEars' Lahn wrote:
>>> Jerry Stuckle wrote:
>>>> On 11/15/2012 10:21 AM, Thomas 'PointedEars' Lahn wrote:
>>>> > Shake wrote:
>>>> >> El 15/11/2012 13:26, Dynamo escribió:
>>>> >>> following php code to get the file contents:
>>>> >>> [
>>>> >>> <?php
>>>> >>> $mymenu=file_get_contents('menu.txt');
>>>> >>> echo $mymenu;
>>>> >>> ?>
>>>> >>> ]
>>>> >>> Everthing works fine but is this good practice and is there a better
>>>> >>> way.
>>>> >>
>>>> >> if the content of 'menu.txt' is HTML... the filename should be
>>>> >> 'menu.html'.
>>>> >
>>>> > And the variable is superfluous (except perhaps for debugging):
>>>> >
>>>> > <?php
>>>> > echo file_get_contents('menu.txt');
>>>> > ?>
>>>> >
>>>> >> What you are doing is an include... you can do this way:
>>>> >>
>>>> >> <?
>>>> >> include('menu.txt');
>>>> >> ?>
>>>> >
>>>> > That is not equivalent to the above, because with `include' (or
>>>> > `include_once', `require', or `require_once') the content of menu.txt
>>>> > will be parsed (searched for <?php … ?> sections which will then be
>>>> > executed).
>>>>
>>>> So? Actually, it's an advantage. For instance, he may later want to
>>>> add PHP code into the menu. He then would not need to go back and
>>>> change all his existing code.
>>>
>>> As I have explained in the part that you did not quote, it can be an
>>> advantage indeed. But if it really is only supposed to be plain text (or
>>> plain markup), using one of the include statements now can easily be a
>>> disadvantage over get_file_contents() or readfile() if the plain text
>>> happens to contain `<?php' or even `<?'. Because what follows will be
>>> parsed as PHP until `?>' no matter if that was intended.
>>>
>>> I strongly suspect this is but an example (it reads like homework). If
>>> the file in question is actually user-specified, using an include
>>> statement like this instead of file_get_contents() or readfile() would
>>> allow for code injection and potentially a cross-site scripting (XSS)
>>> attack on this
>>> application or website. If the PHP section feature is to be leveraged
>>> later, the statement can still be modified to use an include statement
>>> later, after it has been ensured that code injection and XSS are not
>>> possible.
>>
>> OK, pray tell - how is a hacker going to initiate a code injection
>> attack without access to the file system to modify (or replace) the
>> included file?
>
> File system access does not need to be direct, and may not even be necessary
> if the include's path is based on user input.
>

Who said the include's path is based on user input? The guy wants to
include a fixed menu, for pete's sakes. READ THE QUESTION, STOOPID!

>> And if the hacker has access to the file system, what
>> difference does it make what method the op uses?
>
> They can more easily do more (publicly visible) damage with an include
> statement because they do not have to modify the including code. It has
> been done before. That is not to say that includes are bad per se, but
> then again I have never said that.
>

So what? If the hacker has access to the file system, he can modify
anything. And you did say includes are bad.

>> And exactly how many files do you think include <?php unless they are
>> php files? None I've ever seen. They *might* have <?, but that's not a
>> problem if you disable short_open_tags (as recommended).
>
> I have already mentioned one real case in another posting in this thread,
> and even with short_open_tags=0 `<?php … ?>' content will be parsed if in an
> include, *no matter what*. You are not paying attention.
>

Yup, I read what you said. And you're talking out of your arse, as
usual. Please show me where in any *valid html* you will have "<?php".

>> As for modifying the statement later - why do you think he wants an
>> include file?
>
> You are imagining things.
>

Nope, I am reading his message - unlike you.

>> Maybe because this file will be used in many different
>> pages on his web site - and he'd have to ensure he changes *every one of
>> them*.
>
> Fallacy: Jumping to conclusions.
>
> I think I have fed you enough in this thread.
>
>
> PointedEars
>

Why the hell do you think he wants an include file? From the ops very
first post:

"I have a large chunk of html code that is used to build an extensive
drop down menu. The same code is used on all 30 of my web pages. "

This whole message shows you have either obviously never learned to
read, are speaking with your head up your arse, or both. But then
you're well known for both.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Quick Reply
Formatting Tools:   
  Switch to threaded view of this topic Create a new topic
Previous Topic: Scrape dynamically generated hyperlinks
Next Topic: PHP 5.5 and Windows XP
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Mon Oct 23 07:39:40 EDT 2017

Total time taken to generate the page: 0.01753 seconds