Re: Repetitive code question [message #179653 is a reply to message #179648]
Thu, 15 November 2012 20:06
Thomas 'PointedEars'
Messages: 701 Registered: October 2010
Jerry Stuckle wrote:
> On 11/15/2012 10:21 AM, Thomas 'PointedEars' Lahn wrote:
>> Shake wrote:
>>> On 15/11/2012 13:26, Dynamo wrote:
>>>> following php code to get the file contents:
>>>> [
>>>> <?php
>>>> $mymenu=file_get_contents('menu.txt');
>>>> echo $mymenu;
>>>> ?>
>>>> ]
>>>> Everything works fine, but is this good practice, and is there a better
>>>> way?
>>>
>>> if the content of 'menu.txt' is HTML... the filename should be
>>> 'menu.html'.
>>
>> And the variable is superfluous (except perhaps for debugging):
>>
>> <?php
>> echo file_get_contents('menu.txt');
>> ?>
>>
>>> What you are doing is an include... you can do it this way:
>>>
>>> <?
>>> include('menu.txt');
>>> ?>
>>
>> That is not equivalent to the above, because with `include' (or
>> `include_once', `require', or `require_once') the content of menu.txt
>> will be parsed (searched for <?php … ?> sections which will then be
>> executed).
>
> So? Actually, it's an advantage. For instance, he may later want to
> add PHP code into the menu. He then would not need to go back and
> change all his existing code.
As I have explained in the part that you did not quote, it can be an
advantage indeed. But if it really is only supposed to be plain text (or
plain markup), using one of the include statements now can easily be a
disadvantage over file_get_contents() or readfile() if the plain text
happens to contain `<?php' or even `<?'. Because what follows will be
parsed as PHP until `?>', whether or not that was intended.
I strongly suspect this is but an example (it reads like homework). If the
file in question is actually user-specified, using an include statement like
this instead of file_get_contents() or readfile() would allow for code
injection and potentially a cross-site scripting (XSS) attack on this
application or website. If the PHP section feature is to be leveraged
later, the statement can still be modified to use an include statement
at that point, after it has been ensured that code injection and XSS are not
possible.
PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee
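The difference the thread turns on, as an added example that is not code from any of the posters: a menu file that happens to contain a PHP open tag is executed by `include` but copied verbatim by `readfile()`, and a loader for a user-chosen fragment that never hands user input to `include`. The temporary directory, the file names `menu.txt`/`footer.txt`, the request parameter `menu`, and the function `load_fragment()` are assumptions made for the demonstration.

```php
<?php
// Added example (not from the original thread). Demonstrates:
//  1. include parses the file, so an embedded <?php ... ?> section runs;
//  2. readfile()/file_get_contents() copy bytes and run nothing;
//  3. a loader for a user-selected fragment that maps the request value
//     through an allowlist instead of building a path from it.
// Assumes a writable temp dir; names and the 'menu' parameter are illustrative.

$dir = sys_get_temp_dir() . '/menu_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}

// Constructed sample: plain markup that also contains a PHP open tag.
$menuText = "<ul><li>Home</li><li>About</li></ul>\n"
          . "<?php echo 'code ran here'; ?>\n";
file_put_contents($dir . '/menu.txt', $menuText);
file_put_contents($dir . '/footer.txt', "Contact: webmaster\n");

// 1. include: the file is parsed as PHP, so the tag section executes.
echo "--- include ---\n";
include $dir . '/menu.txt';          // prints the list, then 'code ran here'
// (with short_open_tag enabled, a bare '<?' would be treated the same way)

// 2. readfile: bytes are copied to output unchanged; nothing executes.
echo "\n--- readfile ---\n";
readfile($dir . '/menu.txt');        // prints the literal "<?php echo ..." line

// 3. Hardened loader for a user-specified fragment name (hypothetical).
//    The name is only ever used as an allowlist key, so traversal
//    ('../../etc/passwd') and stream wrappers ('php://filter', 'http://')
//    never reach a filesystem or include call.
function load_fragment(string $name, string $baseDir, bool $plainText): string
{
    static $allowed = ['main' => 'menu.txt', 'footer' => 'footer.txt'];
    if (!isset($allowed[$name])) {
        throw new InvalidArgumentException('unknown fragment: ' . $name);
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowed[$name]);
    // realpath() resolves symlinks; confirm the result is still under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        throw new RuntimeException('fragment outside base directory');
    }
    $raw = file_get_contents($path);   // read, never include
    if ($raw === false) {
        throw new RuntimeException('read failed: ' . $path);
    }
    // Site-authored markup is emitted as-is; plain text is escaped so that
    // any '<' or '"' it contains is inert in the browser.
    return $plainText
        ? htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : $raw;
}

$requested = $_GET['menu'] ?? 'main';  // e.g. ?menu=../../etc/passwd is rejected
echo "\n--- hardened loader ---\n";
try {
    echo load_fragment($requested, $dir, false);
    echo load_fragment('footer', $dir, true);
    echo load_fragment('../../etc/passwd', $dir, true); // throws
} catch (InvalidArgumentException | RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

unlink($dir . '/menu.txt');
unlink($dir . '/footer.txt');
rmdir($dir);
```

Run it from the command line to see the three outputs side by side. The loader deliberately keeps the allowlist as the only link between the request value and a file name; if the fragments are later allowed to carry PHP sections, `file_get_contents()` can be swapped for `include` on the resolved `$path` without the request value ever touching the path.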