include(): why shouldn't I use it?

Time: 2020-12-21 15:03:32

I am working through an older PHP/MySQL book written in 2003. The author uses the include() function to construct HTML pages by including header.inc, footer.inc, main.inc files, etc. Now I find out that this is not allowed in the default ini settings (allow_url_include is set to Off), after I got many warnings from the server.

I also noticed that you can use include without the parentheses. I tried this and it works, and I get no error messages or warnings. Are the two different? That is, is include() different from include?

4 answers

#1


4  

The use of include() can introduce a Local File Include (LFI) or Remote File Include (RFI) vulnerability. You should try to avoid using include; for instance, if you are including HTML it is better to write print(file_get_contents($file)) than include($file). However, include()'ing PHP files is necessary in most PHP applications to reduce code duplication.

Even when remote file inclusion is disabled, it is still possible to exploit the system using an advanced LFI attack.

If you do need to accept user input in an include(), then you should make sure it is on a whitelist:

$good_includes = array("contact", "home", "view");
// Only include when the request value exactly matches an allowed page name
if (isset($_GET['page']) && in_array($_GET['page'], $good_includes, true)) {
    include("inc/" . $_GET['page'] . ".php");
}
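The vulnerable pattern this answer warns about, next to a hardened version, as an added example that is not code from the answer above. It assumes a pages/ directory holding home.php, contact.php and view.php; resolvePage() and renderPage() are names chosen for the example. Beyond the plain array check in the answer, it maps the request value onto a fixed table (so the untrusted string is never concatenated into a path at all) and then confirms with realpath() that the resolved file still sits under the pages directory:

```php
<?php
// Added example, not code from the original answer: a page loader driven by
// $_GET['page'], first in the vulnerable shape the answer warns about, then
// hardened. The directory layout (pages/home.php etc.) is assumed.

// --- Vulnerable: the untrusted value becomes part of the path ---------------
// '../' sequences walk out of pages/ and, depending on the PHP version and on
// whether a suffix is appended, can pull in files the application never
// intended to execute or disclose.
function renderPageUnsafe(string $page): void
{
    include 'pages/' . $page . '.php';
}

// --- Hardened: map the untrusted value onto a fixed set of files ------------
const PAGE_FILES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'view'    => 'view.php',
];

// Returns the absolute path of an allowed page, or null for anything else.
function resolvePage($page, string $baseDir): ?string
{
    // 1. Allowlist: the request value is only ever used as an array key and
    //    is never concatenated into the path.
    if (!is_string($page) || !array_key_exists($page, PAGE_FILES)) {
        return null;
    }

    // 2. Defence in depth: after symlink and '..' resolution the file must
    //    still sit inside $baseDir. This catches mistakes in the table itself.
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_FILES[$page]);
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

function renderPage($page): void
{
    $file = resolvePage($page, __DIR__ . '/pages');
    if ($file === null) {
        // Unknown or tampered value: refuse rather than fall back to a guess
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $file;
}

renderPage($_GET['page'] ?? 'home');
```

The same resolvePage() check applies if the fragments are plain HTML served with readfile() or file_get_contents() instead of include: swapping the function only stops the file from being executed as PHP, it does not stop path traversal.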

#2


16  

This is a misunderstanding. You can turn off the inclusion of remote files (using a URL such as http://www.example.com/include.php instead of a filesystem path). You can always include local files.

The latter is because include is not a normal function but a language construct. Like die, it can be used with or without parentheses. Source: Manual

Because include() is a special language construct, parentheses are not needed around its argument. Take care when comparing the return value.

#3


0  

The include function is good for dynamic including of files. If we include files in a loop, this is very good. But if we include files statically, we should use require. The second function is done at the beginning of the script.

#4


-1  

There's a major difference between include/require_once and require.

The primary difference is the error reporting. If you use include in your application, PHP will attempt to load the file, but if it does not exist it will throw a non-fatal error (meaning your script will not halt); if you are using require, then the script will halt and stop processing.

Use require on files that are fundamental to your application and use include in your templates, because if there is an error you can specify not to show the error, and thus the user will not know the difference as long as it is not a primary template include such as header.php.

These functions are mainly used on your own server to include files that are relevant to your application.

If you are including files from outside your server, then I would use curl if it's installed, or file_get_contents().

Hope this helps you.

Just a note on require vs require_once: require_once will add logic to make sure that the file is not included more than once, i.e. you don't want to declare your database connection more than once.
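The return-value points raised in answer #2 (the precedence trap when comparing what include returns) and answer #4 (include on a missing file continues, require_once runs a file only once) in one runnable script. This is an added example, not code from either answer; the files it loads (vars.php, counter.php) are written to a temporary directory by the script itself so that it runs stand-alone.

```php
<?php
// Added example, not code from the answers above: what include, require and
// require_once return, and the precedence trap mentioned in answer #2.
// The included files are created here so the script runs on its own.

$dir = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
// vars.php sets a variable in the including scope and returns a value
file_put_contents("$dir/vars.php", "<?php\n\$color = 'green';\nreturn 'OK';\n");
// counter.php counts how many times it has actually been executed
file_put_contents("$dir/counter.php",
    "<?php\n\$GLOBALS['loaded'] = (\$GLOBALS['loaded'] ?? 0) + 1;\n");

// 1. Precedence: include is a language construct, not a function, so
//       if (include('vars.php') == 'OK')
//    parses as include(('vars.php') == 'OK'), i.e. include(false), which is
//    an empty-path error. Parenthesise the whole construct instead:
if ((include "$dir/vars.php") === 'OK') {
    echo "vars.php loaded, \$color is $color\n";   // the file's return value was 'OK'
}

// 2. A missing file: include emits a warning and returns false; the script
//    continues. The @ only hides the warning, it does not change the result.
$result = @include "$dir/missing.php";
var_dump($result);                                 // bool(false)

// 3. require_once executes the file the first time and returns true without
//    running it again afterwards, which is why it suits a DB connection or
//    config file that must not be set up twice.
require_once "$dir/counter.php";
require_once "$dir/counter.php";
echo "counter.php ran {$GLOBALS['loaded']} time(s)\n";   // 1

// 4. require on a missing file is a fatal error: nothing after it runs.
//    Uncomment to watch the script halt here.
// require "$dir/missing.php";

// Clean up the temporary files
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

Note that suppressing the warning with @ (as answer #4 suggests for templates) also hides the evidence that a file is missing; checking the return value, as above, or logging the failure keeps the condition visible to whoever operates the application.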
