If I include a PHP file from another web server, will it return the output of the PHP file, or the actual contents of the PHP file? My guess is the first one, but can anyone confirm this? Thanks.

Reply

the actual content will be inserted wherever you put the include(). include() is like inserting the content of the file. Take note that both include() and require() functions treats the inserted text from a file as HTML text. Meaning if you want the include() and require() function to insert the text as PHP codes you have to enclose it with the PHP tag <?PHP ?>.

Reply

INCLUDE, unlike REQUIRE, will continue whether the file being included is correct or not. It will try to digest and if it encounters error, INCLUDE will keep on going to the next set of commands/lines etc.

Because of this voracious appetite of parsing, all functions and classes segregated from the main PHP files are usually named filename.inc.php.

If you want to include functions that returns some value, you should have the including file as filename.inc.php.

Reply

Another couple of thing about "includes" which should be considered:

By using a PHP file extension, in the odd chance that someone tries to "view" the file on your account, if the filename ends in ".php" (or another file extension which has been determined to be parsed as php according to the rules in your .htaccess file), the script contents will not be viewable in their Browser, only the HTML output would be shown to them, whereas a file ending in "inc" is merely a text file which can be viewed. This is particularly important for information which should be "secured", like your Database Configuration information with database names and passwords.

Another thing, use the "include_once()" and "require_once()" if the contents of the include contains information which could affect the value of your variables. An example, again would be the config.inc. In a situation where you might be adding a variety of includes, each of which might call other includes, etcetera, and some of the includes may have been already opened, ie: a database config file, or a functions.inc which has a series of define statements, the "*_once()" will only allow that file to be called the first time so that any values do not get reset.

And the difference between an "include()" and "require()" is the script will terminate on an error if the require() is used. A situation where you might consider using the require() is for opening sensitive files and don't wish the client to view the data contain in the error, for example, the database connection information, or the locations of the included files.

While I am spouting here, additional security can be achieved by locating the included files "above" your public_html folder, in the account root folder. On the Apache servers like what the Trap uses, if the file is in the public_html folder, it can potentially be accessed from the Web directly by URL. When it is located "upstream" of the public_html folder, it would be doubly secure with a php file extension.

All of these methods enhance the security of your data and files, and these security measures can all be in effect, yet your site remains at risk. Files and accounts and servers are never completely secure against attacks. Security is not "on" or "off". Security is a continuum. There is "more security" and "less security". Complete security is a situation where the files are on a CD or DVD in a desk drawer, but then they are not web-accessible. So, it is important to know and implement the security measures you can feel comfortable with while remembering that more security means potentially less access. That is the trade-off you must measure.

 

 

 

Reply

a short answer on your question: if the file is on another server, you will get the output of the script, not the real contents.

Reply