PHP include call used to work, doesn't now, and my ISP blames me...help?

Report · Feb 27, 2010

Hello all,

Here's the deal: I have a website, www.website.com which has a sub-domain, subdomain.website.com. I use one CSS file for both sites, the subdomain calls to the main website. Likewise, I pull graphics from the main site that appear on the subdomain. Everything works swimmingly.

I also have a navbar that is common to both sites. For simplicity, the navbar is in an includes folder in the main site's root directory. I do this so that changes made to the navbar can be instantaneous across both sites. I avoid having to upload includes files to BOTH sites every time I change one of them. Here's how I call it in the code:

<?php include('http://www.website.com/includes/navbar2.php'); ?>

This USED TO WORK JUST FINE. Not long ago, pages in the subdomain are no longer able to call the navbar from the includes folder on the main site. I get three <function include> errors where there ought to be the navbar. I contacted my ISP (Network Solutions) and they blame it on 'custom coding' which is absurd as I haven't altered the code on these pages in months...far before the problem occurred.

Here is the html for the three <function include> errors:

<b>Warning</b>:  include() [<a href='function.include'>function.include</a>]: URL file-access is disabled in the server configuration in <b>/(actual path info removed)/main.php</b> on line <b>31</b><br />

<br />
<b>Warning</b>:  include(http://www.website.com/includes/navbar2.php) [<a href='function.include'>function.include</a>]: failed to open stream: no suitable wrapper could be found in <b>/(actual path info removed)/main.php</b> on line <b>31</b><br />
<br />
<b>Warning</b>:  include() [<a href='function.include'>function.include</a>]: Failed opening 'http://www.website.com/includes/navbar2.php' for inclusion (include_path='.:/usr/services/vux/lib/php') in <b>/(actual path info removed)/htdocs/subdomain_folder/main.php</b> on line <b>31</b><br />

I think it's a server-side change. Has to be as I have not altered the code at all in ages. Any thoughts, suggestions or help would be very much appreciated.

Sincerely,

wordman

Report · Mar 01, 2010

I agree with you, there has been a tightening of security on the server.

Assuming that your sub-domain is in the same directory structure as your main domain name as in maindomain/program_files and maindomain/subdomain/program_files, then why don't you grab your menu for your subdomain as in <?php include('../includes/menu.php'); ?>

This way you are not calling a domain name which the server is blocking.

I hope this helps.

Ben

Wappler, the only real Dreamweaver alternative.

Report · Mar 01, 2010

Ben,

Thank you, an excellent suggestion! However, my subdomain lies in its own folder on the server. I am happy to know that you agree this is some sort of security tightening. It's weird, because I can pull pics, graphics and other material from the main site with no hitch. Go figure.

Many thanks for the message!

Cheers,

wordman

Report · Mar 01, 2010

If you cannot access the files outside of your sub domain (on your main domain), than I would use the following method.

If your nav bar is displaying or returning html, than I would just grab the contents of the file you want to use on your other domain using the php function file_get_contents(). You could also use curl, but that is probably overkill for this.

I hope you find this useful.

Chris Roane - My Lifestyle and PHP Blog

Report · Mar 01, 2010

Chris,

As a relative newcomer to PHP, I have to say, I'm not familiar with these functions but I will absolutely look them up to see if this cures my problem.

You guys are awesome. I will report back on the results soon!

Most cheers,

wordman

Report · Mar 01, 2010

Chris,

Well, the file_get_contents( ) function is being thwarted in the same manner as my include function. I'm going to try curl next...

Thanks!

Cheers,

wordman

Report · Mar 01, 2010

When you load the url directly (the url you are putting into the php function), do you get the html?

If you are not getting the html when you load that url directly in your browser, than there is something wrong with that specific file. If you can give me the url, I can do some minor testing on my server and give you code that I get working on my end.

Report · Mar 01, 2010

Chris,

The url points to an includes folder which is accessing a navbar include file which is PHP. That, I believe is the problem, BECAUSE all of this worked last year. Everything was fine. This was perfectly functional and I have not changed the code for 4 months.

Therefore, I must conclude it was a server change that NetSol made. Again, it worked originally and now does not and I have not altered the code.

At any rate, I just placed the navbar include file in the site root for the subdomain and all is working fine now.

Thanks all for your help!

Cheers,

wordman

Report · Mar 01, 2010

Chris,

...aaaaaand, the server is blocking curl as well. Makes me wish I had placed the subdomain folder inside the main site folder instead of keeping them separate. I'd do it now, but I have a huge forum and a blog and the thought of moving all that makes me woozy.

You guys are awesome. Thanks for the suggestions!

Cheers,

wordman

Report · Mar 02, 2010

Wordman-GL wrote:
Here's how I call it in the code:

<?php include('http://www.website.com/includes/navbar2.php'); ?>

This USED TO WORK JUST FINE.

Your hosting company is quite correct in blaming you, although it should probably have explained why it no longer works.

Since PHP 5.2, there have been two security directives: allow_url_fopen, which is on by default, and allow_url_include, which is off by default.

Including a file directly from a URL is a major security risk, which is why allow_url_include is turned off. If you want to include content from a URL, you must retrieve it using a file function, such as file_get_contents(), and run your own security checks on it before including it in a page.

Report · Mar 02, 2010

David,

Thank you as always, for a concise answer.

I tried the file_get_contents(), but it bombed. So I figured to cut my losses and just add the includes file in my subdomain.

Let me ask you this: from my subdomain, I also call to graphics and a CSS file located on the main www page ( <img src="http;//www.website.cpm/graphics/logo.jpg" /> and <link href="http://www.website.com/css_files/file.css etc...> ). Does this also pose a security risk? Currently these work, I'm assuming because they do not involve PHP.

Your advice would be greatly appreciated!

Thanks!

Sincerely,

wordman

Report · Mar 04, 2010

As long as you know what you're including, there is no security risk. The reason allow_url_include has been turned off by default is because a lot of inexperienced people use PHP in an insecure way. That's why the directive can be turned on in a controlled environment.

Including your images from another domain is the same. If you control the domain (or subdomain), there's no problem. If you're using an image from elsewhere, there are two potential problems: the other domain might be down, or the owner of that domain removes the image.

In other words, if you know the implications of what you're doing, you can determine whether a course is safe to follow. It's when you fail to think things through that problems arise.