Using The Include Function With PHP 5 And Future Versions


PHP 4 is becoming less common across the Internet as sites switch to newer versions such as PHP 5. Many modifications have been made under the hood, so to speak, and webmasters in particular will notice that they need a new syntax in order to include remote files in a webpage.

Templates are usually the beneficiaries of including a remote file, as it makes the resulting code much easier to read and cuts down on bulk. PHP 4 allowed developers limitless use of the include function to accomplish this, but PHP 5 is less lenient because of what is called an XSS attack, or cross-site scripting attack. As a result, developers now have to learn new methods for including remote files.

An XSS attack seeks to inject code into a webmaster’s website and attempts to run it. With the normal include function as PHP 4 allowed it, an attacker could easily include files from another server located anywhere in the world. In doing so, servers could become “zombies” that spam or attack other websites and users at will, all without the webmaster knowing.

XSS attacks function mostly because “allow_url_fopen” is set to on, which is the default setting in PHP 4. In PHP 5, however, the default setting is off. As a result, webmasters will not be able to include absolute paths without a little extra work. Instead, developers are urged to use relative file paths when including files.

Another way to use the include function in PHP 5 is to reference the server’s own base directory when including files, so the same syntax can be kept. The server variable for this base directory, $_SERVER['DOCUMENT_ROOT'], takes the place of the webmaster’s domain name when including a file. Using this server variable, in effect, allows webmasters to keep using absolute paths in their include statements. This is useful for avoiding the work of changing every include to a relative path.
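One way to apply the document-root approach described above while refusing remote or out-of-tree paths, as an added example that is not code from the original article. The helper name resolve_template, the templates/ directory and the sample names are assumptions made for illustration.

```php
<?php
// Added example. resolve_template() and the templates/ layout are hypothetical.
// Related php.ini switches: allow_url_fopen (named in the article) and
// allow_url_include (PHP 5.2+, off by default), which governs URLs in include.

/** Return the real path of a template under $docRoot/templates, or null. */
function resolve_template($name, $docRoot)
{
    // Refuse stream wrappers (http://, ftp://, php://) and NUL bytes outright.
    if (strpos($name, '://') !== false || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($docRoot . '/templates');
    if ($base === false) {
        return null;
    }
    // realpath() resolves ../ and symlinks and returns false for missing files.
    $path = realpath($base . '/' . $name . '.php');
    if ($path === false) {
        return null;
    }
    // The resolved file must still sit inside the templates directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Weak form: request data passed straight to include.
//   include $_GET['page'];

// Constructed demo: a throwaway document root with one template in it.
// On a live site, pass $_SERVER['DOCUMENT_ROOT'] as $docRoot instead.
$docRoot = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($docRoot . '/templates', 0700, true);
file_put_contents($docRoot . '/templates/header.php', '<?php echo "header loaded\n";');

// Constructed inputs: one valid name, one remote URL, one path outside the tree.
foreach (array('header', 'http://example.invalid/header', '../../outside') as $name) {
    $file = resolve_template($name, $docRoot);
    if ($file === null) {
        echo "rejected: $name\n";
        continue;
    }
    include $file;
}

// Remove the constructed files again.
unlink($docRoot . '/templates/header.php');
rmdir($docRoot . '/templates');
rmdir($docRoot);
```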

For webmasters who don’t like change, the urge to turn the setting back on is probably hard to resist. But webmasters are urged to keep this setting off to avoid the most common XSS attacks, as encouraged by the PHP community, which thought the problem serious enough to change the default behavior. Instead, learn to use the new syntax or the workaround and keep your server secure, your users happy, and your troubles minimal.

Closing Comments

PHP 5 has brought us many new security features, and the default setting of disallowing absolute paths in include functions is an example of where the industry is going. For more information on the syntax and how to use it, and for more on web development, readers should consult the PHP manual or obtain a PHP 5 book from a local bookstore.
