  1. #1
    New to the CF scene
    Join Date
    Apr 2009
    Location
    Kent, UK
    Posts
    9
    Thanks
    0
    Thanked 0 Times in 0 Posts

    How to PHP include a variable path

    Hello,

    I am working on a site which may have multiple themes installed. When there was only one theme installed, I was using the following code to call it:

    <?php include('themes/theme_name/index.php'); ?>

    I am now changing the site to allow multiple themes and would like to know how to include a variable name i.e.

    <? include(themes/ ECHO DEFAULT THEME NAME /index.php

    I know the above code won't work, but is there any way of doing this?

    Regards
    Jim

  • #2
    UE Antagonizer Fumigator's Avatar
    Join Date
    Dec 2005
    Location
    Utah, USA, Northwestern hemisphere, Earth, Solar System, Milky Way Galaxy, Alpha Quadrant
    Posts
    7,691
    Thanks
    42
    Thanked 637 Times in 625 Posts
    It'll work fine; the input for an include is a string so you can put together a string using a variable and use it in the include.

  • #3
    Senior Coder timgolding's Avatar
    Join Date
    Aug 2006
    Location
    Southampton
    Posts
    1,519
    Thanks
    114
    Thanked 110 Times in 109 Posts
    As Fumigator suggests, using concatenation:

    PHP Code:
    $theme = "themefoldername";
    include('themes/'.$theme.'/index.php');
    You can not say you know how to do something, until you can teach it to someone else.

  • #4
    Senior Coder timgolding's Avatar
    Another thing to consider when using include() as opposed to require() is whether you want the script to continue running if the file is missing. Probably in this case you do want to continue running, in which case include is fine. But you should have a backup plan if the folder/file is missing.

    PHP Code:
    $theme = "themefoldername";
    //turn off warnings
    error_reporting(E_ALL & ~E_WARNING);
    if (!include('themes/'.$theme.'/index.php'))
    {
        // file was missing so include default theme
        require('themes/default_theme/index.php');
    }
    // Turn on warnings
    error_reporting(E_ALL);
    N.B. You can't use @ to turn off errors in this case because that will also turn off errors in the include file.

    Although maybe this works better

    PHP Code:
    if (file_exists('themes/'.$theme.'/index.php'))
        include('themes/'.$theme.'/index.php');
    else
        require('themes/default_theme/index.php');
    Last edited by timgolding; 04-26-2009 at 11:56 PM.
    You can not say you know how to do something, until you can teach it to someone else.

  • #5
    Senior Coder timgolding's Avatar
    Also, another thing to consider is how the different themes are being set. If it is your user who is setting which theme to use, then be very careful. For instance, if they are choosing a theme from a drop-down list or some other form control, then you are using $_POST or $_GET data to set the theme string, so make sure this is fully validated. You will need to validate that any theme folder name sent through the form's POST or GET is actually in the folder themes, or they could inject and have your script run any index.php file on your system. For instance, following on from your example, if you had a secure folder called admin with an index.php that gave admin access to your site, then they could inject like so:

    PHP Code:
    //form data sent :   ../admin

    $themefoldername = $_POST["theme"]; // = ../admin
    require('themes/'.$themefoldername.'/index.php');

    // actual included folder will be 
    // themes/../admin/index.php
    // which is same as admin/index.php 
    You have already reduced the problem by including the /index.php as the last portion of your string, and maybe you don't have any index.php files that would pose a security risk. But validation would eliminate any problems or future problems. Here's an example of simple validation:

    PHP Code:
    //list of allowed themes
    $allowed = array('blue', 'gold', 'red', 'purple', 'green');
    $theme = $_POST['theme'];

    if (in_array($theme, $allowed) && file_exists('themes/'.$theme.'/index.php'))
    {
        //Can include file
        include('themes/'.$theme.'/index.php');
    }
    else
    {
        require('themes/default_theme/index.php');
    }

    If it was me I would include this validation regardless.
    Last edited by timgolding; 04-27-2009 at 12:35 AM.
    You can not say you know how to do something, until you can teach it to someone else.

  • #6
    New to the CF scene
    Hi, I think there are some good, and valid points here.

    First of all, I will say that on the front end of the site there is no theme selection (the admin selects the theme to use from a list in the admin panel, which then writes the theme name into the MySQL database, and the variable is pulled from that database).

    But on the other hand, you can never be too secure, so the validation code will go in place.

    And just to top this, the main theme file will be renamed to theme.php instead of index.php. Although there are no threatening index.php files, there may well be when the script gets updated, whereas theme.php is unlikely to be used again.

    Many thanks for your support
    Jim

  • #7
    Senior Coder timgolding's Avatar
    Quote (originally posted by TheVDM):
    (the admin selects the theme to use from a list in the admin panel, which then writes the theme name into the MySQL database, and the variable is pulled from that database)
    A site with an admin panel needs even tighter security. Never trust your user, yourself included.
    You can not say you know how to do something, until you can teach it to someone else.
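
Added example, not part of the original thread: one way to apply the validation from post #5 whether the theme name arrives from a form or from the database value described in post #6. It goes beyond the hard-coded list by building the allow-list from the installed theme directories and checking that the resolved path stays inside themes/; the function name `resolveThemeFile()` and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added example (not from the thread). resolveThemeFile() and the temp
// directory layout below are hypothetical names used for illustration.
function resolveThemeFile(string $themesDir, $requested, string $default = 'default_theme'): string
{
    $ds = DIRECTORY_SEPARATOR;
    $base = realpath($themesDir);
    if ($base === false) {
        throw new RuntimeException('themes directory not found');
    }
    $fallback = $base . $ds . $default . $ds . 'index.php';
    // 1. Shape check: one directory name, no separators, dots or NUL bytes.
    if (!is_string($requested) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return $fallback;
    }
    // 2. Allow-list built from what is actually installed under themes/.
    $installed = array_filter(scandir($base), function ($d) use ($base, $ds) {
        return $d[0] !== '.' && is_dir($base . $ds . $d);
    });
    if (!in_array($requested, $installed, true)) {
        return $fallback;
    }
    // 3. Containment: the resolved path must still sit inside themes/
    //    (catches a theme directory that is a symlink pointing elsewhere).
    $path = realpath($base . $ds . $requested . $ds . 'index.php');
    if ($path === false || strncmp($path, $base . $ds, strlen($base) + 1) !== 0) {
        return $fallback;
    }
    return $path;
}

// Constructed demo tree: <tmp>/site_*/{admin,themes/blue,themes/default_theme}/index.php
$root = sys_get_temp_dir() . '/site_' . uniqid();
foreach (['admin', 'themes/blue', 'themes/default_theme'] as $dir) {
    mkdir("$root/$dir", 0700, true);
    file_put_contents("$root/$dir/index.php", "<?php // $dir\n");
}

// Constructed inputs, including the "../admin" value from post #5.
foreach (['blue', '../admin', 'blue/../../admin', 'missing', ['blue']] as $input) {
    $file = resolveThemeFile("$root/themes", $input);
    $shown = substr($file, strlen(realpath($root)) + 1);
    printf("%-22s -> %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), $shown);
}
// A caller would then do:
//   require resolveThemeFile(__DIR__ . '/themes', $themeFromDbOrPost);
```

Only the installed name `blue` resolves to its own index.php; every other input, including the array value a crafted form can submit, falls back to the default theme.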

