I have the folowing issue: I got a PHP file (standards.php) with statements like these:
define('CONSTVAR', '/path/');
Now, I have another file called untitled.php, containing this:
include ('standards.php');
echo CONSTVAR;
This will result in a page saying /path/, the value of the constant.
It’s good so far.
But when I put the standards.php on another one of my websites and try to include it from there (using the include('http://mysite.eu/core/standards.php'); command), it doesn’t work. The constant remain empty, and I also get the following error
Warning: main(http://mysite.eu/core/standards.php) [function.main]: failed to open stream: Permission denied in /home/www/this.nl/core/untitled.php on line 28
Warning: main() [function.include]: Failed opening ‘http://mysite.eu/core/standards.php’ for inclusion (include_path=’.:/usr/local/php4/lib/php’) in /home/www/this.nl/core/untitled.php on line 28
allow_url_include is enabled and allow_url_fopen too. When I type the full URL of the standards.php into my browser, I get a page result, so it’s not an issue of not having access rights, right?
What could be the issue here? Why is the constant, which is supposed to be global, not “inherited” when including from a remote server?
allow_url_fopenandallow_url_includecan only be set in php.ini or httpd.conf. It is the local server that is preventing the file from being included, which is different to typing the URL into the browser.Even if the external include worked, it won’t work as expected. Includes over HTTP are different to standard includes.
You are including the output of the included file. The External PHP file is processed at the external server before being included.
It would certainly be a security vulnerability if external PHP files could be read verbatim in this way.