Build Your Own DatabaseDriven Website Using PHP amp;amp; MySQL [Electronic resources] نسخه متنی

Server-Side Includes with PHP

If you've
been working on the Internet for a while, you've probably come across the
term Server-Side Includes (SSIs); if not, you can read Matt
Mickiewicz's mini-tutorial on the subject.

In essence, SSIs allow you to insert the content of one file stored
on your Web server into the middle of another. The most common use for this
technology is to encapsulate common design elements of a Website in small
HTML files that can then be incorporated into Web pages on the fly. Any changes
to these small files immediately affect all files that include them. And,
just like a PHP script, the Web browser doesn't need to know about any of
it, since the Web server does all the work before it sends the requested page
to the browser.

PHP has a function that provides similar capabilities. But in addition
to being able to incorporate regular HTML and other static elements into your
included files, you can also include common script elements. Let's look at
an example:

<!-- include-me.php -->
<?php
echo( '<p>"Make me one with everything!"</p>\n' );
?>

The above file, include-me.php, contains some simple
PHP code. You'll also need the following file:

<!-- testinclude.php -->
<html>
<head>
<title> Test of PHP Includes </title>
</head>
<body>
<p>What did the Buddhist monk say to the hot dog vendor?</p>
<?php
include('include-me.php');
?>
</body>
</html>

Notice the call to the include function. We specify the name of the file we want to include
(include-me.php), and PHP will attempt to grab the named
file and stick it into the file to replace the call to include.
Upload both of the above files to your Web server (or copy them to your Web
server's document folder if you're running the server on your computer) and
load testinclude.php in your browser. You'll see a Web
page that contains the message from our include file, as expected.

If this example doesn't work, you may need to configure the include_path option
in your php.ini file. Open the file in your favourite
text editor and look for a line that begins with include_path,
about halfway through the file. This setting works in the same way as the
system PATH environment variable with which you may be
familiar. It contains a list of directories where PHP should look for files
that you ask it to include. Set it so it contains "."
(the current directory).

Depending on whether your server is running under Windows or Linux,
you may need to surround your setting with quotes:

Under Linux (or other UNIX-based operating systems):

include_path=.:/another/directory

Under Windows:

include_path=".;c:\another\directory"

Increasing Security with Includes

PHP scripts will sometimes contain sensitive
information like user names, passwords, and other things you don't want the
world to be able to access. By now, you're probably used to the mysql_connect function,
which requires you to put your MySQL user name and password in a PHP script
that needs access to a database. While you can simply set up MySQL so that
the user name and password used by PHP cannot be used by potential hackers
(by setting the Host field in the user table as described in "MySQL Administration"), you would probably still rest easier knowing that your
user name and password are protected by an extra level of security.

"But wait a minute," you might say. "Since the PHP is processed by the
server, nobody can see my password anyway, right?" Right, but consider what
would happen if PHP stopped working on your server. If, because of an accidental
software misconfiguration made by a well-meaning associate, or some other
factor, PHP stopped working on your server, the PHP pages would be served
up as plain text files, with all your PHP code (including your password) there
for the world to see!

To guard against this kind of security breach, you should put any security-sensitive
code into an include file, and place that file into a directory that's not
part of your Web server's directory structure. If you add that directory to
your PHP include_path setting
(in php.ini), you can refer to the files directly with
the PHP include function, but have them tucked away safely somewhere where your
Web server can't display them as Web pages.

For example, if your Web server expects all Web pages to exist in /home/httpd/ and
its sub-directories, you could create a directory called /home/phpinc/ to
house all of your include files. Add that directory to your include_path,
and you're done! The next example shows how you can put your database connection
code into an include file:

<!-- dbConnect.inc (in /home/phpinc/) -->
<?php
$dbcnx = mysql_connect('localhost', 'root', 'rootpassword');
?>

And a file that uses this include:

<!-- dbSample.php (in /home/httpd/) -->
<?php
// Connect to MySQL
include('dbConnect.inc');
mysql_select_db('myDatabase',$dbcnx);
...

As you can see, if PHP stops working on your server, all that will be
exposed is a call to the include function. The user name
and password are safely stored in dbConnect.inc, which
cannot be accessed directly from the Web.

As usual, it's still important to consider other means that may be available
to access those files. For example, if you share your Web server with other
people/companies, be certain that the files are not accessible to those other
users!