Build Your Own Database Driven Website Using PHP & MySQL [Electronic resources]

Kevin Yank


Server-Side Includes with PHP

If you've been working on the Internet for a while, you've probably come across the term Server-Side Includes (SSIs); if not, you can read Matt Mickiewicz's mini-tutorial on the subject.

In essence, SSIs allow you to insert the content of one file stored on your Web server into the middle of another. The most common use for this technology is to encapsulate common design elements of a Website in small HTML files that can then be incorporated into Web pages on the fly. Any changes to these small files immediately affect all files that include them. And, just like a PHP script, the Web browser doesn't need to know about any of it, since the Web server does all the work before it sends the requested page to the browser.

PHP has a function that provides similar capabilities. But in addition to being able to incorporate regular HTML and other static elements into your included files, you can also include common script elements. Let's look at an example:

<!-- include-me.php -->
<?php
// "\n" must be in double quotes; inside single quotes PHP prints a literal \n
echo( '<p>"Make me one with everything!"</p>' . "\n" );
?>

The above file, include-me.php, contains some simple PHP code. You'll also need the following file:

<!-- testinclude.php -->
<html>
<head>
<title> Test of PHP Includes </title>
</head>
<body>
<p>What did the Buddhist monk say to the hot dog vendor?</p>
<?php
include('include-me.php');
?>
</body>
</html>

Notice the call to the include function. We specify the name of the file we want to include (include-me.php), and PHP will attempt to grab the named file and stick it into the file to replace the call to include. Upload both of the above files to your Web server (or copy them to your Web server's document folder if you're running the server on your computer) and load testinclude.php in your browser. You'll see a Web page that contains the message from our include file, as expected.

If this example doesn't work, you may need to configure the include_path option in your php.ini file. Open the file in your favourite text editor and look for a line that begins with include_path, about halfway through the file. This setting works in the same way as the system PATH environment variable with which you may be familiar. It contains a list of directories where PHP should look for files that you ask it to include. Set it so it contains "." (the current directory).

Depending on whether your server is running under Windows or Linux, you may need to surround your setting with quotes:

Under Linux (or other UNIX-based operating systems):

include_path=.:/another/directory

Under Windows:

include_path=".;c:\another\directory"

Increasing Security with Includes

PHP scripts will sometimes contain sensitive information like user names, passwords, and other things you don't want the world to be able to access. By now, you're probably used to the mysql_connect function, which requires you to put your MySQL user name and password in a PHP script that needs access to a database. While you can simply set up MySQL so that the user name and password used by PHP cannot be used by potential hackers (by setting the Host field in the user table as described in "MySQL Administration"), you would probably still rest easier knowing that your user name and password are protected by an extra level of security.

"But wait a minute," you might say. "Since the PHP is processed by the server, nobody can see my password anyway, right?" Right, but consider what would happen if PHP stopped working on your server. If, because of an accidental software misconfiguration made by a well-meaning associate, or some other factor, PHP stopped working on your server, the PHP pages would be served up as plain text files, with all your PHP code (including your password) there for the world to see!

To guard against this kind of security breach, you should put any security-sensitive code into an include file, and place that file into a directory that's not part of your Web server's directory structure. If you add that directory to your PHP include_path setting (in php.ini), you can refer to the files directly with the PHP include function, but have them tucked away safely somewhere where your Web server can't display them as Web pages.

For example, if your Web server expects all Web pages to exist in /home/httpd/ and its sub-directories, you could create a directory called /home/phpinc/ to house all of your include files. Add that directory to your include_path, and you're done! The next example shows how you can put your database connection code into an include file:

<!-- dbConnect.inc (in /home/phpinc/) -->
<?php
$dbcnx = mysql_connect('localhost', 'root', 'rootpassword');
?>

And a file that uses this include:

<!-- dbSample.php (in /home/httpd/) -->
<?php
// Connect to MySQL
include('dbConnect.inc');
mysql_select_db('myDatabase',$dbcnx);
// ...

As you can see, if PHP stops working on your server, all that will be exposed is a call to the include function. The user name and password are safely stored in dbConnect.inc, which cannot be accessed directly from the Web.

As usual, it's still important to consider other means that may be available to access those files. For example, if you share your Web server with other people/companies, be certain that the files are not accessible to those other users!
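
To check the arrangement described above, the following added example (not code from the book) reports any include_path directory that sits inside the Web server's document root, where an include file would be served as plain text if PHP stopped working. The function name exposed_include_dirs is hypothetical, and /home/httpd, /home/phpinc and /home/httpd/inc are sample paths based on the directories named in the text.

```php
<?php
// Added example, not from the book. The function name is hypothetical;
// /home/httpd is the document root used in the text and serves as the
// fallback when the script is run from the command line.

/**
 * Return the include_path entries that resolve to the document root or a
 * directory beneath it. Files stored there can be requested by URL, so
 * their source (passwords included) is served if PHP stops parsing them.
 */
function exposed_include_dirs(string $includePath, string $docRoot): array
{
    $sep = DIRECTORY_SEPARATOR;
    // realpath() resolves symlinks and ".."; it returns false for a
    // missing path, in which case the raw string is compared instead.
    $root = rtrim(realpath($docRoot) ?: $docRoot, $sep) . $sep;

    $exposed = [];
    foreach (explode(PATH_SEPARATOR, $includePath) as $entry) {
        if ($entry === '' || $entry === '.') {
            continue; // "." is the current directory, which the text adds on purpose
        }
        $dir = rtrim(realpath($entry) ?: $entry, $sep) . $sep;
        if (strpos($dir, $root) === 0) { // $dir is $root or lies below it
            $exposed[] = $entry;
        }
    }
    return $exposed;
}

// Audit the live configuration and log every exposed directory.
$docRoot = !empty($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '/home/httpd';

foreach (exposed_include_dirs(get_include_path(), $docRoot) as $dir) {
    error_log("include_path entry is inside the document root: $dir");
}

// Constructed sample input: one private directory and one under the document root.
$sample = implode(PATH_SEPARATOR, ['.', '/home/phpinc', '/home/httpd/inc']);
var_dump(exposed_include_dirs($sample, '/home/httpd'));
```

The check covers Web exposure only; file permissions on a shared server still need to be reviewed separately.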