  1. #1
    Join Date
    Dec 2003
    Posts
    84

    PHP beginner question: is @include the same as the include function?

    I see some code adding @ in front of include.

    What is @include? I searched the PHP documentation and couldn't find it. I remember seeing it somewhere, but didn't bookmark it.

    Please help me out if you know how to use @include.

  2. #2
    Join Date
    Jul 2006
    Location
    Australia
    Posts
    3,059
    In PHP, putting "@" before something stops any errors being outputted, so I presume they would do that so if the include file wasn't there no errors would show up.

  3. #3
    Join Date
    May 2005
    Location
    Planet Earth
    Posts
    813
    Quote Originally Posted by ethix
    In PHP, putting "@" before something stops any errors being outputted, so I presume they would do that so if the include file wasn't there no errors would show up.
    Right.

    However, I'd say the 'include()' statement without the '@' would be faster because PHP doesn't need to check if the file exists (my opinion, nothing has been tested here).

    I wouldn't recommend using '@' in any case; you could end up looking for this kind of bug for ages.

    In some cases, however, like @mysql_query() or other commands working with a third-party application, it may be a good thing if you don't want errors to be displayed to users (too much information is usually shown). But I may be a bit freaky regarding security..

    Regards,

    G

  4. #4
    Googled... you're always freaked by the security

  5. #5
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    if you don't want errors to be displayed to users (too much information is usually shown). But I may be a bit freaky regarding security..
    If you don't want errors to be displayed, don't display them, but log them using set_error_handler. This will stop almost any error from coming across if you use that with error_reporting, which will allow you to customize what errors are shown and what are not.

  6. #6
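    error_reporting(E_STRICT);       // pass the constant, not the string 'E_STRICT'
    ini_set("display_errors", 0);    // do not show errors to visitors
    ini_set("log_errors", 1);        // write them to the error log instead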


    Is the best mix in my opinion. Errors are not shown BUT they are logged so you can know what they are.

  7. #7
    Join Date
    Mar 2004
    Location
    USA
    Posts
    4,342
    Doesn't matter if you place @ before an include or not.

    PHP still checks if the file is there and still checks the logicality of that file.

    The only difference @ makes is it displays the error instead of trashing it to < /null

    Security wise, it doesn't mean anything, it is actually better to display those errors to users so they know there is something wrong (chances they will contact you and/or come back later), unless of course you have a debug notification system online.

    Peace,
    Testing 1.. Testing 1..2.. Testing 1..2..3...

  8. #8
    Join Date
    Nov 2003
    Posts
    682
    Displaying errors from include() can lead to full path disclosure vulnerabilities; it's better to trap the error and display your own to the user.
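
The approach suggested in posts #5, #6 and #8, as an added example that is not part of the original thread: display_errors stays off, a handler logs the include() failure together with its path, and the visitor sees only a generic message. The helper name `safe_include` and the template path are hypothetical.

```php
<?php
// Added example: keep include() failures out of the page but in the log.
error_reporting(E_ALL);
ini_set('display_errors', '0');   // never echo PHP errors (and server paths) to the browser
ini_set('log_errors', '1');       // send them to the configured error_log instead

// Turn warnings and notices into a log line plus an exception the page can handle.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false;             // respect the error_reporting mask and the @ operator
    }
    error_log(sprintf('PHP error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Hypothetical helper: include a file and report failure without leaking the path.
function safe_include(string $path): bool
{
    try {
        include $path;            // a missing file raises a warning, which the handler converts
        return true;
    } catch (ErrorException $e) {
        return false;             // the full message, with the path, is already in the log
    }
}

// Constructed sample input: this template does not exist.
if (!safe_include(__DIR__ . '/templates/missing-header.php')) {
    http_response_code(500);
    echo 'Sorry, something went wrong. Please try again later.';
}
```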

  9. #9
    Join Date
    Nov 2005
    Location
    USA
    Posts
    874
    Correct. Very critical point. @ should be used with includes, especially if you are including sensitive files.

  10. #10
    In my opinion the bottom line is that you should absolutely not set display_errors to 1 when you are using your script on a production server!

    After that you shouldn't care about the @ signs.

  11. #11
    Join Date
    Nov 2003
    Posts
    682
    I agree, I would just use error_reporting() at the top of my script.

  12. #12
    Join Date
    Mar 2006
    Location
    New York USA
    Posts
    402
    Why not just use Require(/directory/filenamehere/');

    To my understanding as an entry-level self-taught PHP programmer, isn't this more secure than using include() ?

  13. #13
    Join Date
    Nov 2003
    Posts
    682
    The only difference is that include() produces a warning and require() produces a fatal error. Either one can cause a full path disclosure weakness (depending on what error reporting is set to.)

  14. #14
    Join Date
    Mar 2006
    Posts
    965
    Why not just use Require(No apos ?/directory/filenamehere/');
    This line will obviously create an error message. I believe, what you meant to point out, is this line:

    PHP Code:
    define('ROOT_PATH', '.');
    require('ROOT_PATH.'/directory/filenamehere.ext');

  15. #15
    Horizon, for the thousandth time - you're correcting someone's syntax error and you do a few of your own. I congratulate you on constantly shooting your own leg.
    Like Borat says - "I Like!".

  16. #16
    Join Date
    Mar 2006
    Posts
    965
    and you do a few of your own
    Perhaps you could point out the error I made above ? I do not see any.

    Although - I did modify the post above before you posted this useless comment. Perhaps waiting a little while longer, before posting your opinion, would be a great idea since it's possible you intentionally arrived on the precise second right before I intended to modify the code I posted above.

  17. #17
    Join Date
    Nov 2003
    Posts
    682
    Like try out your code and see that it doesn't work...constants don't go inside strings like that.

  18. #18
    Horizon:

    PHP Code:
    define('ROOT_PATH', '.');
    require('ROOT_PATH.'/directory/filenamehere.ext');
    should instead be:

    PHP Code:
    define('ROOT_PATH', '.');
    require(ROOT_PATH.'/directory/filenamehere.ext');
    (no ' before ROOT_PATH or it will create a parse error)

  19. #19
    Join Date
    Mar 2006
    Posts
    965
    My point was to correct a typo for the ' and I created a new one. Very good - thanks for pointing this out.

  20. #20
    Join Date
    Nov 2003
    Posts
    682
    I'm not sure why you'd define a constant like that since it doesn't really do anything in the script. If it's supposed to stop inclusion of files outside the current directory, you should be looking at open_basedir instead.

  21. #21
    Join Date
    Mar 2006
    Posts
    965
    The reason why I added a constant name, is because it's a more opened solution for file protection loadings, from URL, when someone tries to access a specific file directly.

    This way, you can always specify a command like this:

    PHP Code:
    if (!defined('ROOT_PATH')) {
        die('Security violation.');
    }

    Anyway, this is not really the point of this topic but both solutions work great.

  22. #22
    Join Date
    Feb 2003
    Location
    L.A. C.A.
    Posts
    335
    In summary of everyone else's posts:
    An @/At in front of a function basically suppresses the errors that PHP may output.

    As mentioned, it would be a lot easier to use set_error_handler and log the error instead of displaying it than putting @'s around all your functions, as it often causes syntax errors in itself.

    horizon, you are going off-topic and your last post makes no sense security wise.

    JVS_Hosting, you are correct, require is a lot more security wise than include is.

  23. #23
    Join Date
    Mar 2006
    Posts
    965
    and your last post makes no sense security wise.
    And I beg to differ - this is being used on several hundreds of PHP scripts on the net.

  24. #24
    Join Date
    Feb 2003
    Location
    L.A. C.A.
    Posts
    335
    if (!defined('ROOT_PATH')) {
    die ('Security violation.');
    }

    Is being used on several hundred sites?
    What exactly does it do apart from die if ROOT_PATH is not defined?

  25. #25
    Quote Originally Posted by horizon
    My point was to correct a typo for the ' and I created a new one. Very good - thanks for pointing this out.
    Which was exactly what I pointed out, please read before you make comments that only make you look silly for not understanding what's being said.

    PHP Code:
    if (!defined('ROOT_PATH')) {
        die('Security violation.');
    }

    I've seen this method in phpBB's code (note: word is method or technique, not command as we're not in a terminal window, this is about programming practice).

    Security-wise it has no impact. I don't see how you can make your site vulnerable if someone directly accesses a script, unless you didn't design the script that way (for which you should be awarded Darwin's award).

    And if hundreds of scripts are using that, it still doesn't mean that it's something so good that everyone should start using it.

    arkin summarized everything so no point to continue this thread, unless horizon comes up with fixing someone's syntax errors.

  26. #26
    Join Date
    Nov 2003
    Posts
    682
    Quote Originally Posted by horizon
    The reason why I added a constant name, is because it's a more opened solution for file protection loadings, from URL, when someone tries to access a specific file directly.
    It won't stop them from accessing any file, they can just use relative paths to get to /etc/passwd or whatever it is that they're trying to open. open_basedir directive is a better solution for this.
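
An added example (not code from any poster in this thread) of the point in post #26: the defined('ROOT_PATH') guard passes while a relative path still leaves the directory, and open_basedir refuses the same read. The directory layout, file names and the `read_page` helper are constructed for the demonstration.

```php
<?php
// Added example: the defined() guard versus open_basedir, using constructed temp files.
ini_set('display_errors', '0');          // keep the open_basedir warning out of the output

$base    = sys_get_temp_dir() . '/obd_demo_' . getmypid();
$webroot = $base . '/webroot';
mkdir($webroot, 0700, true);
file_put_contents($webroot . '/page.txt', 'public page');
file_put_contents($base . '/secret.txt', 'outside the web root');  // stand-in for a sensitive file

define('ROOT_PATH', $webroot);

// Hypothetical reader that trusts a relative name and relies only on the constant check.
function read_page(string $name)
{
    if (!defined('ROOT_PATH')) {
        die('Security violation.');
    }
    // Returns the file contents, or false when the read is refused or fails.
    return file_get_contents(ROOT_PATH . '/' . $name);
}

// Guard only: ROOT_PATH is defined, so the check passes and ../ resolves
// to the file that sits outside the web root.
var_dump(read_page('../secret.txt'));

// Confine file access to the web root. The trailing separator makes PHP match
// the directory itself rather than any path that merely starts with the same prefix.
ini_set('open_basedir', realpath($webroot) . DIRECTORY_SEPARATOR);

var_dump(read_page('page.txt'));         // still readable: inside the allowed directory
var_dump(read_page('../secret.txt'));    // refused: the resolved path is outside open_basedir
```

In production the directive belongs in php.ini or the per-vhost configuration, so that application code cannot skip it; at runtime it can only be narrowed further.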
