FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » php includes and ajax
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: php includes and ajax [message #173091 is a reply to message #173087] Sun, 20 March 2011 23:54 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 3/20/2011 6:16 PM, John D'Orazio wrote:
> I've been experimenting with ajax functionality in the past few months, but I'm having different results on different web hosts...
>
> My biggest difficulty has to do with the path for php file includes. Here's my situation:
>
> My CMS defines some functions for checking user permissions in a file called "functions.php" in this path: "/include".
>
> Before enabling certain functionalities on the javascript side (such as administrative buttons in a jquery-ui dialog) I want to check if the user has administrative privileges. So I create a php file for this check, for example I want to check if the user is a news administrator so I name the file "newsadmin.php" and put it in the "/themes/glorioso/ajax" folder.
> "/themes/glorioso/ajax/newsadmin.php" does an include of "/include/functions.php", then calls the function that checks whether the current user has news administration privileges; if this returns true I echo out "isnewsadmin", otherwise "isnotnewsadmin".
>
> From my javascript I make an ajax call to "newsadmin.php", if the returned value is "isnewsadmin" I add administrative buttons, otherwise I don't.
>
> My javascript file is in "/themes/glorioso/javascripts/glorioso.js".
> When I'm working on a website on the aruba shared hosting (http://www.aruba.it/) I can only get my include to work like this:
> <?php
> require_once($_SERVER["DOCUMENT_ROOT"]."/include/functions.php");
> if (is_news_admin()) { echo "isnewsadmin"; }
> else { echo "isnotnewsadmin"; }
> ?>
>
> This doesn't work on an altervista shared hosting (http://it.altervista.org/). The only way I can get it to work an altervista shared hosting is by changing directories:
>
> <?php
> chdir("..");
> chdir("..");
> chdir("..");
> require_once("include/flatnux.php");
> if (is_news_admin()) { echo "isnewsadmin"; }
> else { echo "isnotnewsadmin"; }
> ?>
>
> Since I'm trying to write a theme for the Flatnux CMS that anyone else can use, I'd like a "universal solution" that can work for anyone on any webserver.
> I suppose I could do a check for file existence before the include:
> <?php
> if(file_exists($_SERVER["DOCUMENT_ROOT"]."/include/functions.php")){
> require_once($_SERVER["DOCUMENT_ROOT"]."/include/flatnux.php");
> }
> else {
> chdir("..");
> chdir("..");
> chdir("..");
> require_once("include/functions.php");
> }
> if(is_news_admin()){
> echo "isnewsadmin";
> }
> else{
> echo "isnotnewsadmin";
> }
> ?>
>
> I'd like to understand better the principles behind this stuff though, if there is a standard way of doing the file includes that'll work on every server in ajax calls...

First of all, NEVER trust something client side. It would be very easy,
for me to change your code to always believe the user is an administrator.

Next, javascript is client-side. PHP is server-side (almost always,
anyway). But javascript on the client cannot include the source code of
a PHP file on the server side. All it can do is get the output of the
PHP script.

The way to do it is to always do any security checks (and input
validation) on the server. Client-side (javascript) can perform some
checks, but they must ALWAYS be backed up by server-side
verification/validation.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: PHP Developers needed
Next Topic: Cannot send emails
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Tue Nov 26 04:44:11 GMT 2024

Total time taken to generate the page: 0.03902 seconds