
PHP Include?


Guest ace5p1d0r


Guest efolia

Here's how to go around some of the "file inclusion" limitations of CubeCart.

But first ... a little background on this subject. As you already know, you cannot use an SSI "include" in CubeCart because of the security limitations of Apache and other servers: you'd have to call the SSI from within a secure .SHTM file, which is not how CubeCart works.

Furthermore, you cannot embed the php "file include" command, or any other php code for that matter, in a template (.tpl) file either: that again is due to a security problem. All the PHP code is virtually stripped out of your template files. However, you can make calls to included PHP modules and pass it a filename as a variable: indeed, this is what the CubeCart code does every time it calls index.php?act=(some_function)&(some_variable).

Here's how you proceed to include an external .txt file in a document. Note that this is a simplified (working) version of the code, since it assumes that all you need to fetch is the file content itself, and that everything else in your box will be hardcoded in the template (.tpl) file. But if you really need the code to fetch a more complex datatype, I leave it to you to figure it out, since all you need to understand IS how the parsing function works.

First you need to modify index.php and add a new handler. This is done by adding a new "case" in the "switch" that interprets the calls. I named mine viewAnyDoc. The added code is within the bounds of the commented out BEGIN/END statements, everything else stays the same.

	// START  MAIN CONTENT
	if(isset($_GET['act'])){

		switch (treatGet($_GET['act'])) {

/* BEGIN MOD inserts a file  viewAnyDoc */
			case "viewAnyDoc":
				include("includes/content/viewAnyDoc.inc.php");
				$body->assign("PAGE_CONTENT",$page_content);
			break;
/* END MOD viewAnyDoc*/




Now that allows your page to call viewAnyDoc from anywhere. Obviously, it needs to be associated with an included PHP function, which resides in the \includes folder. So you just create a new php include file named (in this example) viewAnyDoc.inc.php. Here's the code for it: 




<?php
if (ereg(".inc.php",$HTTP_SERVER_VARS['PHP_SELF'])) {
	echo "<html>\r\n<head>\r\n<title>Forbidden 403</title>\r\n</head>\r\n<body><h3>Forbidden 403</h3>\r\nThe document you are requesting is forbidden.\r\n</body>\r\n</html>";
	exit;
}

$_GET['filename'] = treatGet($_GET['filename']);
/* copy the treated parameter into $filename, which the rest of this file uses */
$filename = $_GET['filename'];
/* opens the file (filename, as passed by the parameter) and reads the content into $filecontent; replace with the following commented out line to handle a fixed file name. */
/* $filename = "myfile.txt"; */
/* this circumvents the treatGet function but could open a door for an XSS attack */
$filename=str_replace("\\\\","\\",$filename);
$fp=fopen($filename, "r");
$filecontent = fread($fp, filesize($filename));
$doc_content = $filecontent;

if(!isset($doc_content) || $doc_content==FALSE) {$doc_content="no content";};
$view_doc=new XTemplate ("skins/".$config['skinDir']."/styleTemplates/content/viewAnyDoc.tpl");
if(isset($doc_content) && $doc_content == TRUE){
	$view_doc->assign("DOC_CONTENT",$doc_content);}
else {
	$view_doc->assign("DOC_CONTENT",$lang['front']['viewAnyDoc']['does_not_exist']);}

$view_doc->parse("view_doc");
$page_content = $view_doc->text("view_doc");
?>




What this code does is fetch the file you want, load it in a template and return the block of HTML that is needed as {DOC_CONTENT}. I left the option open for hardcoding the filename... more on this later. Of course, you will need a template to tell CubeCart how to display that block inside the page. The new template will reside in your skin's StyleTemplates folder and will be named, in this case, viewAnyDoc.tpl. The simplest of such templates looks something like this:




<!-- BEGIN: view_doc -->
<div class="boxContent">
<span class="txtContentTitle">Hello World! This is my included file.</span>
<br />
{DOC_CONTENT}
</div>
<!-- END: view_doc -->




Now you can include a file from anywhere by making the following call:


index.php?act=viewAnyDoc&filename=myfile.txt

usually from inside an href anchor.

Finally, one little note about the inc.php code: if you are not hardcoding the file name into the inc.php code, you'll have to go around the treatGet() function, which doubles up the backslashes when it initially grabs the filename. Since you're likely to keep that fetched file inside a path, you need to turn those double \ into singles. That's what the code example here does, leaving the hardcoded file name as a commented out option. Be careful, as this could possibly open up a security hole in your cart (though in this limited-scope implementation, I don't think it would :w00t: ... it would have to be verified).

So there you go. It's really a small and unintrusive MOD that changes little to the original code, but it can go a long way into making your cart more flexible indeed. No need for extensive PHP hacks or Javascript. Have fun.

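A hardened take on the file lookup in viewAnyDoc.inc.php, added here as an example (it is not part of efolia's post and not CubeCart code): it confines the `filename` parameter to a single documents directory and HTML-escapes the text before it reaches {DOC_CONTENT}. The function names and the demo directory are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not CubeCart code. resolve_doc(), load_doc() and the demo
// directory are hypothetical names; sample inputs below are constructed.

/** Map a requested name to a real file inside $baseDir, or return null. */
function resolve_doc(string $requested, string $baseDir): ?string
{
    // Allowlist: a bare .txt name only. This rejects slashes, backslashes,
    // "..", NUL bytes and URL-style prefixes that fopen() would otherwise honor.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;                       // directory or file missing
    }
    // realpath() follows symlinks, so re-check that the target is under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** Read the document and HTML-escape it for use as {DOC_CONTENT}. */
function load_doc(string $requested, string $baseDir): ?string
{
    $path = resolve_doc($requested, $baseDir);
    $raw  = $path === null ? false : file_get_contents($path);
    if ($raw === false) {
        return null;
    }
    return nl2br(htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'));
}

// Constructed demo: a temporary documents directory holding one file.
$docs = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'viewanydoc_demo';
if (!is_dir($docs)) {
    mkdir($docs, 0700);
}
file_put_contents($docs . DIRECTORY_SEPARATOR . 'myfile.txt', "Hello <b>world</b>\n");

$samples = ['myfile.txt', '../index.php', 'sub\\myfile.txt',
            'http://example.test/x.txt', 'missing.txt'];
foreach ($samples as $name) {
    $html = load_doc($name, $docs);
    printf("%-26s => %s\n", $name, $html === null ? 'rejected' : trim($html));
}
```

In the mod, assigning the result of `load_doc($_GET['filename'], ...)` to `$doc_content` would stand in for the fopen()/fread() lines; a null result then falls into the existing "no content" branch.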

Guest ace5p1d0r

Thanks efolia.

Right. This is what I have got. In index.php in the root directory I have placed:

/* BEGIN MOD inserts a file  viewAnyDoc */
			case "viewAnyDoc":
				include("includes/content/viewAnyDoc.inc.php");
				$body->assign("PAGE_CONTENT",$page_content);
			break;
/* END MOD viewAnyDoc*/


under the start of the main content. That's fine.



I also now have in 'includes/content/viewAnyDo.inc.php' this:


<?php
if (ereg(".inc.php",$HTTP_SERVER_VARS['PHP_SELF'])) {
	echo "<html>\r\n<head>\r\n<title>Forbidden 403</title>\r\n</head>\r\n<body><h3>Forbidden 403</h3>\r\nThe document you are requesting is forbidden.\r\n</body>\r\n</html>";
	exit;
}

$_GET['filename'] = treatGet($_GET['filename']);
/* copy the treated parameter into $filename, which the rest of this file uses */
$filename = $_GET['filename'];
/* opens the file (filename, as passed by the parameter) and reads the content into $filecontent; replace with the following commented out line to handle a fixed file name. */
/* $filename = "myfile.txt"; */
/* this circumvents the treatGet function but could open a door for an XSS attack */
$filename=str_replace("\\\\","\\",$filename);
$fp=fopen($filename, "r");
$filecontent = fread($fp, filesize($filename));
$doc_content = $filecontent;

if(!isset($doc_content) || $doc_content==FALSE) {$doc_content="no content";};
$view_doc=new XTemplate ("skins/".$config['skinDir']."/styleTemplates/content/viewAnyDoc.tpl");
if(isset($doc_content) && $doc_content == TRUE){
	$view_doc->assign("DOC_CONTENT",$doc_content);}
else {
	$view_doc->assign("DOC_CONTENT",$lang['front']['viewAnyDoc']['does_not_exist']);}

$view_doc->parse("view_doc");
$page_content = $view_doc->text("view_doc");
?>




Now in skins/Lengend/styleTemplates/content/viewAnyDoc.tpl I have:


<!-- BEGIN: view_doc -->
<div class="boxContent">
<span class="txtContentTitle">This is a test...</span>
<br />
{DOC_CONTENT}
</div>
<!-- END: view_doc -->

Right, that's great.

But, my questions:

- Where do I say where my .txt file is?

- How can I tell it to place it in .tpl?

- How can I do multiple .txt files?

Thanks again.


Guest EverythingWeb

shandaman: You have been warned privately before about self-promoting and advertising. This is a public warning and I hope you understand what you are being told.

Your Warn Level has been increased & I do NOT expect to see you breaking the Forum Rules again. Period.

ANY form of advertising is to be done OUT of the Public Arena, or at CubeCart.org. I do not think the rules can be any clearer.


  • 2 weeks later...
Guest efolia

But, my questions:

- Where do I say where my .txt file is?

The name of your txt file (or html, or any other kind of file for that matter) is either hardcoded

$filename = "myfile.txt";

or passed as a parameter. $filename will be global once set (you can use any variable name you want, as long as it does not collide with cubecart's variables), so you can set it wherever you want in your code. You can also pass it as a parameter, as explained.

- How can I tell it to place it in .tpl?

The .tpl is ViewAnyDoc. The text you want to include is in $doc_content. The variable used in the template is {DOC_CONTENT}.

- How can I do multiple .txt files?

Repeat the code in the inc.php file to handle multiple such inclusions. However, you should know beforehand how many files you want to include because templates are not dynamic by themselves. If you don't know how many files you want to include, then merge them before including them.
