Posted by Andy Dingley on 12/05/06 16:42
Toby Inkster wrote:
> Andy Dingley wrote:
>
> > Can't use server-side stuff or SSI if it's on a different server.
>
> Can!
>
> include("http://www.google.com/");
> works nicely in PHP.
For unusably small values of "nicely".
This technique is crap, don't ever use it on a live site. It's
symptomatic of PHP's worst feature, the attitude that if it can be
bodged on, it ought to be. Then the horde of clueless script kiddies
that represent the majority of PHP developers see the feature and use
it blindly.
Firstly, there's the rights issue (big deal).
Secondly, most of the things served by HTTP URLs are HTML pages -- i.e.
whole pages, with <head> etc, not just the small fragment you want to
embed.
Thirdly it's unreliable. What happens if the source server for this
include is down (or just slow)? The whole page dies, because there's no
caching mechanism.
Fourthly it's as slow as a dog because it involves extra round tripping
between servers.
Most importantly though, it's as unsafe and insecure as a Macclesfield
knocking shop with a MySpace website. PHP doesn't include HTML by this
route, it includes _PHP_scripts_. That's right - slurp up a random
fragment of PHP from feck knows where, then go and execute the damned
thing! Maybe you expect to just be pulling in some plain old HTML by
this route, but if someone sticks nasty-intentioned PHP into there,
you're already bending right over, lubed and ready.
_REALLY_ don't ever even think about using this total abomination. It's
crap like this that is the reason I won't give PHP house room.
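Added example, not part of the original post or of either poster's code: one way to pull a remote fragment in as inert data rather than through include(), covering the whole-page, outage and code-execution objections raised above. The function names, cache path and URL are hypothetical; it assumes PHP 7+ with allow_url_fopen enabled and allow_url_include left off.

```php
<?php
// Added example: fetch a remote fragment as data, never as code.
// fetch_fragment(), extract_body(), the cache path and the URL are hypothetical.

function fetch_fragment(string $url, string $cacheFile, int $ttl = 300): string
{
    // Serve a fresh cached copy without touching the network at all.
    if (is_file($cacheFile) && time() - filemtime($cacheFile) < $ttl) {
        return file_get_contents($cacheFile);
    }

    // Short timeout and no redirects, so a slow or dead source server
    // cannot hang the page that embeds the fragment.
    $ctx = stream_context_create(['http' => ['timeout' => 2, 'follow_location' => 0]]);
    $raw = @file_get_contents($url, false, $ctx);

    if ($raw === false) {
        // Source is down: fall back to a stale copy, or to an empty string.
        return is_file($cacheFile) ? file_get_contents($cacheFile) : '';
    }

    $fragment = extract_body($raw);
    file_put_contents($cacheFile, $fragment, LOCK_EX);
    return $fragment;
}

function extract_body(string $html): string
{
    // The remote URL returns a whole page; keep only what is inside <body>.
    if (preg_match('~<body[^>]*>(.*)</body>~is', $html, $m)) {
        $html = $m[1];
    }
    // Drop all tags; whatever is left is treated as plain text from here on.
    return trim(strip_tags($html));
}

// file_get_contents() returns bytes and the PHP parser never sees them, so any
// PHP source in the response stays text. Escaping on output keeps it inert in
// the visitor's browser as well.
$text = fetch_fragment('https://example.com/fragment.html',
                       sys_get_temp_dir() . '/fragment.cache');
echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
```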