Posted by dorayme on 06/17/07 22:39
In article <Xns99525C554B928arbpenyahoocom@69.28.186.121>,
Adrienne Boswell <arbpen@yahoo.com> wrote:
> Gazing into my crystal ball I observed dorayme
> <doraymeRidThis@optusnet.com.au> writing in news:doraymeRidThis-
> 33C704.19215517062007@news-vip.optusnet.com.au:
>
> > For many web sites hosted on Unix servers I use (happily) a
> > construction like this for includes:
> >
> > <?php include ($_SERVER['DOCUMENT_ROOT'].'/includes/footer.inc');
> > ?>
> >
> > But this does not work on Windows servers. Does anyone know a
> > likely other candidate expression that will tell the server to go
> > to the level at which I have the site index file and look inside
> > a folder called 'includes'? No matter where it appears deep
> > inside the website directories?
> >
> > It sort of spoils the point to be tailoring each path to where
> > the html file happens to be with "../"s (which, of course,
> > "works").
> >
> > I know, I have wondered about this before and never really got
> > anywhere. Seem unable to have used any previous remarks to
> > advantage or have now forgotten them.
> >
>
> It's a security issue, designed to keep attackers from getting to
> sensitive files on the file system. In IIS6, parent paths are disabled by
> default. The only way to get past it is to get the server admin to
> change it.

In fact, although it is a bit of a bore, I have started putting
in the actual paths to the includes into each file on sites I
have on Windows Servers, it is still worth it. At least then, if
I change the includes file, it all happens.

But I am curious. Is there a worrying security issue with the
"global" method of doing what I do on Unix servers? i.e.:

<?php include ($_SERVER['DOCUMENT_ROOT'].'/includes/footer.inc');
?>
?

The includes folder is just at the level of the main home page
file (index.html ... this is usually the public_html level,
yes?), no higher or more unreachable.

And supposing I did ask the Windows server people to enable me to
globally specify a folder at the public_html level, I am curious:
what expression would I then use to specify the path, the same as
with the Unix server expression above or something rather
different?

--
dorayme
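
Added example, not part of the original post or the quoted reply: one way to find the site root when the server does not populate `$_SERVER['DOCUMENT_ROOT']`, and to keep an include confined to the `includes` folder so a parent path cannot reach other files. The function names `site_root` and `site_include_path` are hypothetical, the demo tree and server array are constructed, and it assumes the server sets `SCRIPT_FILENAME` and `SCRIPT_NAME`.

```php
<?php
// Added example (not from the original post). Resolves the site root even when
// the server leaves DOCUMENT_ROOT unset, then confines includes to /includes.

function site_root(array $server): string
{
    if (!empty($server['DOCUMENT_ROOT'])) {
        $root = $server['DOCUMENT_ROOT'];            // the server supplies it
    } elseif (!empty($server['SCRIPT_FILENAME']) && !empty($server['SCRIPT_NAME'])) {
        // Fallback: file system path of the script minus its URL path.
        $file = str_replace('\\', '/', $server['SCRIPT_FILENAME']);
        $url  = $server['SCRIPT_NAME'];
        if (strcasecmp(substr($file, -strlen($url)), $url) !== 0) {
            throw new RuntimeException('cannot derive site root');
        }
        $root = substr($file, 0, -strlen($url));
    } else {
        throw new RuntimeException('no usable server variables');
    }
    return rtrim(str_replace('\\', '/', $root), '/');
}

function site_include_path(string $root, string $name): string
{
    $dir  = realpath($root . '/includes');
    $path = realpath($root . '/includes/' . $name);   // resolves any "../"
    if ($dir === false || $path === false
        || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        throw new RuntimeException("refusing to include: $name");
    }
    return $path;
}

// Constructed demo: a throwaway site tree and a $_SERVER-like array that
// lacks DOCUMENT_ROOT, as assumed for the Windows host in the post.
$site = sys_get_temp_dir() . '/site_' . getmypid();
mkdir("$site/includes", 0700, true);
mkdir("$site/deep/er", 0700, true);
file_put_contents("$site/includes/footer.inc", "<p>footer</p>\n");
file_put_contents("$site/secret.txt", "not for inclusion\n");
$server = ['SCRIPT_FILENAME' => "$site/deep/er/page.php",
           'SCRIPT_NAME'     => '/deep/er/page.php'];

$root = site_root($server);
include site_include_path($root, 'footer.inc');       // works from any depth
try {
    site_include_path($root, '../secret.txt');         // parent path is rejected
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```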