
NOTE:
This question is NOT about using short tags in PHP. The issue is not the short tags themselves but the way that include functions seem to ignore the disabled status of short tags on this Plesk server.

I have a new site to take care of and fix up. The site was built by another, and was built many years ago using non-best practice. The site has recently been moved to a Plesk Server.

I am unfamiliar with Plesk and so have been learning its routines.

My issue is:

A core setting on the Plesk PHP setup is that short tags ( <? ... ?>) are disabled. The site I’m working on makes extensive use of short tags (as well as full <?php tags).

The issue is that, for the code within the short tags, the PHP include function still executes and loads, and its contents are still output to the browser source HTML, but anything else in the short tags does not execute.

WHY does this happen?

  • Is this a Plesk issue?
  • Is this a bug with include?

Server Settings:

  • Plesk Onyx (I can’t find a version number)
  • PHP 5.6.31 (handler: FPM application)
  • PHP ini (loaded from the site directly): short_open_tag: Off
  • Included PHP files use both full tags and short tags with the same outcome.

The code I have:

The HTML Page (index.php, various pages):

<?
session_start();
include "inc/dbi.php";
if(isset($_REQUEST['id'])){
    $id = substr($_REQUEST['id'],0,6);
}
else{
    header("Location: index.php?msg=No image specified");
    exit;
    }
$qry        = mysqli_query($MySQlink,"...");
$row        = mysqli_fetch_array($qry);
$docwidth   = floor($row['width']*4.26);
$docwidth  /= 100;
$docheight  = floor($row['height']*04.26);
$docheight /= 100;
$descr      = nl2br($descr);
?>
<!DOCTYPE HTML>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
...
...

The inc/dbi.php page:

<?php
$user     = "some_user";
$pass     = "some_pass";
$db       = "some_db";
$MySQlink = mysqli_connect( "localhost" , $user, $pass, $db );
if ( ! $MySQlink )  {   mysqli_close($MySQlink);    }
$now      = date('Y-m-d H:i:s');    
$today    = date('Y-m-d '); 

What I expect to see in source code of HTML file:

<?
session_start();
include "inc/dbi.php";
if(isset($_REQUEST['id'])){
    $id = substr($_REQUEST['id'],0,6);
}
else{
    header("Location: index.php?msg=No image specified");
    exit;
    }
$qry        = mysqli_query($MySQlink,"...");
$row        = mysqli_fetch_array($qry);
$docwidth   = floor($row['width']*4.26);
$docwidth  /= 100;
$docheight  = floor($row['height']*04.26);
$docheight /= 100;
$descr      = nl2br($descr);
?>
<!DOCTYPE HTML>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">

What I actually see:

<?
session_start();
$user     = "some_user";
$pass     = "some_pass";
$db       = "some_db";
$MySQlink = mysqli_connect( "localhost" , $user, $pass, $db );
if ( ! $MySQlink )  {   mysqli_close($MySQlink);    }
$now      = date('Y-m-d H:i:s');    
$today    = date('Y-m-d '); 

if(isset($_REQUEST['id'])){
    $id = substr($_REQUEST['id'],0,6);
}
else{
    header("Location: index.php?msg=No image specified");
    exit;
    }
$qry        = mysqli_query($MySQlink,"...");
$row        = mysqli_fetch_array($qry);
$docwidth   = floor($row['width']*4.26);
$docwidth  /= 100;
$docheight  = floor($row['height']*04.26);
$docheight /= 100;
$descr      = nl2br($descr);
?>
<!DOCTYPE HTML>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">

Please note:

I am well aware of the shortcomings of the above code, but it’s not my work and it is my job to fix these shortcomings and make it [much] better.

But, I am confused by the behaviour of the include function, and have already read various PHP bug reports as well as reading up the manual for include and PHP.ini short tags, none of which mention this issue.


My chief concern is that for some period of time Database connection details were output to the HTML (and have since been changed, obviously).

2 Answers


  1. Chosen as BEST ANSWER

    Plesk help were, er, unhelpful and the responder didn't have an immediate answer to my issue.

    Overall they seemed cagey and unwilling to detail their PHP processing process. They simply said that they run all PHP scripts through their standard Plesk security extensions.

    This didn't tell me a whole lot but the Plesk responder did offer to re-enable short tags on the account (I do not have admin privileges on the account and only have an entry or reseller level access on the account so can't edit the core account php.ini myself).

    Re-enabling short tags obviously solves the concern of outputting PHP details to the browser.

    I assume that there is something Plesk is doing similar to as described by axiac so am marking his/her answer as correct; although it doesn't solve the issue in this case, it does (most probably) seem to identify it.


  2. The included files are not read in the compilation phase but during runtime.

    Since your PHP interpreter doesn’t interpret the code in short tags and dumps it directly to the browser, it is not guilty of replacing the include statements with the content of the included files.
    There is no php.ini setting that could persuade it to behave like this.

    I can imagine other causes:

    • a PHP extension that replaces the include/require statements with the content of the included files;
    • a pre-processing script that does the same and/or combines multiple PHP files into a single one (Symfony does something similar);

    The purpose of such processing is to optimize the script by minimizing its disk access.

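An added example, not part of the original question or answers and not Plesk's or PHP's own tooling: a small Python audit that lists every bare `<?` open tag in a code tree, since those blocks are sent to the browser as plain text when short_open_tag is Off. The function names, the suffix list and the sample strings (modelled on the question's two files) are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# "<?" NOT followed by "php" or "=". "<?=" is exempt because, since PHP 5.4,
# it is parsed regardless of short_open_tag. "<?xml" is exempt: it is not PHP.
SHORT_TAG = re.compile(r"<\?(?!php\b|=|xml\b)", re.IGNORECASE)


def find_short_tags(source):
    """Return 1-based line numbers that hold a bare short open tag."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if SHORT_TAG.search(line)]


def scan_tree(root, suffixes=(".php", ".inc", ".phtml")):
    """Map each file under root that has bare short tags to its line numbers."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            lines = find_short_tags(path.read_text(errors="replace"))
            if lines:
                hits[str(path)] = lines
    return hits


# Constructed samples modelled on the question's index.php and inc/dbi.php.
SAMPLE_INDEX = '<?\nsession_start();\ninclude "inc/dbi.php";\n?>\n<p><?= $id ?></p>\n'
SAMPLE_DBI = '<?php\n$user = "some_user";\n'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python audit.py /path/to/docroot  (exit status 1 if any hit)
        results = scan_tree(sys.argv[1])
        for name, lines in results.items():
            print(f"{name}: short open tag on line(s) {lines}")
        sys.exit(1 if results else 0)
    print("index.php sample:", find_short_tags(SAMPLE_INDEX))
    print("dbi.php sample:", find_short_tags(SAMPLE_DBI))
```

The match is line-based and does not tokenize PHP, so a `<?` inside a string literal or comment is also reported and needs a manual look.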