0

I have this php file graph.php 

$host = $_POST['hostname'];
echo $type=$_POST['type_char'];
include('rrdtools.inc.php');
include('graphs/'.$type.'.inc.php');

and I trying to send data to this file using this ajax code 

var type_char='fortigate_cpu';//$('#graph').val();
var hostname='10.10.0.144';//$(this).attr('id');
//$('#device_host').val(id);

$.ajax({
    type: 'POST',
    url: 'SNMP/graph.php',
    data: { hostname:hostname,type_char:type_char },
    success: function(data) {
        alert(data);
        // show the response
        $("#grph").attr("src", 'SNMP/graph.php');
        console.log(data);
    }
});

the result when I send data to that file is

fortigate_cpu as a value of type_char variable when I opened error.log file in apache logs I have this message

include(): Failed opening 'graphs/.inc.php' for inclusion (include_path='.:/usr/share/php')

as you see the value of fortigate not included in include function even if the char_type variable is send by ajax and printed in page include file must be as this 

include( 'graphs/fortigate_cpu.inc.php')

why type not included in the include session even if the variable is received from ajax

Improve this question
8
  • 1. how this ajax get fired? 2. Are it's hitting the correct URL SNMP/graph.php?3. Did you checked you browser console that no error is there like URL NOT FOUND ?4. try to print POST data first on the php page to see data coming or not? Commented Sep 10, 2018 at 8:01
  • the url is right and as u see I can print the result of ajax variable $type but when I trying to include file ('graphs/'.$type.'inc.php') the result in log file is can not find file(graphs/inc.php) even if the result of echo $type; is 'fortigate _cpu' ie the value can be received by php from ajaax Commented Sep 10, 2018 at 8:06
  • so maybe in the include('rrdtools.inc.php'); the variable is set to null ? Commented Sep 10, 2018 at 8:07
  • 2
    doing something like this is not a good idea from a security point of view. You're potentially allowing an attacker to execute arbitrary code. By all means you could use the input variables to help decide which code gets executed, but I really wouldn't let it directly specify the name of the file to use. It's asking for trouble IMO Commented Sep 10, 2018 at 8:13
  • 2
    Regarding the issue, your code looks like it should work. So I'd say either a) the postback is not actually being caused by ajax (e.g. maybe a form submit to the same script happens at the same time - we don't know how you trigger your ajax), or b) The $type variable conflicts with another global variable of the same name in rrdtools.inc.php and is being set to empty again within that script. Again we can't see it. But looking at the code those are the only two things I can think of which look like it could cause it. Commented Sep 10, 2018 at 8:16

1 Answer 1

Reset to default
1

As was mentioned by other users in the comments, maybe your issue is that you are setting type to a different value after including rrdtools.inc.php .

Try randomizing ( changing the name), of the type variable:

$host = $_POST['hostname'];
echo $type123456=$_POST['type_char'];
include('rrdtools.inc.php');
include('graphs/'.$type123456.'.inc.php');

It's the only thing I can think of, since both I (and others) have tested your code. (both front-end and back-end).

PS: Include using post param is a bad practice.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.