
What is the difference between include_path and open_basedir in PHP? My php.ini looks like this:

include_path = ".:/usr/share/php:/usr/share/pear:/var/www"

If, for example, I try using include('../../etc/passwd'); the file is included. On the other hand, when I modify my php.ini like this, the output is empty:

open_basedir = /var/www

Why is this? I thought that using include_path would restrict file access to the directories listed there?

Bruno Rohée
Jason

1 Answer

The include_path directive is a list of directories to look for included files first, similar to bash's $PATH environmental variable.

So an absolute file name/path like this:

include_once('/var/www/domain.com/htdocs/includes/header.php');
include_once('/var/www/domain.com/htdocs/includes/footer.php');

Can be replaced with a relative filename like this:

set_include_path('/var/www/domain.com/htdocs/includes:.');
include_once('header.php');
include_once('footer.php');

This is at least how I understand it. It has nothing to do with security and restricting directories; it is to create a custom search path for common includes.

open_basedir is what you are looking for; it limits the reading of files to the directories specified. Based on your question, it looks as though it is operating as designed.

David Houde
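
The behaviour described in the answer above, as an added example that is not part of the original posts: the same three include targets are tried with only include_path set, then again after open_basedir is set. The sandbox directories, file names and the try_include/report helpers are constructed for illustration, and the script assumes it runs from the PHP CLI with no open_basedir already configured.

```php
<?php
// Added example. Constructed sandbox: "allowed" plays the role of /var/www,
// "outside" the role of a directory that should be off limits.
$base    = realpath(sys_get_temp_dir()) . '/basedir_demo_' . getmypid();
$allowed = "$base/allowed";
$outside = "$base/outside";
mkdir($allowed, 0700, true);
mkdir($outside, 0700, true);
file_put_contents("$allowed/header.php", "<?php return 'header';");
file_put_contents("$outside/secret.php", "<?php return 'secret';");

// Hypothetical helper: include a file and report whether PHP opened it.
function try_include(string $path): string
{
    $result = @include $path;   // include yields false (plus a warning) on failure
    return $result === false ? 'blocked' : "loaded '$result'";
}

// Hypothetical helper: run every target and print one line per result.
function report(string $title, array $targets): void
{
    echo $title, "\n";
    foreach ($targets as $label => $path) {
        printf("  %-28s %s\n", $label, try_include($path));
    }
}

$targets = [
    'relative name'         => 'header.php',                     // found via include_path
    'absolute, outside'     => "$outside/secret.php",            // include_path is not consulted
    'traversal out of tree' => "$allowed/../outside/secret.php", // resolves to the outside file
];

// include_path is only a search list for relative names.
set_include_path($allowed);
report('include_path only:', $targets);

// open_basedir is the access restriction; it is checked against the resolved path.
ini_set('open_basedir', $allowed);
report('include_path + open_basedir:', $targets);
```

The sandbox files are left under the system temp directory, because open_basedir can only be tightened at runtime and the script can no longer touch the outside directory once it is set.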