Not unless I'm missing something. I just feel a little nervous about admin functions being available to anyone through a carefully written URL, even a hidden one.

Take a look at "Example 16-7. include() through HTTP"

There isn't a way around that

What we really need is for someone to shed some light on why pages aren't being found with URL variables. Perhaps it's a common mistake on our part.

Like you, I found that if I try to include extern.php with a relative path (ie: include"/forums/extern.php?action=news") it always failed. If I took off the query part (everything after the ?) it would pull the file but obviously show no results. If I use the absolute path (include"http://www.mysite.com/boards/extern.php etc.") then all is good... except that the global $pun_user info. isn't available to extern.php and neither is the cookie info. I wanted to be able to use that info. to conditionally display info. via extern.php -- like only showing the number of times a certain post has been viewed to admins and staff, not all visitors.

So, here's what I ended up doing:

In the calling page, for example index.php, I added the following lines to turn the $pun_user array into two strings, one with the names of each variable (like username, group_id) and one with the associated values (like joeblow, 2):
$keys=array_keys($pun_user);
$keys=implode(",",$keys);
$pun_user = implode(",",$pun_user);
$append = "&keys=".$keys."&pun_user=".$pun_user;

Then I pass that info. to extern.php by tagging $append onto the include like so:
include "http://www.mysite.com/forums/extern.php … amp;fid=14".$append;

Then I added some lines in extern.php to convert that info. back into the $pun_user array so that I can access them just like anywhere else.

$a="";
$b="";
$values="";
if(isset($_GET['keys'])) $a = $_GET['keys'];
if(isset($_GET['pun_user'])) $b = $_GET['pun_user'];
$a = explode (",",$a);
$b = explode (",",$b);
$num_var=count($b);
$c=array_chunk($a, $num_var);
$a=$c['0'];
$keys=array_values($a);
$values=array_values($b);
$pun_user = array();
for ($i = 0; $i < $num_var; $i++) {
$pun_user[$keys[$i]] = $values[$i]; }

What I'm doing here is first setting the variables we're going to use and checking to see if we have passed the $append info. (you might have instances of extern.php where you don't need that info. and this will prevent you from getting errors because extern.php is expecting $append).
$a="";
$b="";
$values="";
if(isset($_GET['keys'])) $a = $_GET['keys'];
if(isset($_GET['pun_user'])) $b = $_GET['pun_user'];

If $keys and $pun_user are set, I then turn them back into arrays via the explode() function.
$a = explode (",",$a);
$b = explode (",",$b);

Unless all of your users have filled out every possible field of user info. you're always going to end up with more field keys than field info -- as in, I didn't put in any IM or ICQ info. so those field names will be in the $keys array but will have no corresponding value in the $pun_user array. So I count the array that has your user values ($b) and then use the array_chunk() function to cut the $keys array to the same size:
$num_var=count($b);
$c=array_chunk($a, $num_var);
$a=$c['0'];

Finally, I'm using PHP4 so I don't have the array_combine() function available so the next lines were my workaround. Basically I just do a loop to add values to the array $pun_user.
$keys=array_values($a);
$values=array_values($b);
$pun_user = array();
for ($i = 0; $i < $num_var; $i++) {
$pun_user[$keys[$i]] = $values[$i]; }

There you go. Probably not the most elegant way to handle this and I don't know if there are any security implications (you are passing all of this info. via a $_GET), but it's working for me. After that access any of the $pun_user variables within extern.php just like you use them elsewhere.

I'm currently working on building a website off of PunBB 1.2.10. However, because relative paths across the /forum folder and others don't seem to want to cooperate on including pages with variables being passed through the URL ("include 'rightbar.php';" works fine, "include 'rightbar.php?pg=index';" does not, but get this: "include 'http://www.domain.com/rightbar.php?pg=index';" does the trick), I've given up and begun to use absolute paths (starting from "http://"). The problem here is that this method of includes seems to break cookie reading. Directly reading the pages will produce the right information, but including them from another page using a full URL will make me appear as a guest.

Is there anything I can do to read cookies from pages with absolute URLs, or will I be forced to stop using URL variables in included pages altogether?

P.S. I've tried the "base" header tag, but it didn't fix the problem.