Brackets across includes

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Hello all,

I am trying to create a user authentication system, and I would like to
separate the authentication code into include files. As I see it, the
basic flow would go something like this:

if (not authentic) {
display login
} else {
display content

I would like to separate this code so that the login bit is in an
included file. I imagined the breakup like this:

file: [auth_head.php]
if (not authentic) {
display login
} else {

file: [auth_foot.php]

So in each file which requires authentication, I can simply include the
first bit in the head, the second bit at the bottom, and put the
content in the middle. Makes sense, right?

Unfortunately, it seems that you cannot continue a { bracket }
statement across includes in this manner, as php errors. (It wants you
to wrap up your brackets before the end of the file.)

Does anyone know of a solution to this problem, or perhaps a

Thanks very much, in advance.

-- Whit Nelson

Re: Brackets across includes wrote:
Quoted text here. Click to load it

In cases users not logged in may not see the whole page, I just:

if(not authentic){
    header('HTTP/1.0 401 Unauthorized');
    /* or alternatively you could redirect to the/a login page :
    header('Location: '); */
//rest of code, which will not be displayed or run. No need for brackets

Rik Wasmus

Re: Brackets across includes

*** escribió/wrote (24 Aug 2006 11:29:57 -0700):
Quoted text here. Click to load it


-+ - Álvaro G. Vicario - Burgos, Spain
++ Mi sitio sobre programación web:
+- Mi web de humor con rayos UVA:

Re: Brackets across includes wrote:

Quoted text here. Click to load it

It's ugly, it's messy and it's unmaintainable. Even if you could do it, its
not a good idea. You should apply the same discipline to any HTML fragments
you put in include files - opening and closing tags should match.

A better way of doing this is:

if (! $authenticated()) {
} else {

There's a lot of reasons for all the changes to your code in the above.



Re: Brackets across includes wrote:
Quoted text here. Click to load it

Before you start coding, try to get your concepts straight first.
Authentication determines the identity of the user. Authorization
determines if the user has permission to do something. These are
separate concepts and should be implemented as separate procedures.

When you restrict access to a page, the question you ask is "Is this
visitor permitted to view this page?" "The visitor is Joe Black"
clearly isn't a sufficient answer. To answer the question, you might
need to know who the visitor is--or might not. Authorization could be
granted on the basis of IP address for instance, or it could be granted
based on an authorization token received from a trusted source. It
could even be based on the time of day (e.g. "visitors are allowed from

To reiterate: identity =/=> permission. Too many people get this wrong.

As Alvaro noted, you should use functions. Performing tasks by
including files is a primitive, stupid way to program. Include files
should only contain function/class declarations that're used by the
actual, executable script.

Here's an example of an authorization scheme. At the top of every page,
you would have something like this:




/* do stuff */


Again, the question we're asking is "Is the visitor permitted to view
this page?". It's a authorization question--not authentication--hence
the function name. The parameter is the authority required for a
particular page. Here we'll use a simple numeric system. Zero authority
means the page is unrestricted. The function call might seem redundant
for this case, but it's useful to have the system cover the whole site.
If in the future you need to completely deny access to, say, a
particular IP address, the hooks are in place already.

The CheckAuthorization function would look something like this:


function CheckAuthorization($required_level) {
  $visitor_level = GetVisitorPermissionLevel();
  if($visitor_level < $required_level) {
    header("Location: login.php");
  return true;

function GetVisitorPermissionLevel() {
  if(isset($_SESSION['visitor_permission_level'])) {
    return $_SESSION['visitor_permission_level'];
  return 0;

function AuthorizeVisitor($level_granted) {
  $_SESSION['visitor_permission_level'] = $level_granted;


The logic is fairly simple: If the visitor doesn't have the necessary
authority, then he's send to a login page. During the login process,
AuthorizeVisitor() would be called with a certain permission level,
perhaps retrieved from a database, once the visitor's identity is
acertained. The code might look something like this:

if(AuthenticateUser($_POST['login'], $_POST['password'])) {
   $user_level = GetUserPermissionLevel($_POST['login']);

The key, again, is that authentication is separate and distinct from
authorization. Keeping the distinction make the process clearer and
leaves options open for changes down the line. For instance, it'd be
relatively straight forward to extend the example above to support a
second method of authentication (e.g. HTTP).

Re: Brackets across includes wrote:
Quoted text here. Click to load it


The easiest way I've found doesn't require functions or anything else.  
It also allows you to have the authorization only those pages which  
require it.


   if (!isset($_SESSION['loggedon']) || $_SESSION['loggedon != true']) {

This checks the $_SESSION['loggedon'] variable to see if it is set and  
true.  If so, the process allows the rest of the page to be displayed.  
If not, it redirects the user to 'logon.php'.

Change the test as necessary for your system.  Then just


at the very start (before anything - even DOCTYPE or white space) of any  
php file requiring authentication.

No function calls to fool with, no worries about mismatched braces, etc.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.

Site Timeline