{ "slug": "include_require", "term": "include vs require vs *_once", "category": "php", "difficulty": "beginner", "short": "require halts on failure; include warns and continues. The _once variants prevent double-loading — use require_once for dependencies.", "long": "PHP has four file-loading constructs. require emits a fatal error and halts if the file is missing — use for files the application cannot function without. include only emits a warning and continues — use for optional components. require_once and include_once track loaded files and skip re-loading, preventing function/class redeclaration errors. Best practice: use require_once for class and library files, require for critical config, include for optional template partials. Never use any of them with user-supplied paths.", "aliases": [ "require", "include", "require_once", "include_once" ], "tags": [ "php", "file-loading", "autoloading" ], "misconception": "include and require are interchangeable. include emits a warning on failure and execution continues; require emits a fatal error and halts. Use require for files the application cannot function without, include only for truly optional ones.", "why_it_matters": "include() silently continues on failure while require() halts — using the wrong one in different situations masks missing files or allows execution to continue in a broken state.", "common_mistakes": [ "Using include() for core application files — a missing controller or model should be a fatal error, not a silent skip.", "Using require() for optional features or plugins that may legitimately not exist.", "Not using _once variants for files that define classes or functions — double inclusion causes fatal redeclaration errors.", "Using user-controlled paths in include/require — enables local and remote file inclusion attacks." ], "when_to_use": [], "avoid_when": [], "related": [ "lfi", "path_traversal" ], "prerequisites": [ "lfi", "php_compilation_pipeline", "autoloading" ], "refs": [ "https://www.php.net/manual/en/function.require-once.php" ], "bad_code": "// Dynamic include with user input — LFI\n\\$page = \\$_GET['page'];\ninclude \"pages/\\$page.php\"; // ?page=../../etc/passwd", "good_code": "// require = fatal error if missing (critical files)\n// include = warning only (optional parts)\n// _once variants prevent re-inclusion\n\nrequire_once 'bootstrap/app.php'; // must exist\ninclude_once 'partials/sidebar.php'; // optional\n\n// NEVER include user-supplied paths — use an allowlist:\n\\$allowed = ['home', 'about', 'contact'];\n\\$page = in_array(\\$_GET['page'] ?? '', \\$allowed, true) ? \\$_GET['page'] : 'home';\ninclude \"pages/{\\$page}.php\";\n\n// php.ini: allow_url_include = Off (always off)", "quick_fix": "Use Composer autoloading instead of manual include/require statements — it's faster (classmap), more secure, and eliminates the error-prone practice of building file paths from variables", "severity": "high", "effort": "medium", "created": "2026-03-15", "updated": "2026-03-22", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/include_require", "html_url": "https://codeclaritylab.com/glossary/include_require", "json_url": "https://codeclaritylab.com/glossary/include_require.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[include vs require vs *_once](https://codeclaritylab.com/glossary/include_require) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/include_require" } } } }