Url Parameterizing

Posted: Tue Jul 28, 2009 3:56 pm
by tobimichigan
Hi there,
Please could anyone give me a lead on how to generate pages from a single php page like

index.php?action=login

I also want to generate the secure pages in this format too.

Thanks a bunch.. 8)

Re: Url Parameterizing

Posted: Wed Jul 29, 2009 2:01 pm
by tr0gd0rr
PHP Frameworks such as Zend, Cake and Symfony have a robust system for those types of schemes. At the very simplest, you can do something like the following:

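Code:

<?php
// index.php
$action = isset($_GET['action']) && is_string($_GET['action']) ? $_GET['action'] : '';
$script = "./actions/$action.php";
// Allow only letters, digits, "_" and "-", so the name cannot contain "." or "/".
// The D modifier stops "$" from matching before a trailing newline.
if (!preg_match('/^[a-z0-9_-]+$/iD', $action) || !is_file($script)) {
  $script = './404.php';
}
include($script);

The preg_match() check is just a simple security measure to ensure that the action string does not contain characters such as . or /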

You can also use Apache's mod_rewrite in an .htaccess file to change pretty urls such as "/myaction/" into "index.php?action=myaction"

Re: Url Parameterizing

Posted: Wed Jul 29, 2009 2:06 pm
by Eran
A different approach is to check against a white-list array of allowed scripts. This way you have better control over what gets included, and where.

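Code:

// Only the names listed here can ever be included.
$pages = array('home','profile','login','about');
$action = isset($_GET['action']) ? $_GET['action'] : '';
if( in_array( $action , $pages , true ) ) { // third argument: strict comparison
    include($action . '.php');
} else {
    include('404.php'); //page not found
}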

Re: Url Parameterizing

Posted: Wed Jul 29, 2009 6:16 pm
by tobimichigan
pytrin wrote: A different approach is to check against a white-list array of allowed scripts. This way you have better control over what gets included, and where.

Code:

// Only the names listed here can ever be included.
$pages = array('home','profile','login','about');
$action = isset($_GET['action']) ? $_GET['action'] : '';
if( in_array( $action , $pages , true ) ) { // third argument: strict comparison
    include($action . '.php');
} else {
    include('404.php'); //page not found
}

tr0gd0rr wrote: PHP Frameworks such as Zend, Cake and Symfony have a robust system for those types of schemes. At the very simplest, you can do something like the following:

Code:

<?php
// index.php
$action = isset($_GET['action']) && is_string($_GET['action']) ? $_GET['action'] : '';
$script = "./actions/$action.php";
// Allow only letters, digits, "_" and "-", so the name cannot contain "." or "/".
// The D modifier stops "$" from matching before a trailing newline.
if (!preg_match('/^[a-z0-9_-]+$/iD', $action) || !is_file($script)) {
  $script = './404.php';
}
include($script);

The preg_match() check is just a simple security measure to ensure that the action string does not contain characters such as . or /

You can also use Apache's mod_rewrite in an .htaccess file to change pretty urls such as "/myaction/" into "index.php?action=myaction"

So guys, where do these codes go? I suppose index.php? And the rest of the variable pages, are they supposed to be in a separate folder with a ref 'include' function?

Re: Url Parameterizing

Posted: Tue Aug 04, 2009 3:55 pm
by tr0gd0rr
@tobimichigan

I'm not sure exactly what you're asking. These scripts would be in an index.php page and all urls would be something like "index.php?action=home" which would include "home.php" from whatever directory you want. For example, line 4 of my snippet "$script = "./actions/$action.php";" would look for "home.php" in the same directory that contains "index.php".

Re: Url Parameterizing

Posted: Wed Aug 05, 2009 6:05 am
by tobimichigan
tr0gd0rr wrote: @tobimichigan

I'm not sure exactly what you're asking. These scripts would be in an index.php page and all urls would be something like "index.php?action=home" which would include "home.php" from whatever directory you want. For example, line 4 of my snippet "$script = "./actions/$action.php";" would look for "home.php" in the same directory that contains "index.php".

What if you wanted to parameterize from a login page, say "login.php", and then other restricted pages?

Re: Url Parameterizing

Posted: Wed Aug 05, 2009 10:04 am
by tr0gd0rr
Sure, you can do the same thing for a login.php that we've done for index.php. The code would be essentially no different except maybe in login.php you want to check authentication. You can restrict access from directly accessing any of the pages by having all files except index.php and login.php outside the web root.

For example, put scripts in /var/www/myapp/actions/, put index.php and login.php in /var/www/myapp/public/ and set up your web root so that http://example.com/ points to /var/www/myapp/public/. Then in line 4 of my snippet go up one directory: "$script = "../actions/$action.php";"
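
An added example, not part of any post in this thread: a front controller that combines the whitelist from Eran's reply with the outside-web-root layout described above, and checks a login flag before including restricted pages. The action names, the `user_id` session key, the `resolve_action()` helper and serving the login form as an action are assumptions for illustration.

```php
<?php
// /var/www/myapp/public/index.php -- added illustration, not code from the thread.
// Assumptions: the action names, the 'user_id' session key, resolve_action().
session_start();

// Scripts live outside the web root, so they cannot be requested directly.
$actionsDir = __DIR__ . '/../actions/';

// Whitelist: action name => array(script file, requires login?).
// The request only selects a key; it is never concatenated into a path.
$actions = array(
    'home'    => array('home.php',    false),
    'about'   => array('about.php',   false),
    'login'   => array('login.php',   false),
    'profile' => array('profile.php', true),
);

// Returns the script file to include for the requested action.
function resolve_action(array $actions, $action, $loggedIn)
{
    // Rejects arrays (?action[]=x) and any name that is not on the whitelist.
    if (!is_string($action) || !array_key_exists($action, $actions)) {
        return '404.php';
    }
    list($file, $needsLogin) = $actions[$action];
    // Restricted page without a session: show the login page instead.
    if ($needsLogin && !$loggedIn) {
        return 'login.php';
    }
    return $file;
}

$action   = isset($_GET['action']) ? $_GET['action'] : 'home';
$loggedIn = !empty($_SESSION['user_id']); // set by the login script on success
$file     = resolve_action($actions, $action, $loggedIn);

if ($file === '404.php') {
    http_response_code(404);
}
include $actionsDir . $file;
```

Because the include path is built only from values stored in `$actions`, adding a page means adding one row to the whitelist and deciding at that point whether it requires a login.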

Re: Url Parameterizing

Posted: Sat Aug 08, 2009 8:30 pm
by tobimichigan
Thanks a mill tg much thanks for your invaluable contributions....