How to do this: explain.php?what=game_rules

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

qads
DevNet Resident
Posts: 1199
Joined: Tue Apr 23, 2002 10:02 am
Location: Brisbane

How to do this: explain.php?what=game_rules

Post by qads »

on some sites i see this:

Code: Select all

explain.php?what=game_rules
and if i click a link on this page it goes like this:

Code: Select all

explain.php?what=TOS
how do i get diffrenet content on same page like this?
and how do get to it, by that i mean do i have to do this?

Code: Select all

pagename.php?name=something
thanks in adv
epsilon
Forum Newbie
Posts: 11
Joined: Fri Apr 19, 2002 10:20 am
Location: Belgium
Contact:

Post by epsilon »

A 'switch' command is used to do it.
I don't know how to use it though.
Brian
Forum Contributor
Posts: 116
Joined: Thu Apr 18, 2002 5:33 pm

One Way To Do It

Post by Brian »

You could do something like this:

Code: Select all

switch ($_GETї'what']) {

case "game_rules":

  include("../path/rules.file");

  break;

case "TOS":

  include("../path/tos.file");

  break;

case "secret":

  include("../path/jokes.file");

  break;

default:

  print("<P>Please make a selection</P>
");

  printOptionsMenu();

&#125;
There are other ways to do it too. It is up to you.
Jim
Forum Contributor
Posts: 238
Joined: Fri Apr 19, 2002 5:26 am
Location: Near Austin, Texas

Post by Jim »

I do this on my site. It's pretty simple.

I use includes.

For instance, to access some of the HTML tutorials I have, I create a page called page.php with something like this on it:

Code: Select all

<?
include("/home/mysite/public_html/html/page.php?name=$name");
?>
Then I create a link to page.php that looks like this:

http://www.mysite.com/html/page.php?name=filename.php

It goes to page.php and puts whatever file I ask it to in the body section of my page :)

I probably haven't done a great job explaining, so if you'd like to see it in action go to http://www.maxxxtorque.com/prodigy.

Hope this helps!
Brian
Forum Contributor
Posts: 116
Joined: Thu Apr 18, 2002 5:33 pm

Be careful!

Post by Brian »

When developing something like that, you should be aware that someone can do something like this:

http://www.maxxxtorque.com/prodigy/php/ ... /index.php

Imagine if you had something sensitive on your server like this:

http://www.maxxxtorque.com/prodigy/php/ ... .passwords

One thing you might want to consider is disallowing any URL that contains periods or slashes. You should always validate user input before using it.
Jim
Forum Contributor
Posts: 238
Joined: Fri Apr 19, 2002 5:26 am
Location: Near Austin, Texas

Post by Jim »

Well, the thing is I'd have to have my passwords in the HTML directory for people to be able to see them.

If you use the link I described above, it will only find files in:

http://www.maxxxtorque.com/prodigy/html

rather than all of prodigy or maxxxtorque.com.

I've tried to mess around with the URLs for a while, but everything seems secure. Then again, I'm a n00b so I dont know what I'm talking about.

Do you mind <span style='color:blue' title='I'm naughty, are you naughty?'>smurf</span> around with it and telling me if something is up?
Thanks amigo!
qads
DevNet Resident
Posts: 1199
Joined: Tue Apr 23, 2002 10:02 am
Location: Brisbane

Post by qads »

thanks guys, althogh i don't fully understand what th hell u are on about but i am sure i can get it in time :roll: .

thanks alot
User avatar
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

You could use if...else statements ie:

Code: Select all

<?php
$_GET&#1111;'page'] = $page;
if ($page == 'page1') &#123;
    $pagename = 'page1.php';
&#125; elseif ($page == 'page2') &#123;
    $pagename = 'thispage.php';
&#125; elseif ($page == 'page3') &#123;
    $pagename = 'anotherpage.php';
&#125;
include '$pagename';
?>
That's not too bad if you don't have too many pages and is a bit more secure than just using:

Code: Select all

<?php
$page = $_GET&#1111;'page'];
include $page.'.php';
?>
Which leaves you open to people trying to pass urls like:
http://www.mydomain.com/content.php?pag ... php_script

Always good to be secure,

Mac
User avatar
sam
Forum Contributor
Posts: 217
Joined: Thu Apr 18, 2002 11:11 pm
Location: Northern California
Contact:

Post by sam »

However this:

Code: Select all

include("/home/mysite/public_html/html/page.php?$page.php");
Is a littel bit more secure than using

Code: Select all

include("/home/mysite/public_html/html/page.php?name=$name");
Because they can only access php files and not password files etc...
Personally I don't like to use includes to inclode html pages anyway.
I always include a header footer in the pages rather than the other way around.

Cheers Sam
Brian
Forum Contributor
Posts: 116
Joined: Thu Apr 18, 2002 5:33 pm

Includes Selected Via Query Strings

Post by Brian »

Of course, you could always verify that the requested file actually exists on the local system before attempting to include it. You could also pattern match it. You could also take a nap. The latter may not have immediate benefits, but you may awaken refreshed and ready for inspiration. :)
Gremlin
Forum Newbie
Posts: 13
Joined: Thu May 02, 2002 7:03 pm
Location: California
Contact:

slightly diff approach

Post by Gremlin »

If you are using a DB to store your contents, you can also

.. example table Contents
...example fields title (limit to certain size.) and data (make it larger than title ..) maybe description
set up an entry to be your default page. ie INSERT INTO Contents (title,data,description) VALUES ("Default","content for entry goes here. ie a link list..make sure to striplslashes etc","Default page")
have a index.php?title=Default page with whatever you want,

query the db for the entries
use a while loop to check for any entries (mysql_num_rows) and if a result is returned simply loop each entries contents (title and desc) into a table.. in the url for each do something like
<td width="200"><a href="something.com/this.php?title=<?print"$row->title>$description?></a></td>
at end of loop make sure to close table..
now that i think about this, maybe this was't quite what you were looking for.. but for a new php user this can be exciting.
dusty
Forum Contributor
Posts: 122
Joined: Sun Apr 28, 2002 9:52 pm
Location: Portsmouth, VA

Post by dusty »

simple way to check for security reasons:

Code: Select all

<?
// pass the include through the url ie: index.php?var=page
$allow = array('page.php','page2.php');
$require = "$var.php";
if(!in_array($require,$allow)) &#123;
  die("Nice try!");
&#125;
?>

<table>
  <tr>
    <td><?require($require)?></td>
  </tr>
</table>
User avatar
hob_goblin
Forum Regular
Posts: 978
Joined: Sun Apr 28, 2002 9:53 pm
Contact:

Post by hob_goblin »

i use

Code: Select all

if(isset($var))&#123;
include('$var');
&#125;
but you could do something like

Code: Select all

if(isset($var)){
 if($var == "Item"){
include('Item.php');
} else {
echo "hey thats not a choice";
}
}
pretty simple
User avatar
phice
Moderator
Posts: 1416
Joined: Sat Apr 20, 2002 3:14 pm
Location: Dallas, TX
Contact:

*sigh*

Post by phice »

Code: Select all

<?
if ($var) &#123;
$var = "dir/" . $var . ".php";
include($var);
&#125; else &#123;
include("startFile.php");
&#125;
?>
dusty
Forum Contributor
Posts: 122
Joined: Sun Apr 28, 2002 9:52 pm
Location: Portsmouth, VA

Post by dusty »

from what i've seen i'd still say that using in_array would be the most secure method w/o all of the lengthy if statements. rather than having an if for each link.. just put the valid files in an array and check if they're valid before including.

using the dir/var.php could be cracked by creating the same dir name and file name and including that from a different server leaving off the dir and .php

using isset wouldn't help security wise, just would prevent (like the func name) unset variables from being included.
Post Reply