How to do this: explain.php?what=game_rules

Posted: Sat Apr 27, 2002 7:01 am
by qads
on some sites i see this:

Code:

explain.php?what=game_rules
and if i click a link on this page it goes like this:

Code:

explain.php?what=TOS
how do i get different content on same page like this?
and how do i get to it, by that i mean do i have to do this?

Code:

pagename.php?name=something
thanks in adv

Posted: Sat Apr 27, 2002 7:09 am
by epsilon
A 'switch' command is used to do it.
I don't know how to use it though.

One Way To Do It

Posted: Sat Apr 27, 2002 8:48 am
by Brian
You could do something like this:

Code:

switch ($_GET['what']) {
  case "game_rules":
    include("../path/rules.file");
    break;
  case "TOS":
    include("../path/tos.file");
    break;
  case "secret":
    include("../path/jokes.file");
    break;
  default:
    // anything not listed above ends up here and only gets the menu
    print("<P>Please make a selection</P>\n");
    printOptionsMenu(); // your own function that prints the links
}
There are other ways to do it too. It is up to you.

Posted: Sat Apr 27, 2002 8:59 am
by Jim
I do this on my site. It's pretty simple.

I use includes.

For instance, to access some of the HTML tutorials I have, I create a page called page.php with something like this on it:

Code:

<?
include("/home/mysite/public_html/html/page.php?name=$name");
?>
Then I create a link to page.php that looks like this:

http://www.mysite.com/html/page.php?name=filename.php

It goes to page.php and puts whatever file I ask it to in the body section of my page :)

I probably haven't done a great job explaining, so if you'd like to see it in action go to http://www.maxxxtorque.com/prodigy.

Hope this helps!

Be careful!

Posted: Sat Apr 27, 2002 9:21 am
by Brian
When developing something like that, you should be aware that someone can do something like this:

http://www.maxxxtorque.com/prodigy/php/ ... /index.php

Imagine if you had something sensitive on your server like this:

http://www.maxxxtorque.com/prodigy/php/ ... .passwords

One thing you might want to consider is disallowing any URL that contains periods or slashes. You should always validate user input before using it.

Posted: Sat Apr 27, 2002 9:52 am
by Jim
Well, the thing is I'd have to have my passwords in the HTML directory for people to be able to see them.

If you use the link I described above, it will only find files in:

http://www.maxxxtorque.com/prodigy/html

rather than all of prodigy or maxxxtorque.com.

I've tried to mess around with the URLs for a while, but everything seems secure. Then again, I'm a n00b so I don't know what I'm talking about.

Do you mind smurf around with it and telling me if something is up?
Thanks amigo!

Posted: Sat Apr 27, 2002 10:03 am
by qads
thanks guys, although i don't fully understand what the hell u are on about but i am sure i can get it in time :roll: .

thanks a lot

Posted: Sat Apr 27, 2002 10:39 am
by twigletmac
You could use if...else statements ie:

Code:

<?php
// read the requested page name from the query string
$page = $_GET['page'];
if ($page == 'page1') {
    $pagename = 'page1.php';
} elseif ($page == 'page2') {
    $pagename = 'thispage.php';
} elseif ($page == 'page3') {
    $pagename = 'anotherpage.php';
}
// no quotes here: single quotes would look for a file literally named $pagename
include $pagename;
?>
That's not too bad if you don't have too many pages and is a bit more secure than just using:

Code:

<?php
$page = $_GET['page'];
include $page.'.php';
?>
Which leaves you open to people trying to pass urls like:
http://www.mydomain.com/content.php?pag ... php_script

Always good to be secure,

Mac

Posted: Sat Apr 27, 2002 1:50 pm
by sam
However this:

Code:

include("/home/mysite/public_html/html/page.php?$page.php");
Is a little bit more secure than using

Code:

include("/home/mysite/public_html/html/page.php?name=$name");
Because they can only access php files and not password files etc...
Personally I don't like to use includes to include html pages anyway.
I always include a header footer in the pages rather than the other way around.

Cheers Sam

Includes Selected Via Query Strings

Posted: Sat Apr 27, 2002 4:44 pm
by Brian
Of course, you could always verify that the requested file actually exists on the local system before attempting to include it. You could also pattern match it. You could also take a nap. The latter may not have immediate benefits, but you may awaken refreshed and ready for inspiration. :)

slightly diff approach

Posted: Thu May 02, 2002 7:03 pm
by Gremlin
If you are using a DB to store your contents, you can also

.. example table Contents
...example fields title (limit to certain size.) and data (make it larger than title ..) maybe description
set up an entry to be your default page. ie INSERT INTO Contents (title,data,description) VALUES ("Default","content for entry goes here. ie a link list..make sure to stripslashes etc","Default page")
have an index.php?title=Default page with whatever you want,

query the db for the entries
use a while loop to check for any entries (mysql_num_rows) and if a result is returned simply loop each entries contents (title and desc) into a table.. in the url for each do something like
<td width="200"><a href="something.com/this.php?title=<?php print urlencode($row->title); ?>"><?php print htmlspecialchars($description); ?></a></td>
at end of loop make sure to close table..
now that i think about this, maybe this wasn't quite what you were looking for.. but for a new php user this can be exciting.

Posted: Thu May 02, 2002 7:26 pm
by dusty
simple way to check for security reasons:

Code:

<?
// pass the include through the url ie: index.php?var=page
$allow = array('page.php','page2.php');
$require = "$var.php";
if(!in_array($require,$allow)) {
  die("Nice try!");
}
?>

<table>
  <tr>
    <td><?require($require)?></td>
  </tr>
</table>

Posted: Thu May 02, 2002 10:24 pm
by hob_goblin
i use

Code:

if(isset($var)){
  // no quotes around the variable: '$var' in single quotes is the literal text $var
  include($var);
}
but you could do something like

Code:

if(isset($var)){
  if($var == "Item"){
    include('Item.php');
  } else {
    echo "hey thats not a choice";
  }
}
pretty simple

*sigh*

Posted: Thu May 02, 2002 11:00 pm
by phice

Code:

<?
if ($var) {
  $var = "dir/" . $var . ".php";
  include($var);
} else {
  include("startFile.php");
}
?>

Posted: Thu May 02, 2002 11:24 pm
by dusty
from what i've seen i'd still say that using in_array would be the most secure method w/o all of the lengthy if statements. rather than having an if for each link.. just put the valid files in an array and check if they're valid before including.

using the dir/var.php could be cracked by creating the same dir name and file name and including that from a different server leaving off the dir and .php

using isset wouldn't help security wise, just would prevent (like the func name) unset variables from being included.
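
Added example, not from any post in this thread: one way to combine the allow-list dusty describes with the existence and pattern checks Brian mentions, so the query string only ever selects a key and never a path. The page keys, file names and the `resolve_page` helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Page keys and file names are constructed.

/**
 * Map a ?what= value to a file under $baseDir, or return null to reject it.
 * 1. The key must match a strict pattern (no dots, slashes or URL schemes).
 * 2. The key must be in the allow-list; the visitor never supplies a file name.
 * 3. The resolved real path must exist and still sit inside $baseDir.
 */
function resolve_page(string $what, array $pages, string $baseDir): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $what)) {
        return null;
    }
    if (!array_key_exists($what, $pages)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$what]);
    if ($base === false || $path === false) {
        return null; // directory or mapped file is missing
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // a symlink or a bad map entry pointed outside the base
    }
    return $path;
}

// Constructed demo: a temporary content directory holding two pages.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/rules.file", "<p>Game rules</p>\n");
file_put_contents("$dir/tos.file", "<p>Terms of service</p>\n");
$pages = ['game_rules' => 'rules.file', 'TOS' => 'tos.file'];

// Constructed request values, including the kinds of input the thread warns about.
$requests = ['game_rules', 'TOS', '../.passwords', 'http://example.invalid/x', 'tos.file', ''];
foreach ($requests as $what) {
    $file = resolve_page($what, $pages, $dir);
    printf("%-28s => %s\n", var_export($what, true), $file === null ? 'rejected' : basename($file));
}
array_map('unlink', glob("$dir/*"));
rmdir($dir);

// In explain.php, once $_GET['what'] is known to be a string:
//   $file = resolve_page($_GET['what'], $pages, $contentDir);
//   if ($file !== null) { include $file; } else { /* show the menu */ }
```

Only the two allow-listed keys resolve to a file; the traversal string, the URL, the raw file name and the empty value are all rejected before anything reaches `include`.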