Content Script

dmallia
Forum Commoner
Posts: 25
Joined: Sat Nov 19, 2011 3:18 pm

Content Script

Post by dmallia »

I would like a script to have the index.php file and then, according to what the user wants, the content is displayed. For example, a user loads website1.com and news is displayed; then the user clicks on About Us in the menu and, instead of having a new page load, I would like index.php to stay but, instead of the news, the About Us content is loaded (sometimes I see pages having website1.com/index.php?page=aboutus.php). Is it difficult for a newcomer to PHP to do it? If you already have the script I would be glad if you posted it. Thanks beforehand.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Content Script

Post by Celauran »

website1.com/index.php?page=aboutus.php

This is done using GET requests and isn't terribly difficult. I don't see much advantage in doing it mind you, and it can be a huge potential security hazard if people start typing things like ?page=../../../etc/passwd
dmallia
Forum Commoner
Posts: 25
Joined: Sat Nov 19, 2011 3:18 pm

Re: Content Script

Post by dmallia »

So is the best thing to do, for security reasons, to make separate pages like index.php, aboutus.php, contact us.php, like HTML-only pages?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Content Script

Post by Celauran »

That would certainly be preferable to including whatever argument gets passed in by URL.
dmallia
Forum Commoner
Posts: 25
Joined: Sat Nov 19, 2011 3:18 pm

Re: Content Script

Post by dmallia »

thanks :)
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: Content Script

Post by twinedev »

As long as $_GET['page'] is validated properly (i.e., check for only the characters needed; for files, usually a-z 0-9 - _ . is good), there would not be the security issue of someone trying to get files out of the intended area.

I would suggest if you go that route, you do the following:
http://www.website1.com/?page=about-us
http://www.website1.com/?page=news
http://www.website1.com/?page=contact-us

Then, those particular files as php would get kept in a sub directory that contains ONLY files intended to be called this way, so you could do the following as your main index.php file:

Code: Select all

<?php
define ('PAGE_PATH',$_SERVER['DOCUMENT_ROOT'].'/path/to/files/');

$strPage = (isset($_GET['page'])) ? preg_replace('/[^a-z0-9._-]/i','',$_GET['page']) : 'index';
if ($strPage=='') { $strPage = 'index'; } // In case preg_replace wiped out everything
if (!is_file(PAGE_PATH.$strPage.'.php')) {
   // They called a nonexistent file
   header('HTTP/1.0 404 Not Found');
   $strPage = '404'; // Set to what will tell them there was a 404 call
   if (!is_file(PAGE_PATH.$strPage.'.php')) {
      // Just in case for some reason you didn't set the 404 page right...
      die ('ERROR: Page Not Found.');
   }
}

// Call that file and capture its output. Done here so we have vars for TITLE, META, etc...
// We capture the output to display in the page where we want it.
// NOTE!! all output from the included file should ALREADY be using entities, ready to go

ob_start();
   require_once(PAGE_PATH.$strPage.'.php');
$strContent = ob_get_clean();

// Main links for the site for the interactive menu
$aryMenu = array('index'=>'Home Page','about-us'=>'About Us','news'=>'News','contact-us'=>'Contact Us');


?>
<html>
   <head>
      <title><?php echo htmlspecialchars($strTitle); ?></title>
      <meta name="description" content="<?php echo htmlspecialchars($strDescription); ?>">
      <meta name="keywords" content="<?php echo htmlspecialchars($strKeywords); ?>">
      <!-- OTHER head ITEMS FOR YOUR SITE -->
   </head>
   <body>
      <!-- Your markup for your page.... -->

      <h1><?php echo htmlspecialchars($strHeading); ?></h1>

      <!-- Other layout code up to your menu.... -->

      <ul id="main-nav">
         <?php
            foreach($aryMenu as $link_page => $link_text) {
               if ($link_page==$strPage) {
                  echo '<li class="active">',htmlspecialchars($link_text),"</li>\n";
               }
               else {
                  echo '<li><a href="/?page=',$link_page,'">',htmlspecialchars($link_text),"</a></li>\n";
               }
            }
         ?>
      </ul>

      <!-- Other layout code up to the main content... -->

      <div id="content"><?php echo $strContent; ?></div>

      <!-- The rest of your page layout.... -->
      
   </body>
</html>

Then in the files you are including (/path/to/files/news.php for example), do something like this:

Code: Select all

<?php
   if (!defined('PAGE_PATH')) { die ('ERROR: Invalid direct call to this file'); }
   $strTitle = 'The News You Want!';
   $strDescription = 'My Site News for my audience';
   $strKeywords = 'News,Samples,Stuff';
   $strHeading = 'Current News';
?>
<h2>Nov 3, 2011</h2>
   <p>Something happened on this day</p>
<hr>
<h2>Nov 11, 2011</h2>
   <p>This is a "Sample" of how entities need to be output here...</p>

As noted in the comments, the output from the included files needs to already be properly marked up using entities.

This also prevents someone from directly browsing to the included files; they require a constant that is defined in the main index.php.

Also, to take it a step further, you could set up mod_rewrite on the server by placing the following in .htaccess

Code: Select all

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*) /index.php?page=$1 [L]

With this, you can then use the following links instead of the list above:
http://www.website1.com/about-us
http://www.website1.com/news
http://www.website1.com/contact-us

What the .htaccess file is doing is saying "if the URL was not for an existing file or an existing directory, and it was not specifically for favicon.ico, then call index.php and put what their request was at the end of /index.php?page="


That is a quick rundown on how you can do it. As you can see, this can easily be modified to actually be database driven at this point!
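
An added example, not part of any post in this thread: a variant of the `page` lookup that rejects an invalid value instead of stripping characters from it, then confirms with realpath() that the resolved file sits in the pages directory. The function name `resolve_page`, the temporary directory standing in for /path/to/files/ and the sample requests are assumptions made for the illustration.

```php
<?php
// Added example (not code from the thread): resolve ?page= by rejecting bad
// input instead of stripping characters, then confirm the file stays in place.

// Assumption: a throwaway directory stands in for /path/to/files/.
$pageDir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($pageDir);
foreach (['index', 'about-us', 'news', '404'] as $name) {
    file_put_contents("$pageDir/$name.php", "<p>$name</p>");
}

/**
 * Return the absolute path of the page file to include, or null when the
 * request should be answered with the 404 page.
 */
function resolve_page(?string $requested, string $pageDir): ?string
{
    if ($requested === null || $requested === '') {
        $requested = 'index';
    }
    // Reject rather than strip: "../../../etc/passwd" is refused, not turned
    // into another name. \A and \z anchor the whole string, newline included.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/i', $requested)) {
        return null;
    }
    // realpath() resolves symlinks and returns false for missing files.
    $base = realpath($pageDir);
    $file = realpath($pageDir . '/' . $requested . '.php');
    if ($base === false || $file === false) {
        return null;
    }
    // Containment check: the resolved file must sit directly in $base.
    return dirname($file) === $base ? $file : null;
}

// Constructed sample requests, including the traversal string from the thread
// and a nested path such as the rewrite rule would pass for /news/archive.
$samples = [null, 'news', 'about-us', '../../../etc/passwd', 'news.php',
            'news/archive', 'missing'];
foreach ($samples as $page) {
    $path = resolve_page($page, $pageDir);
    printf("%-24s => %s\n", var_export($page, true),
           $path === null ? '404' : basename($path));
}

// Clean up the demo directory.
array_map('unlink', glob("$pageDir/*.php"));
rmdir($pageDir);
```

With stripping, a request for /news/archive through the rewrite rule would be reduced to `newsarchive` and looked up under that name; rejecting it keeps the URL-to-file mapping one-to-one.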