As long as $_GET['page'] is validated properly (i.e., check for only the characters needed; for files, usually a-z, 0-9, -, _ and . is good), there would not be the security issue of someone trying to get files out of the intended area.
I would suggest if you go that route, you do the following:
http://www.website1.com/?page=about-us
http://www.website1.com/?page=news
http://www.website1.com/?page=contact-us
Then, those particular files as php would get kept in a sub directory that contains ONLY files intended to be called this way, so you could do the following as your main index.php file:
<?php
define('PAGE_PATH', $_SERVER['DOCUMENT_ROOT'] . '/path/to/files/');

// Strip anything that is not a-z, 0-9, dot, underscore or hyphen. No slash can
// survive this, so the request cannot name a file outside PAGE_PATH.
$strPage = (isset($_GET['page'])) ? preg_replace('/[^a-z0-9._-]/i', '', $_GET['page']) : 'index';
if ($strPage == '') { $strPage = 'index'; } // In case preg_replace wiped out everything

if (!is_file(PAGE_PATH . $strPage . '.php')) {
    // They called a non-existent file
    header('HTTP/1.0 404 Not Found');
    $strPage = '404'; // Set to what will tell them there was a 404 call
    if (!is_file(PAGE_PATH . $strPage . '.php')) {
        // Just in case for some reason you didn't set the 404 page right...
        die('ERROR: Page Not Found.');
    }
}

// Defaults, so the template never echoes an undefined variable if an included
// file forgets to set one of them.
$strTitle = $strDescription = $strKeywords = $strHeading = '';

// Call that file and capture its output. Done here so we have vars for TITLE, META, etc...
// We capture the output to display in the page where we want it.
// NOTE!! all output from the included file should ALREADY be using entities, ready to go
ob_start();
require_once(PAGE_PATH . $strPage . '.php');
$strContent = ob_get_clean();

// Main links for the site for the interactive menu
$aryMenu = array('index' => 'Home Page', 'about-us' => 'About Us', 'news' => 'News', 'contact-us' => 'Contact Us');
?>
<html>
<head>
    <title><?php echo htmlspecialchars($strTitle); ?></title>
    <meta name="description" content="<?php echo htmlspecialchars($strDescription); ?>">
    <meta name="keywords" content="<?php echo htmlspecialchars($strKeywords); ?>">
    <!-- OTHER head ITEMS FOR YOUR SITE -->
</head>
<body>
    <!-- Your markup for your page.... -->
    <h1><?php echo htmlspecialchars($strHeading); ?></h1>
    <!-- Other layout code up to your menu.... -->
    <ul id="main-nav">
<?php
foreach ($aryMenu as $link_page => $link_text) {
    if ($link_page == $strPage) {
        echo '<li class="active">', htmlspecialchars($link_text), "</li>\n";
    } else {
        echo '<li><a href="/?page=', $link_page, '">', htmlspecialchars($link_text), "</a></li>\n";
    }
}
?>
    </ul>
    <!-- Other layout code up to the main content... -->
    <div id="content"><?php echo $strContent; ?></div>
    <!-- The rest of your page layout.... -->
</body>
</html>
Then in the files you are including (/path/to/files/news.php for example), do something like this:
<?php
if (!defined('PAGE_PATH')) { die ('ERROR: Invalid direct call to this file'); }
$strTitle = 'The News You Want!';
$strDescription = 'My Site News for my audience';
$strKeywords = 'News,Samples,Stuff';
$strHeading = 'Current News';
?>
<h2>Nov 3, 2011</h2>
<p>Something happened on this day</p>
<hr>
<h2>Nov 11, 2011</h2>
<p>This is a &quot;Sample&quot; of how entities need to be output here...</p>
As noted in the comments, the output from the included files needs to already be properly marked up using entities.
This also prevents someone from directly browsing to the included files; they require a constant that is defined in the main index.php.
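As an added example (not code from the original post), here is the ?page= check from the index.php above factored into a function and run against a few constructed inputs, with an explicit allowlist and a realpath() containment check layered on top of the character filter; $pagePath and $allowed are assumed names standing in for PAGE_PATH and the keys of $aryMenu.

```php
<?php
// Added example, not from the original post: the ?page= check from index.php
// above, factored into a function and run against constructed inputs.
// $pagePath stands in for PAGE_PATH; $allowed for the keys of $aryMenu.
// Returns the resolved file for a raw ?page= value, or null for a 404.
// 1) keep only [a-z0-9._-] exactly as the post does,
// 2) additionally require an exact match against the list of known pages,
// 3) confirm with realpath() that the file sits inside $pagePath (defence in depth).
function resolvePage(?string $raw, string $pagePath, array $allowed): ?string
{
    $name = preg_replace('/[^a-z0-9._-]/i', '', (string) $raw);
    if ($name === '') {
        $name = 'index';                      // same fallback as the post
    }
    if (!in_array($name, $allowed, true)) {   // strict: 'NEWS' != 'news'
        return null;
    }
    $base = realpath($pagePath);
    $file = realpath($pagePath . '/' . $name . '.php');
    if ($base === false || $file === false) {
        return null;                          // directory or file missing
    }
    // The resolved file must start with the base directory plus a separator.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

// Constructed sandbox: a temp directory holding two of the post's page files.
$pagePath = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($pagePath);
file_put_contents($pagePath . '/index.php', '<?php $strTitle = "Home";');
file_put_contents($pagePath . '/news.php', '<?php $strTitle = "News";');
$allowed = ['index', 'about-us', 'news', 'contact-us'];

$samples = [
    'news',              // ordinary request
    '',                  // empty value falls back to index
    '../../etc/passwd',  // slashes are stripped, so it can never name an allowed page
    'NEWS',              // survives the case-insensitive regex, rejected by the allowlist
    'about-us',          // allowed name whose file does not exist in the sandbox
];
foreach ($samples as $s) {
    $r = resolvePage($s, $pagePath, $allowed);
    printf("%-20s -> %s\n", var_export($s, true), $r === null ? '404' : basename($r));
}
```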
Also, to take it a step further, you could set up mod_rewrite on the server by placing the following in .htaccess:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*) /index.php?page=$1 [L]
With this, you can then use the following links instead of the list above:
http://www.website1.com/about-us
http://www.website1.com/news
http://www.website1.com/contact-us
What the .htaccess file is doing is saying "if the URL was not for an existing file or an existing directory, and it was not specifically for favicon.ico, then call index.php and put what their request was at the end of /index.php?page=".
That is a quick rundown on how you can do it. As you can see, this can easily be modified to actually be database driven at this point!