PHP _GET, File Exists and include

Xsis
Forum Newbie
Posts: 10
Joined: Tue Feb 07, 2012 10:38 am

PHP _GET, File Exists and include

Post by Xsis »

Hi Guys,

This is my first post on this board, but I'm quite sure it won't be the last :)

Well, I'm totally new at PHP programming, so I could use some advice around some stuff. Right now I'm making a simple menu where all my content should get loaded into a <div>. It works perfectly, but the entire site refreshes every time I click my links. Can somebody please help me on this one? It's because I'm also running a JavaScript with an image rotator, and it resets every time I press one of these links.

My code is currently quite simple. (I'm not that much into security right now, but I'll look into that when I get a basic understanding of PHP.)
The a href goes like this:

<a href="index.php?page=content/news">Image</a>

and the code in the targeted div goes like this

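// Page name comes from the query string (?page=...)
$page = $_GET["page"];

// Load the requested page if a matching .php file exists
if (file_exists($page . ".php"))
{
    include ($page . ".php");
}
else
{
    echo ("404 Error - File Doesn't Exist");
}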

Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: PHP _GET, File Exists and include

Post by Mordred »

For the "don't reload the whole page" part, you'll need to read up on AJAX - jQuery has a really easy API to do that.
For your include question:
1. include intrinsically checks if the file exists and nothing happens if it doesn't (there's another similar function, require(), that gives an error if the file is not there).
2. This

include ($page . ".php");

can be written like this as well (much easier on the eyes, I think):

include ("$page.php");

And most importantly:
3. Including from $_GET directly is a huge security risk. You should make a whitelist - a list of inclusions you would accept, check if the thing that comes from $_GET is in there and only include it if so. Otherwise you have a vulnerability known as RFI/LFI (remote/local file include - in your case can be both, depending on the server config).

4. If you want to do the 404 thing, you should do this:

header("HTTP/1.0 404 Not Found");
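
One way to build the whitelist from point 3 together with the 404 header from point 4, as an added example that is not code from either poster. The page names, file paths and the function names resolve_page and render_page are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example: allowlist-based page loader. Page names and paths are
// assumptions made for illustration.

// Accepted ?page= values and the files they load. Only these files can
// ever reach include, whatever the request contains.
const ALLOWED_PAGES = [
    'content/news'    => __DIR__ . '/content/news.php',
    'content/about'   => __DIR__ . '/content/about.php',
    'content/contact' => __DIR__ . '/content/contact.php',
];

// Return the file for a requested page, or null if it is not allowlisted.
// $requested is untyped because ?page[]=x makes $_GET['page'] an array.
function resolve_page($requested, array $allowed): ?string
{
    if (!is_string($requested)) {
        return null;
    }
    // Exact key match only: no path is ever built from user input.
    return array_key_exists($requested, $allowed) ? $allowed[$requested] : null;
}

function render_page($requested): void
{
    $file = resolve_page($requested, ALLOWED_PAGES);
    if ($file === null || !is_file($file)) {
        // Unknown page or missing file: send a real 404 status.
        header('HTTP/1.0 404 Not Found');
        echo "404 Error - File Doesn't Exist";
        return;
    }
    include $file;
}

// In index.php: render_page($_GET['page'] ?? 'content/news');

// Constructed inputs, run from the command line, showing what is accepted.
if (PHP_SAPI === 'cli') {
    $samples = ['content/news', '../../etc/passwd',
                'http://example.invalid/x', ['content/news']];
    foreach ($samples as $sample) {
        $verdict = resolve_page($sample, ALLOWED_PAGES) === null ? 'rejected' : 'allowed';
        echo json_encode($sample, JSON_UNESCAPED_SLASHES), " => $verdict\n";
    }
}
```

Only the first constructed input is allowed; the traversal path, the URL and the array form are all rejected before include is reached.
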

Xsis
Forum Newbie
Posts: 10
Joined: Tue Feb 07, 2012 10:38 am

Re: PHP _GET, File Exists and include

Post by Xsis »

Thank you for the tips, I'll look up on AJAX about the reload page, thank you for the information about $_GET!