
PHP _GET, File Exists and include

Posted: Tue Feb 07, 2012 10:44 am
by Xsis
Hi Guys,

This is my first post on this board, but I'm quite sure it won't be the last :)

Well, I'm totally new to PHP programming, so I could use some advice on some stuff. Right now I'm making a simple menu where all my content should get loaded into a <div>. It works perfectly, but the entire site refreshes every time I click my links. Can somebody please help me with this one? It's because I'm also running a JavaScript image rotator, and it resets every time I press one of these links.

My code is currently quite simple. (I'm not that much into security right now, but I'll look into that when I get a basic understanding of PHP.)
The a href goes like this:


<a href="index.php?page=content/news">Image</a>

and the code in the targeted div goes like this:


<?php
// The page name is taken straight from the query string, e.g. ?page=content/news
$page = $_GET["page"];

// ".php" is appended and whatever file that names gets included
if (file_exists($page . ".php"))
{
    include ($page . ".php");
}
else
{
    echo ("404 Error - File Doesn't Exist");
}
?>


Re: PHP _GET, File Exists and include

Posted: Tue Feb 07, 2012 5:41 pm
by Mordred
For the "don't reload the whole page" part, you'll need to read up on AJAX - jQuery has a really easy API to do that.
For your include question:
1. include intrinsically checks if the file exists and nothing happens if it doesn't (there's another similar function, require(), that gives an error if the file is not there)
2. This

include ($page . ".php");

can be written like this as well (much easier on the eyes, I think):

include ("$page.php");

And most importantly:
3. including from $_GET directly is a huge security risk. You should make a whitelist - a list of inclusions you would accept, check if the thing that comes from $_GET is in there and only include it if so. Otherwise you have a vulnerability known as RFI/LFI (remote/local file include - in your case can be both, depending on the server config)

4. If you want to do the 404 thing, you should do this:

header("HTTP/1.0 404 Not Found");
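
The whitelist from point 3 and the 404 header from point 4, put together for the original index.php?page=... menu. This is an added example, not code from either poster. It assumes the content files live in a content/ directory next to index.php, and the page keys and file names in the map are made up for illustration; the menu links would then read index.php?page=news rather than index.php?page=content/news.

```php
<?php
// Added example (not the poster's code). Assumed layout: content/*.php next to
// index.php; the keys and file names below are illustrative.

// Whitelist: maps the value the browser is allowed to send to the file that
// gets included. The request value is only ever used as an array key, never
// as (part of) a path, so "../../other/script", "http://attacker.example/x"
// and similar never reach include().
$pages = array(
    'news'    => 'content/news.php',
    'about'   => 'content/about.php',
    'contact' => 'content/contact.php',
);

/**
 * Return the include path for a requested page key, or null if the key is
 * not on the whitelist. Non-strings (?page[]=x arrives as an array) are
 * rejected too.
 */
function resolve_page($requested, array $pages)
{
    if (!is_string($requested)) {
        return null;
    }
    return array_key_exists($requested, $pages) ? $pages[$requested] : null;
}

$requested = isset($_GET['page']) ? $_GET['page'] : 'news';   // default page
$file = resolve_page($requested, $pages);

if ($file === null || !is_file(__DIR__ . '/' . $file)) {
    // Send a real 404 status (point 4), not just "404" in the body
    header('HTTP/1.0 404 Not Found');
    echo '404 Error - Page Not Found';
} else {
    include __DIR__ . '/' . $file;
}
```

The is_file() check is only there so that a whitelist entry pointing at a missing file turns into a 404 rather than an include error; the security decision is made by the array lookup alone. Note that file_exists() in the original code is not a defence: it happily returns true for any existing .php file the string can be made to point at, it just confirms the attacker's target is there.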

Re: PHP _GET, File Exists and include

Posted: Wed Feb 08, 2012 12:41 am
by Xsis
Thank you for the tips, I'll look up AJAX for the page reload, and thank you for the information about $_GET!