
php URL Query String

Posted: Mon Oct 27, 2003 1:51 pm
by jackbourne
Hey guys, I am still very new to php, but I found the code

ini_set('include_path', '');
switch ($_GET['get']) {
	case 'legal':
		include('legal/legal.php');
		break;
	default:
		include('error.php');
		break;
}

that turned my URL into something like
"http://localhost/index.php?get=legal"

but my problem is that it only links one page. What would I need to do if I wanted the "http://localhost/index.php?get=" to open a file inside the
"bin/test/file.php" directory? That might look something like
"http://localhost/index.php?get=bin&keyword=file"

I hope that makes sense.
Thanks guys

Posted: Mon Oct 27, 2003 4:51 pm
by volka
You have to be very careful if you allow users to determine the file that is read/executed.
At least do something like

Code:

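<?php
// basename() strips any directory components, so only a file in the
// current directory can be named by the request.
$requestedFile = '';
if ( isset($_GET['get']) && is_string($_GET['get']) )
	$requestedFile = basename($_GET['get']);

// Fall back to the error page when nothing usable was requested.
if ( strlen($requestedFile) == 0 || !is_file($requestedFile) )
	$requestedFile = 'error.php';

include($requestedFile);
?>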

A more pessimistic version is to define a set of allowed files and only include the requested document if its name is in that set

Code:

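<?php
// Only these documents may ever be included.
$allowedDocuments = array(
		'docA.php', 'docB.php',
		'docC.php', 'docD.php'
	);

// in_array() takes the needle first, then the haystack; the third
// argument enables strict comparison so no type juggling takes place.
if ( !isset($_GET['get']) || !in_array($_GET['get'], $allowedDocuments, true) )
	$requestedFile = 'error.php';
else
	$requestedFile = $_GET['get'];

include($requestedFile);
?>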
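
The allow-list idea from the reply above, applied to the two-parameter URL in the original question (index.php?get=bin&keyword=file). This is an added example, not code from either poster. It assumes PHP 7 or later; the function name resolve_page, the $pages map and its layout are hypothetical, and only the paths legal/legal.php, bin/test/file.php and error.php come from the thread.

```php
<?php
// Added example (not from the thread). Every includable page is listed
// explicitly, keyed first by the 'get' parameter and then by 'keyword'.
// Request data is only ever used as an array key, never as part of a path.
$pages = [
    'legal' => ['' => 'legal/legal.php'],       // index.php?get=legal
    'bin'   => ['file' => 'bin/test/file.php'], // index.php?get=bin&keyword=file
];

function resolve_page(array $pages, array $query): string
{
    $errorPage = __DIR__ . '/error.php';

    $section = $query['get'] ?? '';
    $keyword = $query['keyword'] ?? '';

    // A URL such as ?get[]=x makes PHP deliver an array instead of a string;
    // anything that is not a plain string goes to the error page.
    if (!is_string($section) || !is_string($keyword)) {
        return $errorPage;
    }

    // Unknown section or unknown keyword: nothing in the map, so no include.
    $relative = $pages[$section][$keyword] ?? null;
    if ($relative === null) {
        return $errorPage;
    }

    // The path comes from the map above, so it cannot contain "../" or a
    // URL wrapper supplied by the client. is_file() only guards against a
    // listed page that is missing on disk.
    $path = __DIR__ . '/' . $relative;
    return is_file($path) ? $path : $errorPage;
}

include resolve_page($pages, $_GET);
```

Adding a page means adding one entry to $pages; a request for anything not listed, including values such as get=../../etc/passwd, resolves to error.php.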