There isn't really a 'best' thing to do for every situation. Some people will do it one way and some will do it another. There are pluses and minuses to each approach so you should investigate these and then make your decision based on what you think will work best for you. I personally prefer the first approach of drawing content into a template but it is just a personal preference.
Ok, the thing is, I've heard that it is greater security in the second one, because the page.php?id=news gives the visitor the possibility to decide what to be included.
I don't think you quite got what was meant - if you have page.php?id=news and someone modifies that to page.php?id=http://www.myhackersite.com/mynastypageofcode then if you are just doing:
<?php
/* Header */
include $_GET['id'].'.php';
/* Footer */
?>
in your page.php page then the person could possibly insert their own code into your page. So counting the number of elements of $_GET and $_POST isn't going to do anything to make that page more secure.
conthox wrote: Ok, the thing is, I've heard that it is greater security in the second one, because the page.php?id=news gives the visitor the possibility to decide what to be included.
What would give the first more security is some checking before you include the page. If you haven't got many maybe you could contain them in an array and check the value of $_GET['id'] to make sure it is in the array. You could also potentially use a database to store information about each page, in the process of retrieving that you could check whether $_GET['id'] exists in your site. The most important thing that needs to be done is to check to make sure that the information that is being taken from the query string contains no unexpected characters that would not be allowed in a filename. Just doing
Basically the idea with that being that I can edit the default style easily but override it where necessary,
and also I have been using redirect headers a fair bit, so it's easier because I can just shift the header include down.
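
The array check suggested earlier in the thread, combined with the filename-character check, as an added example that is not part of the original posts. The page names, the pages/ directory and the resolve_page() helper are assumptions made for illustration.

```php
<?php
// Added example: page.php with an allow-list in front of include.
// PAGE_DIR, PAGES and resolve_page() are hypothetical names, not from the thread.
const PAGE_DIR = __DIR__ . '/pages';

// Request value => file on disk. Only files named here can ever be included,
// so the visitor picks a key, never a path or URL.
const PAGES = [
    'news'    => 'news.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map the raw query-string value to a file path, or null if it is not allowed.
 */
function resolve_page($id): ?string
{
    // page.php?id[]=x arrives as an array; only plain strings are acceptable.
    if (!is_string($id)) {
        return null;
    }
    // Only characters expected in a page name: no dots, slashes, colons or
    // NUL bytes, so "../", "http://..." and similar never get further.
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/', $id) !== 1) {
        return null;
    }
    // Final authority is the allow-list, not the pattern.
    if (!array_key_exists($id, PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGES[$id];
}

$file = resolve_page($_GET['id'] ?? 'news');

if ($file === null || !is_file($file)) {
    // Unknown or malformed id: answer 404 and include nothing.
    http_response_code(404);
    echo 'Page not found';
    exit;
}

/* Header */
include $file;
/* Footer */
```

With this in place, page.php?id=news includes pages/news.php, while the modified URL from the earlier post fails the character check and gets the 404 response.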