Include content, or include header and footer?
Posted: Sat Sep 28, 2002 11:08 am
by conthox
I wonder, what's the best thing to do? Thinking about including the content of a page
Code:
<?php
//The menu and header
include "news.php";
//footer
?>
or including the header and a footer
Code:
<?php
include "header.php";
//page content
include "footer.php";
?>
What do you think?
Posted: Sat Sep 28, 2002 11:21 am
by Takuma
I use the bottom... I think there isn't a difference between these two.
Posted: Sat Sep 28, 2002 11:25 am
by twigletmac
There isn't really a 'best' thing to do for every situation. Some people will do it one way and some will do it another. There are pluses and minuses to each approach so you should investigate these and then make your decision based on what you think will work best for you. I personally prefer the first approach of drawing content into a template but it is just a personal preference.
Mac
Posted: Sat Sep 28, 2002 11:52 am
by conthox
Ok, the thing is, I've heard that there is greater security in the second one, because the page.php?id=news gives the visitor the possibility to decide what is to be included.
But there are fewer files with the first one.
Posted: Sat Sep 28, 2002 12:08 pm
by Takuma
If you use $_POST, or $_GET you could stop that.
Here's the code to stop it.
Code:
<?php
if(count($_POST) > 0) {
    echo "Invalid Access";
}
if(count($_GET) > 0) {
    echo "Invalid Access";
}
?>
Posted: Sun Sep 29, 2002 3:28 am
by twigletmac
Takuma wrote: If you use $_POST, or $_GET you could stop that.
Here's the code to stop it.
Code:
<?php
if(count($_POST) > 0) {
    echo "Invalid Access";
}
if(count($_GET) > 0) {
    echo "Invalid Access";
}
?>
I don't think you quite got what was meant - if you have page.php?id=news and someone modifies that to page.php?id=http://www.myhackersite.com/mynastypageofcode then if you are just doing:
Code:
<?php
/* Header */
include $_GET['id'].'.php';
/* Footer */
?>
in your page.php page then the person could possibly insert their own code into your page. So counting the number of elements of $_GET and $_POST isn't going to do anything to make that page more secure.
conthox wrote: Ok, the thing is, I've heard that there is greater security in the second one, because the page.php?id=news gives the visitor the possibility to decide what is to be included.
What would give the first more security is some checking before you include the page. If you haven't got many maybe you could contain them in an array and check the value of $_GET['id'] to make sure it is in the array. You could also potentially use a database to store information about each page, in the process of retrieving that you could check whether $_GET['id'] exists in your site. The most important thing that needs to be done is to check to make sure that the information that is being taken from the query string contains no unexpected characters that would not be allowed in a filename. Just doing
should be avoided.
Mac
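The array check and the filename-character check described in the post above, sketched as an added example that is not code from the thread or its posters. It assumes PHP 7.1 or later; the function name resolve_page, the page names and the pages/ directory are hypothetical.

```php
<?php
// Added example: page names and the pages/ directory are assumptions.

// Allow-list: the only ids that may be included, mapped to fixed file
// names so request data never becomes part of a path.
const PAGES = [
    'news'    => 'news.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Return the file to include for a requested id, or null to reject it.
function resolve_page($id, array $pages, string $baseDir): ?string
{
    // Reject arrays (?id[]=x) and anything else that is not a string.
    if (!is_string($id)) {
        return null;
    }
    // Character check: only characters a page name may contain, which
    // rules out "/", ".", ":" and NUL bytes.
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/', $id) !== 1) {
        return null;
    }
    // Membership check: the id must be one of the known pages.
    if (!array_key_exists($id, $pages)) {
        return null;
    }
    return $baseDir . '/' . $pages[$id];
}

// Constructed sample inputs: one valid id and several that must fail.
$samples = [
    'news',
    'http://www.myhackersite.com/mynastypageofcode', // value from the thread
    '../config',
    ['news'],
    'News',
    '',
];
foreach ($samples as $id) {
    $file = resolve_page($id, PAGES, __DIR__ . '/pages');
    $shown = json_encode($id, JSON_UNESCAPED_SLASHES);
    printf("%-50s => %s\n", $shown, $file ?? 'rejected');
}

// In page.php (layout from the thread), the call would look like:
//   $file = resolve_page($_GET['id'] ?? 'news', PAGES, __DIR__ . '/pages');
//   if ($file === null) { http_response_code(404); exit; }
//   include 'header.php'; include $file; include 'footer.php';
```

Only the first sample resolves to a path; every other input is rejected before any include statement is reached.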
Posted: Sun Sep 29, 2002 3:51 am
by Coco
well personally i use include header + footer...
basically the idea with that being that i can edit the default style easily but override it where necessary
and also i have been using redirect headers a fair bit so it's easier because i can just shift the header include down
Posted: Mon Sep 30, 2002 8:16 am
by conthox
Ok, thank you all for all replies!
Posted: Mon Sep 30, 2002 9:00 am
by Coco
welcome... basically you should do which of the 2 you feel more comfortable with
per aspera ad sierra