newbie's question
Posted: Tue May 31, 2005 1:09 pm
by scorpio2002
Hi there!
I'm new to php and I've recently learnt to use "include" to include a file in my php page. Now I'd like to be able to achieve more.
I'd like "include" to work with variables. For example... If I type "http://www.mypage.it/index?=credits.html" I'd like the include command to include the page credits.html.
If I'm not mistaken, the following site uses something like that:
http://www.baslug.org/index.php
Is that possible?
Thank you in advance.
Donato
p.s.: sorry for my English...
Posted: Tue May 31, 2005 1:40 pm
by Skara
wrong forum. Use this instead:
http://example.com/?file=example.html
then,
Code:
if (file_exists($_GET['file'])) include $_GET['file'];
else print("File not found.");
Posted: Tue May 31, 2005 2:15 pm
by Ambush Commander
Do not use that code
It can introduce serious security problems. Make sure that the filename is in an allowed directory.
Posted: Tue May 31, 2005 3:43 pm
by scorpio2002
Do not use that code
ehm.. could you be clearer? What's the security issue with this code? And so, what should I use to achieve what I want?
Thank you in advance

Posted: Tue May 31, 2005 4:26 pm
by John Cartwright
I tend to create an array of accepted pages.
Code:
$valid = array('home','news','forums');
And when calling a page I see whether or not it exists in the page.
If it exists, then the page call is valid, if not, redirect them somewhere else, such as a 404 page.
You should also make sure the page exists, just because that's common sense
Code:
// make sure $page has a value, if not assign it a default
$page = !empty($_GET['page']) ? $_GET['page'] : 'home';
// include the page only if it is in the accepted list and the file exists
if (in_array($page, $valid) && file_exists($page.'.php'))
{
    include($page.'.php');
}
else
{
    include('404.html');
}
Without doing this check, you could potentially load a php script from another server, and it could 1) bring down your site and possibly server 2) gather important information about your site
An example of this attack would be
http://www.domain.com/?page=http://badd ... script.php
Posted: Tue May 31, 2005 5:03 pm
by Chris Corbyn

Moved to PHP Code

Posted: Tue May 31, 2005 6:59 pm
by Skara
Ambush Commander wrote: Do not use that code
It can introduce serious security problems. Make sure that the filename is in an allowed directory.
Of course. But as he's a newb, I doubt he's designing some high-profile site or anything.

Posted: Wed Jun 01, 2005 2:48 am
by CoderGoblin
Skara wrote:
Of course. But as he's a newb, I doubt he's designing some high-profile site or anything.

Better to learn how to do things correctly from the start though. If you program well while learning it will become instinctive.
Posted: Wed Jun 01, 2005 4:40 am
by timvw
I've found http://www.php.net/realpath to be very useful to determine if the file is really in the wanted directory....
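
The two defences suggested in this thread, the array of accepted pages and the realpath() directory check, combined in one function. This is an added example and not code posted by anyone in the thread; resolve_page(), the demo directory and the sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added example, not code from the thread. resolve_page() and the demo paths
// are hypothetical names. Needs PHP 7.1+ for the ?string return type.
function resolve_page(string $requested, array $valid, string $baseDir): ?string
{
    // 1. Allowlist with strict comparison: only exact, known names pass.
    if (!in_array($requested, $valid, true)) {
        return null;
    }
    // 2. Canonicalise. realpath() resolves ../ and symlinks and returns false
    //    when the file does not exist, which also covers URL-style values.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: the resolved file must live under the base directory.
    //    The trailing separator keeps "/pages_old" from matching "/pages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo tree: two pages inside pages/, one file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/home.php', "home\n");
file_put_contents($root . '/pages/news.php', "news\n");
file_put_contents($root . '/outside.php', "outside the page directory\n");

// '../outside' is a deliberately sloppy allowlist entry, to show that the
// containment check still holds when the list itself is wrong.
$valid = ['home', 'news', 'forums', '../outside'];
$requests = ['home', 'forums', 'admin', '../outside', 'http://example.invalid/x'];

foreach ($requests as $r) {
    $path = resolve_page($r, $valid, $root . '/pages');
    echo str_pad($r, 28), $path === null ? 'rejected, serve 404' : "include $path", "\n";
}

// Remove the demo tree.
array_map('unlink', glob($root . '/pages/*.php'));
unlink($root . '/outside.php');
rmdir($root . '/pages');
rmdir($root);
```

Only "home" resolves to a path; "forums" is in the list but has no file, "admin" and the URL-style value are not in the list, and "../outside" exists on disk but resolves outside the page directory.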