problems with path

dizeta
Forum Commoner
Posts: 47
Joined: Mon Feb 02, 2004 9:53 am

Post by dizeta »

hi,

i have this problem:
i'm using a template system
index.php:

Code:

include("header.php");
include("menu.php");
$p = "main";
if (isset($_GET['page'])) {
    $p = $_GET['page'];
    if ($p != basename($p) || !preg_match("/^[A-Za-z0-9\-_]+$/", $p) || $p == "index" || !file_exists($p . ".php"))
        $p = "error";
}
include($p . ".php");
include("footer.php");
the problem is that the script loads pages that are stored in the same directory as index.php.
for example a querystring like:

Code:

index.php?page=login
it works because login.php is in the same directory as index.php, but if login.php is stored at auth/login.php the querystring doesn't work


i'd like to modify that script to allow me to use different paths.

thanks to all
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

Have you tried

index.php?page=auth%2Flogin

?
dizeta
Forum Commoner
Posts: 47
Joined: Mon Feb 02, 2004 9:53 am

Post by dizeta »

yes, and it doesn't work...
:?:
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

That is because if you have $_GET['page'] = 'auth/foo.php'

basename($p) is not equal to $p...
dizeta
Forum Commoner
Posts: 47
Joined: Mon Feb 02, 2004 9:53 am

Post by dizeta »

mmh...

i'm not sure I understand :?

auth/login is just an example, because i can have different scripts running and so I need different paths...

i.e:
login = auth/login
news = news/news
admin = admin/index
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Well, your code has if($p!=basename($p)..

So, if you understand what your code does, you'll understand why it doesn't allow ?page=auth/foo...

Simply remove the test.. and things work.. But you want to avoid people requesting pages that are not in the document_base... So you might be interested in realpath to test if it's really in the document_base...
dizeta
Forum Commoner
Posts: 47
Joined: Mon Feb 02, 2004 9:53 am

Post by dizeta »

hi,

after almost a week i've found the solution.. :lol:

Code:

$sectionFolder = 'sections/';
if ($handle = opendir($sectionFolder)) {
    // collect the names (without extension) of all *.php files in the sections folder
    $sections = array();
    while (false !== ($file = readdir($handle))) {
        $parts = explode('.', $file);
        if (array_pop($parts) == 'php') {
            array_push($sections, substr($file, 0, -4));
        }
    }
    closedir($handle);
    if (isset($_GET['page']) == false || $_GET['page'] == 'main') {
        $_GET['page'] = 'main';
    }
    // only a page name that was actually found in the folder may be included
    elseif (in_array($_GET['page'], $sections) == false) {
        $_GET['page'] = 'error';
    }
    include($sectionFolder . $_GET['page'] . '.php');
}
what do you think? i mean about security issue

thanks
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Security wise it seems ok.. But i think it's a bit useless to read the complete directory contents every time..

Here is how i would do it (untested)

Code:

$sectionFolder = 'sections/';
$page = 'main';

if (isset($_GET['page']))
{
  $sectpath = realpath($sectionFolder);
  // resolve the requested file relative to the sections folder
  $filepath = realpath($sectionFolder . $_GET['page'] . '.php');

  // realpath() has collapsed any "..", so the resolved file must still sit under $sectpath
  if ($filepath !== false && is_readable($filepath) && $filepath == $sectpath . '/' . $_GET['page'] . '.php')
  {
    $page = $_GET['page'];
  }
}
include($sectionFolder . $page . '.php');
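The realpath prefix check timvw describes, written out as an added example (not code from this thread or from any poster) that also accepts subdirectory pages such as auth/login, which is what the original question asked for. The function name, the sections/ layout and the alias map are assumptions.

```php
<?php
// Added example: map ?page=... to a file that must live under $sectionFolder.
// Subdirectories (auth/login) are allowed; anything that resolves outside the
// folder, does not exist, or is not readable falls back to error.php.
function resolve_section_page(string $sectionFolder, ?string $page): string
{
    $base = realpath($sectionFolder);
    if ($base === false) {
        throw new RuntimeException("section folder '$sectionFolder' not found");
    }
    $errorPage = $base . DIRECTORY_SEPARATOR . 'error.php';

    if ($page === null || $page === '') {
        $page = 'main';
    }
    // Whitelist: letters, digits, '-' and '_' in each segment, single '/' between
    // segments. No '.', so '..' and '%00'-style tricks cannot pass; no leading '/'.
    if (!preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$#', $page) || $page === 'index') {
        return $errorPage;
    }

    $relative  = str_replace('/', DIRECTORY_SEPARATOR, $page) . '.php';
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);

    // realpath() returns false for a missing file and follows symlinks, so the
    // prefix test also rejects a symlink inside sections/ that points elsewhere.
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_readable($candidate)) {
        return $errorPage;
    }
    return $candidate;
}

// Friendly names -> real locations, as asked for earlier in the thread (assumed layout).
$aliases = [
    'login' => 'auth/login',
    'news'  => 'news/news',
    'admin' => 'admin/index',
];

$requested = $_GET['page'] ?? 'main';
$requested = $aliases[$requested] ?? $requested;

include resolve_section_page('sections/', $requested);
```

Because the whitelist never admits a dot, the realpath comparison is a second line of defence rather than the only one; keeping both means a future relaxation of the regex does not silently open the include to files outside sections/.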
thomas777neo
Forum Contributor
Posts: 214
Joined: Mon Mar 10, 2003 6:12 am
Location: Johannesburg,South Africa

Post by thomas777neo »

Can't you just set your include_path as well?
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

Post by bokehman »

I can't understand why you would be using a query string for this. You should just use a straight URL.