Variables == Difficult
Posted: Mon Sep 04, 2006 11:55 am
by danharibo
I'm trying to make a dynamic page using txt files and fopen. But it's not going too good:
Code: Select all
if($page == '')
{
$page = "./index.txt";
}
$fp = fopen($page, 'r'); // Open Page .txt for reading from beginning
$read = fread($fp, '4000'); // Read from the file pointer
print($read);
Causes this:
Notice: Undefined variable: page in c:\program files\easyphp1-8\www\sufsite\index.php on line 15
I'm not sure how to fix it

Posted: Mon Sep 04, 2006 11:57 am
by timvw
Where is $page coming from??? In case you're reading an outdated manual, here's a hint:
http://us2.php.net/reserved.variables...
And you probably might want to check
http://www.php.net/isset,
http://www.php.net/empty, etc too...
Posted: Mon Sep 04, 2006 11:58 am
by danharibo
?page=news.txt ?
Posted: Mon Sep 04, 2006 12:04 pm
by RobertGonzalez
You need to set $page equal to something before you check if its value equals something OR you need to check if it isset() or if it is empty() (as timvw helpfully pointed out).
Posted: Mon Sep 04, 2006 12:09 pm
by AlecH
This looks like what you are looking for.
Code: Select all
$page = trim($_GET['page']);
if($page != '')
{
$fp = fopen($page, 'r'); // Open Page .txt for reading from beginning
$read = fread($fp, '4000'); // Read from the file pointer
print($read);
}
Posted: Mon Sep 04, 2006 12:13 pm
by timvw
AlecH wrote:This looks like what you are looking for.
Code: Select all
$page = trim($_GET['page']);
if($page != '')
{
$fp = fopen($page, 'r'); // Open Page .txt for reading from beginning
$read = fread($fp, '4000'); // Read from the file pointer
print($read);
}
But that results in a warning about an undefined variable when there is no page variable in the url... The following code on the other hand doesn't have that problem...
Another problem is that the use of this variable, without performing any checks on it, allows a malicious user to request any page he wants.. And as long as the webserver has read access to that file, he'll get to see the contents...
If you really want to do that, at least use
http://www.php.net/real_path to verify if the page comes from a place where it's allowed to request pages from
Anyway, I'm pretty sure the OP did not bother to carefully read the links I posted... So I'll stop bothering about his problems too..
Posted: Mon Sep 04, 2006 12:19 pm
by feyd
The code posted is a security hole waiting to be exploited. I would suggest implementing the "$_GET and includes" thread linked from Useful Posts if that route is desired.
Posted: Tue Sep 05, 2006 10:21 am
by danharibo
Once I finish the script it will add '.txt' to the end, so how is it a security hole? Anyway, I'll just use empty/isset
Posted: Tue Sep 05, 2006 11:25 am
by danharibo

Neither:
Code: Select all
if(!isset($page))
{
$page = "./index.txt";
}
Or:
Code: Select all
if(empty($page))
{
$page = "./index.txt";
}
won't work. Take a peek:
*Removed*
Posted: Tue Sep 05, 2006 12:21 pm
by danharibo
Anybody? Those 2 just load index.txt regardless
Posted: Tue Sep 05, 2006 12:42 pm
by timvw
danharibo wrote:
Once I finish the script it will add '.txt' to the end, so how is it a security hole? Anyway, I'll just use empty/isset
I wonder why I still bother...
viewtopic.php?t=36850&postdays=0&postor ... ed2a0deafb why simply prepending something isn't safe...
Posted: Tue Sep 05, 2006 12:57 pm
by danharibo
ok, so:
Code: Select all
$RealPage = str_replace('../', '',$page);
Would be safer?
Posted: Tue Sep 05, 2006 1:09 pm
by n00b Saibot
Why not use a key for each page you want to show? In such a way you can be safe from any kind of path manipulation hacks..
Code: Select all
<?php
$page = $_GET['page'];
$pageList = array('home'=>'index.txt', 'news'=>'news.txt', /*...add here to your heart's content*/ );
$page = if(in_array($page, array_keys($pageList))) ? $pageList[$page] : $pageList['home'];
/* continue with your jig */
?>
Posted: Tue Sep 05, 2006 1:14 pm
by danharibo
Parse error: parse error in c:\program files\easyphp1-8\www\sufsite\index.php on line 18
$page = if(in_array($page, array_keys($pageList))) ? $pageList[$page] : $pageList['home'];

Posted: Tue Sep 05, 2006 1:38 pm
by n00b Saibot
eeeks my bad!!!
Code: Select all
$page = if(in_array($page, array_keys($pageList))) ? $pageList[$page] : $pageList['home'];
should be
Code: Select all
$page = in_array($page, array_keys($pageList)) ? $pageList[$page] : $pageList['home'];
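The realpath check timvw suggests, combined with the isset/empty handling discussed earlier in the thread, as an added example that is not code from any poster here. The function name resolve_page() and the temporary directory layout are assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. resolve_page() and the temporary
// directory layout below are constructed for the demonstration.

function resolve_page(string $baseDir, $requested, string $default = 'index.txt'): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("page directory not found: $baseDir");
    }
    $fallback = $base . DIRECTORY_SEPARATOR . $default;

    // Missing parameter, ?page[]=x (an array) or an embedded NUL byte: use the default.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return $fallback;
    }

    // realpath() canonicalises "..", "." and symlinks, and returns false when the
    // file does not exist, so the prefix comparison is made on the real location.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    $inside = $path !== false
        && strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0
        && is_file($path);

    return $inside ? $path : $fallback;
}

// Constructed layout: <tmp>/pages/{index,news}.txt, plus <tmp>/secret.txt outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
@mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/index.txt', "home\n");
file_put_contents($root . '/pages/news.txt', "news\n");
file_put_contents($root . '/secret.txt', "not a page\n");

// In index.php the second argument would be $_GET['page'] ?? null.
foreach (['news.txt', null, '', '../secret.txt', $root . '/secret.txt', ['x']] as $input) {
    $file = resolve_page($root . '/pages', $input);
    printf("%-28s => %s", json_encode($input), file_get_contents($file));
}
```

Only the first input resolves to news.txt; every other input falls back to index.txt because the canonical path either does not exist or lies outside the pages directory.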