PHP code being ignored

dmx21
Forum Newbie
Posts: 4
Joined: Sun Jun 10, 2007 5:20 pm

Post by dmx21 »

I made a site for my old elementary school. When I was designing and testing it, I put it on my server. It worked fine. But when I put the site up on their server, the PHP in the site no longer works. I don't know PHP really at all, but here is the code that is giving me trouble:

Code: Select all

if($tab) {
	include('content/tab/'.$tab.'.php');
} else {
	include('content/tab/index.php');
}
and

Code: Select all

<li> <a href="?folder=index&tab=index"> Home  </a></li>
<li> <a href="?folder=sports&tab=sports">Sports </a></li>
So when you click on the link, it changes the content shown on the site. You can see what I want it to do here:
http://www.jacobswain.com/jonesboro
and you can see what the site is doing on the school's server here:
http://www.jonesboro.u102.k12.me.us/test/

Note that I know for a fact that PHP is supported by the school's server. Any help would be really appreciated. I have played around with this for a while and have done a lot of web searches, but haven't been able to solve my problem. Thanks.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It would appear your code relies on register_globals.

i.e. $tab → $_GET['tab'] .. also, look into using isset().

Never ever use user input without some filtration. Your script as is could allow a lot of bad things to happen.
dmx21
Forum Newbie
Posts: 4
Joined: Sun Jun 10, 2007 5:20 pm

Post by dmx21 »

So I should replace the $tab with $_GET['tab']? And I should do that everywhere that $tab is right now? Also what sort of bad things could happen with the code as it is now? Thanks.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

dmx21 wrote: Also what sort of bad things could happen with the code as it is now?
You mean apart from "it's not working on a server that has been configured with register_globals=off"? ;)
see http://de2.php.net/security.globals
dmx21
Forum Newbie
Posts: 4
Joined: Sun Jun 10, 2007 5:20 pm

Post by dmx21 »

So register_globals is turned off. I read the link that you sent me and tried a few more things, but I seem to be completely lost. This is really my first stab at PHP and what I am using right now another kid at school gave me, so I am really not all that comfortable with the language yet. But I felt like I should use this so that it would make it easier for the woman at my old elementary school to update. Thanks for your help so far, I think I am just missing something.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Basically, you don't want to look for $tab. $tab doesn't exist.

$_GET['tab'] does exist.

Code: Select all

if(isset($_GET['tab']))
{
    switch($_GET['tab'])
    {
        case 'index':
        case 'sports':
            include('content/tab/' . $_GET['tab'] . '.php');
            break;
        default:
            include('content/tab/index.php');
    }
}
else
{
    include('content/tab/index.php');
}
The switch statement ensures that people can't just type in a random URL and have your script attempt to load a file that doesn't exist.
dmx21
Forum Newbie
Posts: 4
Joined: Sun Jun 10, 2007 5:20 pm

Post by dmx21 »

Thank you so much!!! And I am sure that Jonesboro Elementary school thanks you too. Thanks to you guys those poor little kids get a working web site now :)
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Wow.. Just from that? Sounds like a pretty hefty site you got there. :lol:
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Just FYI, using $_GET['tab'] everywhere is bad. There is absolutely no validation and no sanitization/filtration on that. What I would have done is left $tab where you had it, and somewhere before that, had something like this:

Code: Select all

<?php
// Set the tab var from the querystring
$tab = isset($_GET['tab']) ? $_GET['tab'] : '';

// Spend some time making sure the data that was 
// passed to the querystring is not going to take 
// down your server or compromise your users

/* ... doing that here ... */

// Now use it in the original context of the code.
?>
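One way to fill in the validation step that the post above leaves as a placeholder, shown as an added example that is not part of the original thread. The function name `resolve_tab()`, the 32-character name limit and the temporary demo directory are assumptions made for illustration; the sample inputs are constructed.

```php
<?php
// Added example: validate the "tab" query parameter before it reaches include().
// resolve_tab() and the demo directory are illustrative assumptions.

function resolve_tab($raw, string $baseDir, string $default = 'index'): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('tab directory missing');
    }
    $fallback = $base . DIRECTORY_SEPARATOR . $default . '.php';

    // ?tab[]=x arrives as an array; a missing parameter arrives as null.
    if (!is_string($raw)) {
        return $fallback;
    }
    // Plain page names only: no slashes, dots, NUL bytes or URL schemes.
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/', $raw) !== 1) {
        return $fallback;
    }
    // Resolve symlinks and confirm the file really sits directly inside $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . $raw . '.php');
    if ($path === false || dirname($path) !== $base || !is_file($path)) {
        return $fallback;
    }
    return $path;
}

// Constructed demo: a throwaway directory standing in for content/tab.
$dir = sys_get_temp_dir() . '/tabdemo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/index.php", "<?php echo 'home';");
file_put_contents("$dir/sports.php", "<?php echo 'sports';");

// Constructed inputs: one valid name, then values that must fall back to index.
$samples = ['sports', null, ['x'], '../config', 'http://example.invalid/x', 'missing'];
foreach ($samples as $s) {
    $shown = json_encode($s, JSON_UNESCAPED_SLASHES);
    printf("%-28s => %s\n", $shown, basename(resolve_tab($s, $dir)));
}

array_map('unlink', glob("$dir/*.php"));
rmdir($dir);

// In the page itself:
// include resolve_tab($_GET['tab'] ?? null, __DIR__ . '/content/tab');
```

Unlike a hard-coded switch, this picks up new pages dropped into the tab directory without a code change, while anything that is not a plain page name inside that directory still loads the index page.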
guitarlvr
Forum Contributor
Posts: 245
Joined: Wed Mar 21, 2007 10:35 pm

Post by guitarlvr »

Everah wrote:

Code: Select all

<?php
// Set the tab var from the querystring
$tab = isset($_GET['tab']) ? $_GET['tab'] : '';

// Spend some time making sure the data that was 
// passed to the querystring is not going to take 
// down your server or compromise your users

/* ... doing that here ... */

// Now use it in the original context of the code.
?>
@Everah: What does the ? $_GET['tab'] : '' do in the above example? I've never seen that before.

Wayne
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

It is called the ternary operator and it is an alternative syntax to if/else:

Code: Select all

<?php
// This:
$tab = isset($_GET['tab']) ? $_GET['tab'] : '';

// .. is functionally equivalent to 
if (isset($_GET['tab'])) {
  $tab = $_GET['tab'];
} else {
  $tab = '';
}
?>
guitarlvr
Forum Contributor
Posts: 245
Joined: Wed Mar 21, 2007 10:35 pm

Post by guitarlvr »

I gotchya, Thanks for the clarification. :)

Wayne
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Just as a note, it is not something I recommend developers use unless it is a simple and easy to understand case. I tend to favor complete control structures versus short ones like that.