PHP code being ignored
Posted: Sun Jun 10, 2007 5:29 pm
by dmx21
I made a site for my old elementary school. When I was designing and testing it, I put it on my server. It worked fine. But when I put the site up on their server, the PHP in the site no longer works. I don't know PHP really at all, but here is the code that is giving me trouble:
Code:
if($tab) {
    include('content/tab/'.$tab.'.php');
} else {
    include('content/tab/index.php');
}
and
Code:
<li> <a href="?folder=index&tab=index"> Home </a></li>
<li> <a href="?folder=sports&tab=sports">Sports </a></li>
So when you click on the link, it changes the content shown on the site. You can see what I want it to do here:
http://www.jacobswain.com/jonesboro
and you can see what the site is doing on the school's server here:
http://www.jonesboro.u102.k12.me.us/test/
Note that I know for a fact that PHP is supported by the school's server. Any help would be really appreciated. I have played around with this for a while and have done a lot of web searches but haven't been able to solve my problem. Thanks
Posted: Sun Jun 10, 2007 6:02 pm
by feyd
It would appear your code relies on register_globals.
i.e. $tab

$_GET['tab'] .. also, look into using isset().
Never ever use user input without some filtration. Your script as is could allow a lot of bad things to happen.
Posted: Sun Jun 10, 2007 6:27 pm
by dmx21
So I should replace the $tab with $_GET['tab']? And I should do that everywhere that $tab is right now? Also what sort of bad things could happen with the code as it is now? Thanks.
Posted: Sun Jun 10, 2007 6:38 pm
by volka
dmx21 wrote: Also what sort of bad things could happen with the code as it is now?
You mean apart from "it's not working on a server that has been configured with register_globals=off"?

see
http://de2.php.net/security.globals
Posted: Sun Jun 10, 2007 7:04 pm
by dmx21
So register_globals is turned off. I read the link that you sent me and tried a few more things, but I seem to be completely lost. This is really my first stab at PHP and what I am using right now another kid at school gave me, so I am really not all that comfortable with the language yet. But I felt like I should use this so that it would make it easier for the woman at my old elementary school to update. Thanks for your help so far, I think I am just missing something.
Posted: Mon Jun 11, 2007 8:32 am
by superdezign
Basically, you don't want to look for $tab. $tab doesn't exist.
$_GET['tab'] does exist.
Code:
if(isset($_GET['tab']))
{
    switch($_GET['tab'])
    {
        case 'index':
        case 'sports':
            include('content/tab/' . $_GET['tab'] . '.php');
            break;
        default:
            include('content/tab/index.php');
    }
}
else
{
    include('content/tab/index.php');
}
The switch statement ensures that people can't just type in a random URL and have your script attempt to load a file that doesn't exist.
Posted: Mon Jun 11, 2007 9:51 am
by dmx21
Thank you so much!!! And I am sure that Jonesboro Elementary School thanks you too. Thanks to you guys, those poor little kids get a working web site now.

Posted: Mon Jun 11, 2007 10:47 am
by superdezign
Wow.. Just from that? Sounds like a pretty hefty site you got there.

Posted: Mon Jun 11, 2007 11:17 am
by RobertGonzalez
Just FYI, using $_GET['tab'] everywhere is bad. There is absolutely no validation and no sanitization/filtration on that. What I would have done is left $tab where you had it, and somewhere before that, had something like this:
Code:
<?php
// Set the tab var from the querystring
$tab = isset($_GET['tab']) ? $_GET['tab'] : '';
// Spend some time making sure the data that was
// passed to the querystring is not going to take
// down your server or compromise your users
/* ... doing that here ... */
// Now use it in the original context of the code.
?>
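Added example, not part of the original thread: one way to fill in the validation step left as a placeholder in the post above, using the same allow-list idea as the earlier switch statement. The names `$allowedTabs` and `resolve_tab()` are hypothetical, and the list assumes the two tabs shown in the menu.

```php
<?php
// Added example: $allowedTabs and resolve_tab() are hypothetical names,
// not code from the thread.

// Only these tab names map to files under content/tab/ (the two from the menu).
$allowedTabs = array('index', 'sports');

/**
 * Return the file to include for a request.
 * $query is normally $_GET; it is a parameter so the function can be
 * exercised with constructed input.
 */
function resolve_tab(array $query, array $allowedTabs, $baseDir = 'content/tab/')
{
    $default = $baseDir . 'index.php';

    // Missing parameter: same result as the else branch in the original code.
    if (!isset($query['tab'])) {
        return $default;
    }

    $tab = $query['tab'];

    // ?tab[]=x arrives as an array; only a plain string can be a tab name.
    if (!is_string($tab)) {
        return $default;
    }

    // Strict comparison against the fixed list. The request value only
    // selects an entry; it is never trusted as a path on its own.
    if (!in_array($tab, $allowedTabs, true)) {
        return $default;
    }

    return $baseDir . $tab . '.php';
}

// Constructed sample requests (not real traffic).
$samples = array(
    array(),                          // no tab parameter
    array('tab' => 'sports'),         // listed tab
    array('tab' => 'news'),           // not on the list
    array('tab' => 'Sports'),         // wrong case, so not an exact match
    array('tab' => array('sports')),  // wrong type
);
foreach ($samples as $q) {
    echo json_encode($q), ' => ', resolve_tab($q, $allowedTabs), "\n";
}
```

On the real page the call would be `include resolve_tab($_GET, $allowedTabs);`, and adding a new tab means adding its name to the list.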
Posted: Mon Jun 11, 2007 11:22 am
by guitarlvr
Everah wrote:
Code:
<?php
// Set the tab var from the querystring
$tab = isset($_GET['tab']) ? $_GET['tab'] : '';
// Spend some time making sure the data that was
// passed to the querystring is not going to take
// down your server or compromise your users
/* ... doing that here ... */
// Now use it in the original context of the code.
?>
@Everah: What does the ? $_GET['tab'] : '' do in the above example? I've never seen that before.
Wayne
Posted: Mon Jun 11, 2007 11:24 am
by RobertGonzalez
It is called the ternary operator and it is an alternative syntax to if/else:
Code:
<?php
// This:
$tab = isset($_GET['tab']) ? $_GET['tab'] : '';
// .. is functionally equivalent to
if (isset($_GET['tab'])) {
    $tab = $_GET['tab'];
} else {
    $tab = '';
}
?>
Posted: Mon Jun 11, 2007 11:25 am
by guitarlvr
I gotchya, Thanks for the clarification.
Wayne
Posted: Mon Jun 11, 2007 11:27 am
by RobertGonzalez
Just as a note, it is not something I recommend developers use unless it is a simple and easy to understand case. I tend to favor complete control structures versus short ones like that.