A simple include script problem!


mrkite
Forum Contributor
Posts: 104
Joined: Tue Sep 11, 2007 4:19 am

Post by mrkite »

scottayy wrote: A much more elegant solution would use file_exists() on the include file. An even more elegant solution wouldn't pass the filename via $_GET, but instead perhaps a number which indicates a specific file.
file_exists would still be bad. It wouldn't prevent the bad guy from pulling htaccess files etc. The second idea is much better.. or at least a keyword.

Code:

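// Allowlist: keyword from the URL => file to include
$pages = array('main' => 'blah/main.php', 'bio' => 'blah/bio.php', 'fred' => '/home/fred/public_html/index.php');

// Require a string parameter that is a key of the allowlist; anything else includes nothing
if (isset($_GET['key']) && is_string($_GET['key']) && isset($pages[$_GET['key']])) include $pages[$_GET['key']];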
or something to that extent.
glav
Forum Newbie
Posts: 13
Joined: Sat Feb 25, 2006 1:54 pm

Post by glav »

Holy crap, I've a lot of work to do, mainly reading and understanding all the proposed methods. Thanks for all the help, it's great to be able to throw it out there and get a bit of feedback. I suppose the brightest thing would be to find an app that uses such includes and see what steps were taken to secure it, or maybe it is such a security risk that no PHP developer worth a taught would use this method - it might just be a method that's never 100%. The only reason I'm playing with it is I have no time to develop a full site on my skills. I'll improve it over time and develop it from scratch eventually.

Thanks again.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Something to consider...
include_pages.php

Code:

<?php
$include_pages = array(1 => 'Page1', 'Page2', 'Page3', 'Page4');
?>
index.php

Code:

<?php
include 'include_pages.php';

echo '<ul>';
foreach ($include_pages as $k => $v) {
  echo '<li><a href="dynamic.php?page=' . $k . '">Click to go to ' . $v . '</a></li>';
}
echo '</ul>';
?>
dynamic.php

Code:

<?php
include 'include_pages.php';

// Default page setting
$page = 1;

// See if the user requested something else
if (isset($_GET['page']) && is_numeric($_GET['page']) && array_key_exists($_GET['page'], $include_pages)) {
  $page = $_GET['page'];
}

include $include_pages[$page] . '.php';
?>
I am sure this could be secured more, but it is something to think about.
Last edited by RobertGonzalez on Wed Oct 10, 2007 1:08 pm, edited 1 time in total.
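
An added example, not code from any poster in this thread: the keyword lookup from mrkite's post combined with the default-page fallback from RobertGonzalez's, moved into one function that also handles a missing or non-string parameter. The name `resolve_page`, the `pages/` paths and the sample inputs are assumptions made for illustration, and the code assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Allowlist: request keyword => file to include. The paths are constructed
// for this example; only values listed here can ever reach include.
const PAGES = [
    'main' => 'pages/main.php',
    'bio'  => 'pages/bio.php',
];
const DEFAULT_PAGE = 'main';

/**
 * Map an untrusted request value to an allowlisted include path.
 *
 * The request value is only ever used as an array key, never as part of a
 * path, so traversal strings and dotfile names cannot be selected. A
 * file_exists() check would accept both, because those files do exist.
 */
function resolve_page(mixed $requested, array $pages, string $default): string
{
    // ?key[]=x arrives as an array and a missing parameter as null;
    // both fall back to the default page instead of raising an error.
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        return $pages[$default];
    }
    return $pages[$requested];
}

// Constructed inputs standing in for $_GET['key'] ?? null.
$samples = ['bio', '../.htaccess', 'pages/bio.php', '', '0', null, ['bio']];

foreach ($samples as $input) {
    printf(
        "%-18s => %s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        resolve_page($input, PAGES, DEFAULT_PAGE)
    );
}

// In the page itself the call would be:
// include resolve_page($_GET['key'] ?? null, PAGES, DEFAULT_PAGE);
```

Run from the command line, every sample except `bio` resolves to the default page, including the allowlisted path itself when it is passed as the keyword.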
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Post by Zoxive »

Just for a heads up. You're missing an include in `dynamic.php`.

Code:

include 'include_pages.php';
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Oh crap, you're right. I'll be fixing that shortly.