
Help with ?PageID=

Posted: Fri May 02, 2008 11:35 am
by Todlerone
Hello, everyone. Thank you in advance for any help/suggestions to this post. I'm just curious if anyone knows of any good tutorials and/or books that help explain the use of page templating (not sure if this is the correct word for it). By this I mean the use of header/footer includes with a dynamic main page. I currently have implemented a header and footer include on my individual .php pages but like the idea of the "?PageID=". This technique seems to be at risk for code injection (what isn't, right?) but a lot of the online quickie tutorials don't explain much about doing it correctly/safely. CHEERS. :D

Re: Help with ?PageID=

Posted: Fri May 02, 2008 11:48 am
by aceconcepts
In terms of security, maybe http://uk.php.net/urlencode will be of some interest.

Re: Help with ?PageID=

Posted: Fri May 02, 2008 11:56 am
by lafever
I don't know of any good tutorials but you can basically grab something from the URL by using the $_GET variable. Here is an example:

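Code:

// Read the requested page name; fall back to 'home' when the parameter is absent
$page = isset($_GET['id']) ? $_GET['id'] : 'home';
 
switch ($page) {
     // 'home' and any unrecognised value both load the home page
     case 'home':
     default:
        include('home.php');
     break;
 
     case 'about':
        include('about.php');
     break;
 
     // and so on....
}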
 
You will also have to take methods of securing the script from vulnerabilities. So if the URL is expected to be an integer you could use

Code:

 
$page = (int)$_GET['id'];
 
Or if you are expecting only certain pages, such as home, about, contact

Code:

 
$allowed_variables = array('home', 'about', 'contact');
// If $_GET['id'] is missing or is not in the above array (strict comparison), default to 'home'
$page = (isset($_GET['id']) && in_array($_GET['id'], $allowed_variables, true)) ? $_GET['id'] : 'home';
 

Basically the switch() function is what controls what page to include. You would simply include your header or footer above or below the switch. In this instance, using $_GET['id'] would make it

Code:

 
page.php?id=
 
I hope this helps you get started.

Re: Help with ?PageID=

Posted: Fri May 02, 2008 12:35 pm
by Todlerone
Thank you very much (both replies). Is this the common way of achieving this?

Re: Help with ?PageID=

Posted: Fri May 02, 2008 1:22 pm
by Verminox
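Yes, it's the common way. If you were too lazy to hardcode each page entry, or if you have a large number of pages, you could try this:

Code:

<?php
include_once 'header.php';
 
// Accept only a string parameter; a missing or array value falls back to the index page
$page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'index';
$file = $page . '.php';
// Reject names that carry a directory component or that do not exist under ./pages/
if( $file != basename($file) || !file_exists('./pages/'.$file) )
{
    $file = 'index.php';
}
 
include './pages/' . $file;
 
include_once 'footer.php';
?>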
However, all your pages that you would like to include must be inside the 'pages' subdirectory. All sensitive files (which you don't want to be included) should be outside.
Checking with basename() will make sure that the filename doesn't try to wander around other directories (will catch characters like '/' and '.').

Disclaimer: I am not 100% sure of the security of this snippet though, don't use it unless some other more experienced users confirm that it is safe.
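
Added example, not part of any post in this thread: one way to combine the ideas above (restrict the input, keep includable files in a 'pages' subdirectory) into a single resolver that also confirms the resolved path stays inside that directory. The function name resolve_page(), the temporary directory layout and the sample inputs are assumptions made up for the demonstration.

```php
<?php
// Added example: resolve a ?page= value to a file that is guaranteed to sit
// inside the pages directory. resolve_page() and the paths are hypothetical.

function resolve_page($requested, $pagesDir, $default = 'index')
{
    $base = realpath($pagesDir);
    if ($base === false) {
        throw new RuntimeException('pages directory not found');
    }
    $fallback = $base . DIRECTORY_SEPARATOR . $default . '.php';

    // ?page[]=x arrives as an array; a missing parameter arrives as null.
    if (!is_string($requested)) {
        return $fallback;
    }
    // Allow only a conservative character set: no '/', '\', '.', or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return $fallback;
    }
    // realpath() resolves symlinks, so a link pointing out of the directory
    // fails the prefix test below; it also returns false for missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return $fallback;
    }
    return $path;
}

// Constructed demo: a throwaway pages directory and a file outside it.
$root = sys_get_temp_dir() . '/pageid_demo_' . getmypid();
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/index.php', 'index');
file_put_contents($root . '/pages/about.php', 'about');
file_put_contents($root . '/config.php', 'secret');

// Constructed inputs, as they would appear in $_GET['page'].
$inputs = array('about', null, array('about'), '../config', "about\0", 'http://example.test/x', 'missing');
foreach ($inputs as $in) {
    $shown = is_string($in) ? addcslashes($in, "\0..\37") : gettype($in);
    echo str_pad($shown, 24), ' => ', basename(resolve_page($in, $root . '/pages')), "\n";
}
```

Only 'about' resolves to about.php; every other constructed input falls back to index.php. In a page script the returned path would be passed to include between the header and footer includes.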