Location & structure

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Flycow
Forum Newbie
Posts: 9
Joined: Thu Jul 08, 2010 8:04 am

Location & structure

Post by Flycow »

I am currently developing a website that uses the location header and GET to refer the current page back to the index page, i.e. index.php?location=main.php

The index page 'includes' the header, then the menu, then the main page referred by the location variable.

Can anyone give advantages or disadvantages for this or any other structure?
Technical
Forum Commoner
Posts: 81
Joined: Thu Dec 02, 2010 5:30 am

Re: Location & structure

Post by Technical »

Very bad concept, never let the user pass filenames across HTTP requests.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Location & structure

Post by alex.barylski »

Passing filenames across HTTP requests is fine, so long as they are properly checked before being put to use.

Passing something: index.php?page=about-us.html

Can be easily validated using a whitelist array:

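Code:

// Only pages listed here may be served
$whitelist = array('about-us.html');
// Avoid an undefined-index notice when no page is requested
$page = isset($_GET['page']) ? $_GET['page'] : '';
// Third argument true = strict comparison, no type juggling
if(in_array($page, $whitelist, true)){
  echo file_get_contents($page);
}
else{
  echo 'Page not found';
}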
Flycow
Forum Newbie
Posts: 9
Joined: Thu Jul 08, 2010 8:04 am

Re: Location & structure

Post by Flycow »

So if I understand right you're saying that I need to validate the results of the GET to ensure no harmful code is present.
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Location & structure

Post by AbraCadaver »

Flycow wrote: So if I understand right you're saying that I need to validate the results of the GET to ensure no harmful code is present.
Yes, or if you clean the name and specify where it should be located that would be fine also:

Code:

// basename() strips any directory part, so the include stays inside pages/
if(file_exists('pages/' . basename($_GET['page']))){
  include('pages/' . basename($_GET['page']));  // for PHP and HTML
} else {
  echo 'Page not found';
}
Technical
Forum Commoner
Posts: 81
Joined: Thu Dec 02, 2010 5:30 am

Re: Location & structure

Post by Technical »

AbraCadaver wrote:
Flycow wrote: So if I understand right you're saying that I need to validate the results of the GET to ensure no harmful code is present.
Yes, or if you clean the name and specify where it should be located that would be fine also:

Code:

if(file_exists('pages/' . basename($_GET['page']))){
  include('pages/' . basename($_GET['page']));  // for PHP and HTML
} else {
  echo 'Page not found';
}
I think is_file() is safer.
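
Added example (not part of any post in this thread): the three suggestions above, an allowlist, basename() with a fixed directory, and is_file(), combined into one resolver with a realpath() containment check added. It goes one step beyond the posts by having the request carry a key rather than a filename; resolve_page(), $allowed, the page names and the temp directory are hypothetical names chosen for illustration.

```php
<?php
// Added example: resolve_page(), $allowed and the temp directory are hypothetical,
// not code from the thread. Sample files and request values are constructed.
function resolve_page($requested, array $allowed, $baseDir)
{
    // 1. Allowlist: the request only selects a key; the filename comes from our array.
    if (!is_string($requested) || !isset($allowed[$requested])) {
        return null;
    }
    // 2. Fixed directory + basename(): no directory components survive.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . basename($allowed[$requested]));
    // 3. is_file(): file_exists() is also true for a directory such as "pages/".
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // 4. Containment: the resolved path (symlinks followed) must stay under $baseDir.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample site in a temp directory so the script runs offline.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'main.php', "<?php echo 'main page';\n");
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'about-us.html', "<p>About us</p>\n");
$allowed = array('main' => 'main.php', 'about' => 'about-us.html');

// Constructed request values: two valid keys, a raw filename, a path, empty input.
foreach (array('main', 'about', 'main.php', '../index.php', '') as $request) {
    $file = resolve_page($request, $allowed, $baseDir);
    echo str_pad(var_export($request, true), 16), ' => ';
    if ($file === null) {
        echo "Page not found\n";
    } else {
        include $file;
        echo "\n";
    }
}

// Clean up the constructed files.
array_map('unlink', glob($baseDir . DIRECTORY_SEPARATOR . '*'));
rmdir($baseDir);
```

Only the keys 'main' and 'about' reach include; the raw filename, the path and the empty string all fall through to "Page not found". The empty string is the case where file_exists('pages/' . basename('')) would have returned true for the directory itself.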
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Location & structure

Post by josh »

Flycow wrote: I am currently developing a website that uses the location header and GET to refer the current page back to the index page, i.e. index.php?location=main.php
What if you want to get rid of the index.php part, or use a "pretty URL" like /main/, how much code are you going to have to modify under your current technique? I'd recommend a framework, it promotes better practices. There's a saying "there should be 1 place to make any given change". In your software, I'd have to change each page that issues a header redirect.
Flycow
Forum Newbie
Posts: 9
Joined: Thu Jul 08, 2010 8:04 am

Re: Location & structure

Post by Flycow »

josh wrote:
Flycow wrote: I am currently developing a website that uses the location header and GET to refer the current page back to the index page, i.e. index.php?location=main.php
What if you want to get rid of the index.php part, or use a "pretty URL" like /main/, how much code are you going to have to modify under your current technique? I'd recommend a framework, it promotes better practices. There's a saying "there should be 1 place to make any given change". In your software, I'd have to change each page that issues a header redirect.
I think I get your point. At present I'd have to change all the redirection links. But I'm not sure how I'd do it any other way.

Coupled with that, am I right to include the session set within the index, or should each page refer to it individually?