Location & structure
I am currently developing a website that uses the Location header and GET to refer the current page back to the index page, i.e. index.php?location=main.php
The index page 'includes' the header, then the menu, then the main page referred by the location variable.
Can anyone give advantages or disadvantages for this or any other structure.
Re: Location & structure
Very bad concept; never let the user pass filenames across HTTP requests.
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Location & structure
Passing filenames across HTTP requests is fine, so long as they are properly checked before being put to use.
Passing something: index.php?page=about-us.html
Can be easily validated using a whitelist array:
$whitelist = array('about-us.html');
$page = isset($_GET['page']) ? $_GET['page'] : '';   // a missing parameter is just "not found"
// Strict comparison: only a name that is literally in the list is ever used as a path.
if (in_array($page, $whitelist, true)) {
    echo file_get_contents($page);
} else {
    echo 'Page not found';
}

Re: Location & structure
So if I understand right you're saying that I need to validate the results of the GET to ensure no harmful code is present.
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
- Contact:
Re: Location & structure
Flycow wrote: So if I understand right you're saying that I need to validate the results of the GET to ensure no harmful code is present.
Yes, or if you clean the name and specify where it should be located, that would be fine also:
if (file_exists('pages/' . basename($_GET['page']))) {
    // basename() drops any directory part, so the include stays inside pages/
    include('pages/' . basename($_GET['page'])); // for PHP and HTML
} else {
    echo 'Page not found';
}
Re: Location & structure
AbraCadaver wrote:
Flycow wrote: So if I understand right you're saying that I need to validate the results of the GET to ensure no harmful code is present.
Yes, or if you clean the name and specify where it should be located, that would be fine also:
if (file_exists('pages/' . basename($_GET['page']))) {
    include('pages/' . basename($_GET['page'])); // for PHP and HTML
} else {
    echo 'Page not found';
}
I think is_file() is safer.
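The three checks proposed in the thread (alex.barylski's whitelist, AbraCadaver's basename() prefix, and the is_file() suggestion) side by side, as an added example that is not code from any of the posts. It builds a throw-away pages/ directory under the system temp directory, feeds each resolver a set of constructed inputs (legitimate names, traversal, a stream wrapper, and the two "directory" cases), and prints what each one would hand to include(). The file names, the helpers.inc.php file, and the realpath() containment check are my assumptions; it needs PHP 7.4 or later.

```php
<?php
// Added example (not code from the thread). Needs PHP 7.4+; creates and removes a temp tree.
declare(strict_types=1);

$root  = sys_get_temp_dir() . '/locdemo_' . bin2hex(random_bytes(4));
$pages = $root . '/pages';
mkdir($pages, 0700, true);
file_put_contents($pages . '/about-us.html', "<h1>About us</h1>\n");
file_put_contents($pages . '/main.php', "<?php echo 'main';\n");
file_put_contents($pages . '/helpers.inc.php', "<?php function helper() {}\n"); // assumed: not a page, but it lives in pages/
file_put_contents($root . '/config.php', "<?php \$dbPassword = 'secret';\n");  // must never be served

// 1. Allowlist (alex.barylski): only exact, listed names map to a file.
//    Strict comparison so PHP's loose == cannot match anything unexpected.
function resolveAllowlist(string $pages, string $page): ?string
{
    $whitelist = ['about-us.html', 'main.php'];
    return in_array($page, $whitelist, true) ? $pages . '/' . $page : null;
}

// 2. basename() + fixed directory (AbraCadaver): the directory part is stripped, so
//    '../config.php' becomes 'config.php' under pages/. But file_exists() is also true
//    for directories ('.' and '' both resolve to pages/), and every file that happens
//    to sit in pages/ is includable.
function resolveBasename(string $pages, string $page): ?string
{
    $path = $pages . '/' . basename($page);
    return file_exists($path) ? $path : null;
}

// 3. is_file() plus realpath() containment (the is_file() reply, hardened): the
//    canonical path must be a regular file and must stay below pages/.
function resolveContained(string $pages, string $page): ?string
{
    if (strpos($page, "\0") !== false) {        // filesystem calls reject NUL bytes anyway
        return null;
    }
    $base = realpath($pages);
    $real = realpath($pages . '/' . $page);     // false when the path does not exist
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed inputs: legitimate names, a non-page file from pages/, traversal,
// a PHP stream wrapper, and the two "directory" cases that file_exists() lets through.
$inputs = ['about-us.html', 'main.php', 'helpers.inc.php', '../config.php',
           '../../etc/passwd', 'php://filter/resource=../config.php', '.', ''];

$show = function (?string $p) use ($root): string {
    if ($p === null) {
        return 'rejected';
    }
    return substr($p, strlen($root) + 1) . (is_dir($p) ? '  <-- a directory' : '');
};

printf("%-40s %-18s %-26s %s\n", 'input', 'allowlist', 'basename+file_exists', 'realpath+is_file');
foreach ($inputs as $in) {
    printf("%-40s %-18s %-26s %s\n", var_export($in, true),
        $show(resolveAllowlist($pages, $in)),
        $show(resolveBasename($pages, $in)),
        $show(resolveContained($pages, $in)));
}

// Serving a page then reads:
//   $file = resolveAllowlist($pages, $_GET['page'] ?? '');
//   if ($file === null) { http_response_code(404); echo 'Page not found'; } else { include $file; }

// Remove the temp tree.
array_map('unlink', glob($pages . '/*'));
rmdir($pages);
unlink($root . '/config.php');
rmdir($root);
```

Running it shows that basename() really does stop the traversal inputs, that file_exists() accepts '.' and '' (a directory handed to include()), and that both basename() and the realpath() check still accept helpers.inc.php because it merely exists in pages/. Only the allowlist decides by name rather than by what is on disk, which is why it is the check to keep; the containment check is worth having as a second line behind it, not instead of it. Note also that include() executes PHP in whatever file it is given, .html or not, so pages/ must hold only files that are meant to be served.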
Re: Location & structure
Flycow wrote: I am currently developing a website that uses the Location header and GET to refer the current page back to the index page, i.e. index.php?location=main.php
What if you want to get rid of the index.php part, or use a "pretty URL" like /main/, how much code are you going to have to modify under your current technique? I'd recommend a framework, it promotes better practices. There's a saying "there should be 1 place to make any given change". In your software, I'd have to change each page that issues a header redirect.
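The "one place to make any given change" structure josh describes, as an added example that is not code from the thread or from any framework: a front controller whose route table is the only place that knows which page names exist, which file backs each, and whether links look like index.php?page=main or /main/. The route names, the PRETTY_URLS switch, and the header.php/menu.php file names are my assumptions; the constructed requests stand in for what a web server would put in $_SERVER and $_GET, and nothing is actually included from disk.

```php
<?php
// Added example (not code from the thread). Needs PHP 7.1+; no files are read.
declare(strict_types=1);

// The one place that knows which pages exist and which file backs each.
const ROUTES = [
    'main'     => 'pages/main.php',
    'about-us' => 'pages/about-us.html',
];
const DEFAULT_ROUTE = 'main';

// Flip this to switch every link and redirect on the site to /main/ style URLs
// (plus a web-server rewrite sending such paths to index.php); no page is edited.
const PRETTY_URLS = false;

// Every page builds links and redirect targets through this instead of writing
// 'index.php?location=...' by hand.
function url(string $route): string
{
    if (!array_key_exists($route, ROUTES)) {
        throw new InvalidArgumentException("unknown route: $route");
    }
    return PRETTY_URLS ? '/' . $route . '/' : '/index.php?page=' . rawurlencode($route);
}

// A page that wants to send the visitor elsewhere calls this; the Location header
// is emitted in exactly one function.
function redirectTo(string $route): void
{
    header('Location: ' . url($route), true, 303);
    exit;
}

// Recover the route name from either URL style. Anything not in ROUTES, including
// any traversal attempt, yields null; a filename is never derived from the request.
function routeFromRequest(array $server, array $get): ?string
{
    if (isset($get['page']) && is_string($get['page'])) {
        $name = $get['page'];
    } else {
        $path = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH);
        $name = is_string($path) ? trim($path, '/') : '';
        if ($name === '' || $name === 'index.php') {
            $name = DEFAULT_ROUTE;
        }
    }
    return array_key_exists($name, ROUTES) ? $name : null;
}

// What index.php does: header, menu, then the routed page (or a 404). Returns the
// files it would include so the flow can be shown without touching the disk.
function dispatch(array $server, array $get): array
{
    $route  = routeFromRequest($server, $get);
    $status = $route === null ? 404 : 200;
    $body   = $route === null ? '(404 page)' : ROUTES[$route];
    return ['status' => $status, 'includes' => ['header.php', 'menu.php', $body]];
}

// Constructed requests: both URL styles, a bare index.php, and two hostile paths.
$requests = [
    [['REQUEST_URI' => '/index.php?page=about-us'],      ['page' => 'about-us']],
    [['REQUEST_URI' => '/index.php'],                    []],
    [['REQUEST_URI' => '/about-us/'],                    []],
    [['REQUEST_URI' => '/index.php?page=../config.php'], ['page' => '../config.php']],
    [['REQUEST_URI' => '/etc/passwd'],                   []],
];

foreach ($requests as [$server, $get]) {
    $r = dispatch($server, $get);
    printf("%-40s -> %d  %s\n", $server['REQUEST_URI'], $r['status'], implode(' + ', $r['includes']));
}

echo "\nLinks with PRETTY_URLS=", var_export(PRETTY_URLS, true), ': ', url('main'), '  ', url('about-us'), "\n";
```

With this layout the pages themselves never mention index.php or a query string: they call url() for links and redirectTo() for redirects, so changing the URL scheme is a one-constant edit, and the same route table doubles as the allowlist from the earlier replies because the request can only ever select a key, never supply a path.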
Re: Location & structure
josh wrote: What if you want to get rid of the index.php part, or use a "pretty URL" like /main/, how much code are you going to have to modify under your current technique? I'd recommend a framework, it promotes better practices. There's a saying "there should be 1 place to make any given change". In your software, I'd have to change each page that issues a header redirect.
I think I get your point. At present I'd have to change all the redirection links. But I'm not sure how I'd do it any other way.
Coupled with that, am I right to include the session setup within the index, or should each page refer to it individually?