Location & structure
Posted: Mon Jan 10, 2011 7:48 am
by Flycow
I am currently developing a website that uses the Location header and GET to refer the current page back to the index page, i.e. index.php?location=main.php
The index page 'includes' the header, then the menu, then the main page referred by the location variable.
Can anyone give advantages or disadvantages for this or any other structure?
Re: Location & structure
Posted: Mon Jan 10, 2011 8:17 am
by Technical
Very bad concept; never let a user pass filenames across HTTP requests.
Re: Location & structure
Posted: Mon Jan 10, 2011 1:57 pm
by alex.barylski
Passing filenames across HTTP requests is fine, so long as they are properly checked before being put to use.
Passing something: index.php?page=about-us.html
Can be easily validated using a whitelist array:
$whitelist = array('about-us.html');
// Only a name that appears in the whitelist is ever opened; anything else is rejected.
if(isset($_GET['page']) && in_array($_GET['page'], $whitelist, true)){
echo file_get_contents($_GET['page']);
}
else{
echo 'Page not found';
}
Re: Location & structure
Posted: Mon Jan 10, 2011 2:10 pm
by Flycow
So if I understand right you're saying that I need to validate the results of the GET to ensure no harmful code is present.
Re: Location & structure
Posted: Mon Jan 10, 2011 2:16 pm
by AbraCadaver
Flycow wrote: So if I understand right you're saying that I need to validate the results of the GET to ensure no harmful code is present.
Yes, or if you clean the name and specify where it should be located that would be fine also:
// basename() strips any directory part, so the lookup stays inside pages/
if(isset($_GET['page']) && file_exists('pages/' . basename($_GET['page']))){
include('pages/' . basename($_GET['page'])); // for PHP and HTML
} else {
echo 'Page not found';
}
Re: Location & structure
Posted: Mon Jan 10, 2011 2:31 pm
by Technical
AbraCadaver wrote:
Flycow wrote: So if I understand right you're saying that I need to validate the results of the GET to ensure no harmful code is present.
Yes, or if you clean the name and specify where it should be located that would be fine also:
// basename() strips any directory part, so the lookup stays inside pages/
if(isset($_GET['page']) && file_exists('pages/' . basename($_GET['page']))){
include('pages/' . basename($_GET['page'])); // for PHP and HTML
} else {
echo 'Page not found';
}
I think is_file() is more safe.
Re: Location & structure
Posted: Mon Jan 10, 2011 8:45 pm
by josh
Flycow wrote: I am currently developing a website that uses the Location header and GET to refer the current page back to the index page, i.e. index.php?location=main.php
What if you want to get rid of the index.php part, or use a "pretty URL" like /main/, how much code are you going to have to modify under your current technique? I'd recommend a framework, it promotes better practices. There's a saying "there should be 1 place to make any given change". In your software, I'd have to change each page that issues a header redirect.
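The whitelist, basename()/is_file() and "one place to make any given change" points from the replies above, put together in one front controller. This is an added example written for this thread, not code posted by any of the participants; the pages/ directory, the slug names, the layout file names and the default page are assumptions:

```php
<?php
// Added example: a single index.php that maps a URL slug to a page file.
// Only slugs listed in ROUTES can ever be included, and every redirect is built
// by one helper, so changing the URL shape touches one function, not every page.
// Assumptions: pages live in ./pages/, layout files are header.php/menu.php/footer.php.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Whitelist: URL slug => file inside PAGES_DIR. Adding a page means adding one line.
const ROUTES = [
    'main'     => 'main.php',
    'about-us' => 'about-us.php',
    'contact'  => 'contact.php',
];

/**
 * Resolve a slug to an absolute file path, or null if it is not an allowed page.
 * The whitelist is the real control; realpath()/is_file() are kept as defence in
 * depth so a misconfigured entry can never point at a directory or outside PAGES_DIR.
 */
function resolvePage(string $slug): ?string
{
    if (!isset(ROUTES[$slug])) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ROUTES[$slug]);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must sit under the pages directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * The one place that knows what a page URL looks like. With a rewrite rule that
 * turns /about-us/ into index.php?page=about-us, only this function changes.
 */
function pageUrl(string $slug): string
{
    return '/index.php?page=' . rawurlencode($slug);
}

/** Redirect by slug, never by filename, and never echo user input into the header. */
function redirectToPage(string $slug): void
{
    if (!isset(ROUTES[$slug])) {
        $slug = 'main';
    }
    header('Location: ' . pageUrl($slug), true, 303);
    exit;
}

// The session is started once here, so individual pages do not have to.
session_start();

// Accept the slug only as a plain string; ?page[]=x would otherwise be an array.
$slug = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'main';

$file = resolvePage($slug);
if ($file === null) {
    http_response_code(404);
}

include PAGES_DIR . '/header.php';
include PAGES_DIR . '/menu.php';
if ($file !== null) {
    include $file;
} else {
    echo '<p>Page not found</p>';
}
include PAGES_DIR . '/footer.php';
```

With this layout, a page that wants to send the visitor elsewhere calls redirectToPage('contact') rather than emitting its own Location header with a filename, so the redirect targets and the URL format are both changed in one file.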
Re: Location & structure
Posted: Wed Jan 12, 2011 3:27 am
by Flycow
josh wrote:
Flycow wrote: I am currently developing a website that uses the Location header and GET to refer the current page back to the index page, i.e. index.php?location=main.php
What if you want to get rid of the index.php part, or use a "pretty URL" like /main/, how much code are you going to have to modify under your current technique? I'd recommend a framework, it promotes better practices. There's a saying "there should be 1 place to make any given change". In your software, I'd have to change each page that issues a header redirect.
I think I get your point. At present I'd have to change all the redirection links. But I'm not sure how I'd do it any other way.
Coupled with that, am I right to include the session setup within the index, or should each page refer to it individually?