newbie's question
Moderator: General Moderators
- scorpio2002
- Forum Newbie
- Posts: 2
- Joined: Tue May 31, 2005 9:00 am
Hi there!
I'm new to php and I've recently learnt to use "include" to include a file in my php page. Now I'd like to be able to achieve more.
I'd like "include" to work with variables. For example... If I type " http://www.mypage.it/index?=credits.html " I'd like the include command to include the page credits.html.
If I'm not mistaken, the following site uses something like that: http://www.baslug.org/index.php
Is that possible?
Thank you in advance.
Donato
p.s.: sorry for my English...
wrong forum. Use this instead:
http://example.com/?file=example.html
then,
Code:
if (file_exists($_GET['file'])) include $_GET['file'];
else print("File not found.");
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
- scorpio2002
- Forum Newbie
- Posts: 2
- Joined: Tue May 31, 2005 9:00 am
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
I tend to create an array of accepted pages.
And when calling a page I see whether or not it exists in the page.
If it exists, then the page call is valid, if not, redirect them somewhere else, such as a 404 page.
You should also make sure the page exists, just because that's common sense
Without doing this check, you could potentially load a php script from another server, and it could 1) bring down your site and possibly server 2) gather important information about your site
an example of this attack would be http://www.domain.com/?page=http://badd ... script.php
Code:
$valid = array('home','news','forums');
Code:
//make sure $page has a value, if not assign it a default
$page = !empty($_GET['page']) ? $_GET['page'] : 'home';
if (in_array($page,$valid) && file_exists($page.'.php'))
{
    include($page.'.php');
}
else
{
    include('404.html');
}
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
- CoderGoblin
- DevNet Resident
- Posts: 1425
- Joined: Tue Mar 16, 2004 10:03 am
- Location: Aachen, Germany
I've found http://www.php.net/realpath to be very useful to determine if the file is really in the wanted directory....
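The allow-list from the reply above combined with the realpath() check suggested in the last post, as an added example that is not part of any post in this thread. The function name resolve_page, the temporary directory layout and the sample requests are assumptions constructed for the demo; it needs PHP 7.1 or later.

```php
<?php
// Added example: resolve a requested page name to a file that is guaranteed
// to live inside $baseDir, or return null. All names here are hypothetical.
function resolve_page(string $baseDir, array $valid, ?string $requested): ?string
{
    // Same default as in the thread: no value means the home page.
    $page = ($requested === null || $requested === '') ? 'home' : $requested;

    // 1) Allow-list: only names the site author listed are ever considered.
    if (!in_array($page, $valid, true)) {
        return null;
    }

    // 2) realpath() canonicalises the path (resolves "..", symlinks) and
    //    returns false when the file does not exist.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $full === false) {
        return null;
    }

    // 3) Containment: the canonical path must still start with the base dir.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed demo data: a throwaway pages directory containing a symlink
// that points outside it, which the allow-list alone would not catch.
$root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
$pages = $root . DIRECTORY_SEPARATOR . 'pages';
mkdir($pages, 0700, true);
file_put_contents($pages . '/home.php', '<?php echo "home";');
file_put_contents($root . '/secret.php', '<?php echo "outside";');
@symlink($root . '/secret.php', $pages . '/news.php'); // may fail on Windows

$valid = array('home', 'news', 'forums');
$requests = array(null, 'home', 'news', 'forums', '../secret', 'http://example.com/x');
foreach ($requests as $req) {
    $file = resolve_page($pages, $valid, $req);
    printf("%-24s => %s\n", var_export($req, true), $file ?? '404');
}
// A caller would then do: include ($file ?? '404.html');
```

Only the empty request and 'home' resolve to a file; 'news' is on the allow-list but is rejected because its canonical path leaves the pages directory.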