using Function in the query string to call another PHP Page?


Permutant

Hello All,

 

I've just recently started working with PHP from being a .NET and JSP guy.  I have moved an application from a previous server to a new one with a newer version of PHP but with a fresh install.  Finally got MySQL up and running correctly and the application all works after some minor tweaks in the code.  Just one thing still perplexes me.

 

In my admin panel all the pages are referenced like this

index.php?function=addproduct

 

or

 

index.php?function=deleteproduct

 

Now addproduct and deleteproduct are PHP pages that actually exist, and there is no code in the index.php function to read the query parameter function and then redirect to the correct page.

 

My index.php simply looks like this:

<?php
session_save_path("C:\phpsessions\dyn\phpsessions");
session_start();

mysql_connect ('localhost','user','password');
mysql_select_db('dynamite_admin');

$query = mysql_query("SELECT * FROM authenticate WHERE username = '$user' AND password = '$pass'");
$number = mysql_num_rows ($query);

$logged = $_SESSION["logged"];
$user = $_SESSION["user"];
$pass = $_SESSION["pass"];
$session = $_SESSION["session"];

if ($logged != 1 && $number != 1 && $session = session_id()) {
require($_SERVER['DOCUMENT_ROOT'].'/admin/login.php');
}

else {
require($_SERVER['DOCUMENT_ROOT'].'/admin/logged.php');

}
?>

 

So is the use of Function a plug-in or something else?  Can I make changes to index.php to support this method?  Searching for information on this was impossible.  Try typing "PHP Function Query" or any other permutation of that.

 

Thanks,

 

Darren

You can grab the value of function in the query string by using the $_GET superglobal array.

 

$_GET['function']

 

if ( $_GET['function'] == 'addproduct' ) {
   require( 'addproduct.php' );
}

 

Avoid using code like this, as it can be easily exploited:

 

require( $_GET['function'] );

 

Instead, use this:

 

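// Allowlist of page names that may be loaded through ?function=
$pages = array('addproduct', 'deleteproduct', 'editproduct');
// isset() avoids a notice when the parameter is absent; the third
// argument makes in_array() compare strictly (type and value)
if ( isset($_GET['function']) && in_array($_GET['function'], $pages, true) ) {
    require( $_GET['function'].'.php' );
}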
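The allowlist approach from the answer above, carried a step further as an added example that is not part of the original thread: the request value is used only as a lookup key, so it never becomes part of the file path, and missing or array-typed input is rejected. The function name resolve_page, the pages directory and PHP 7.1+ syntax are assumptions.

```php
<?php
// Added example (not from the thread). resolve_page(), the page names and
// the "pages" directory are hypothetical; requires PHP 7.1 or later.

/**
 * Resolve the ?function= value to a file path, or null if it is not allowed.
 * The request value is only ever used as a lookup key, never as a path.
 */
function resolve_page(array $query, array $allowed, string $baseDir): ?string
{
    $name = $query['function'] ?? null;

    // Reject a missing parameter and array input such as ?function[]=x.
    if (!is_string($name)) {
        return null;
    }
    // Exact-match lookup: values containing "../" or a URL never match a key.
    if (!array_key_exists($name, $allowed)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . $allowed[$name];
}

// Allowlist: request value => file on disk (hypothetical names).
$allowed = [
    'addproduct'    => 'addproduct.php',
    'deleteproduct' => 'deleteproduct.php',
    'editproduct'   => 'editproduct.php',
];
$baseDir = __DIR__ . DIRECTORY_SEPARATOR . 'pages';

// Constructed sample requests, standing in for $_GET.
$samples = [
    ['function' => 'addproduct'],      // allowed
    ['function' => '../../config'],    // not a key: rejected
    ['function' => ['addproduct']],    // array input: rejected
    [],                                // parameter absent: rejected
];
foreach ($samples as $query) {
    $path = resolve_page($query, $allowed, $baseDir);
    echo json_encode($query), ' => ', $path ?? 'rejected', PHP_EOL;
}

// In index.php, only after the login check has passed:
//   $path = resolve_page($_GET, $allowed, $baseDir);
//   if ($path === null) { http_response_code(404); exit; }
//   require $path;
```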

Thanks discomatt and cooldude832.

 

I think I'll probably just change the page how discomatt suggested.  The reason I'm confused about this otherwise is that the page used to work before with a different server on an older version of PHP.  The pages were just referenced with index.php?function=addproduct and voilà you would get the addproduct.php page.  I included the entire index.php.  So how is it doing this magic?  I thought it might have been some PHP specific thing, but I guess it was not.

 

Also there is no admin panel anymore.  This is a totally Co-Located Windows Server 2003.  Terminal Services is our admin panel now.  So cooldude832 I guess there is something I should look up?  Making a class that works kind of as a catch all?

 

Thanks,

 

Darren

Archived

This topic is now archived and is closed to further replies.
