error handling when requiring a page inside another which doesn't exist


Hi everyone,

I would like to know how I can customize the following error:

When, for example, I have a page called index.php, inside it I use require_once("menu.php")

I get this from my GET variable, e.g. ?id=menu. How can I customize the error instead of giving this when the page does not exist:

Warning: require(files/menu.php) [function.require]: failed to open stream: No such file or directory in C:\wamp\www\website\index.php on line 21

Fatal error: require() [function.require]: Failed opening required 'files/menu.php' (include_path='.;C:\php5\pear') in C:\wamp\www\website\index.php on line 21

to say: Page you have chosen does not exist.

Hope you will understand what I am trying to do.

if (isset($_GET['id'])) {
  if (file_exists($_GET['id'] . '.php')) {
    require_once $_GET['id'] . '.php';
  } else {
    echo "Sorry the page you are looking for does not exist";
  }
}

Be aware, however, that this still poses a security issue on some configurations. Much safer to provide an array of valid file names, e.g.:

$valid = array('home','about','blog');
if (isset($_GET['id']) && in_array($_GET['id'], $valid)) {
  if (file_exists($_GET['id'] . '.php')) {
    require_once $_GET['id'] . '.php';
  } else {
    echo "Sorry the page you are looking for does not exist";
  }
}

You mean every page request you're going to do a file_exists(), that doesn't seem very smart. It's better to create a list of pages that exist within the application and then place those in a switch() and throw an error if the $_GET['page'] is not in that list! The application should define the logic, not the incoming user data.

But in my case, if file_exists = false, I give a default id ^^ (main.php)

There's no need for any switches. The list is a good idea, however (see my code above), as file_exists can return true when given a remote file (on some configurations).

Still, even with a list of valid pages, file_exists should be checked to prevent errors.

Can you please explain to me what types of security issues you're talking about?

file_exists returns TRUE or FALSE if the specified filename exists or not.

Now, I think as of 4.6 or 5.0 file_exists will return true or false for some URLs, like

http://whatever.com/whatever.php

Now, if that exists on whatever.php then it will return true, and then whatever code you have inside "whatever.php" will be "included" into your page.

Now, if they have un-evaluated PHP inside of whatever.php then they now have control over your files.
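
The allowlist approach discussed in this thread, as an added example that is not code from any of the posters. It assumes PHP 7.1 or later; the `files/` directory is taken from the error message in the question, while the page names, the `PAGES` map and the `resolve_page()` helper are hypothetical. The request value is only ever used as a lookup key, so it never becomes part of the path handed to `require`.

```php
<?php
// Added example: ids map to fixed local files. The page names and the
// resolve_page() helper are assumptions made for illustration.

const PAGE_DIR = __DIR__ . '/files';

const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
    'blog'  => 'blog.php',
];

/**
 * Resolve a requested id to an absolute local path, or null when the id
 * is not on the allowlist or the file is missing on disk.
 */
function resolve_page($id): ?string
{
    // Reject arrays (?id[]=x) and anything that is not an exact key.
    if (!is_string($id) || !array_key_exists($id, PAGES)) {
        return null;
    }

    $path = PAGE_DIR . '/' . PAGES[$id];

    // is_file() only guards against a deployment that lacks the file.
    // The path is built from constants, so a URL or "../" sequence in
    // the request can never reach this call or the require below.
    return is_file($path) ? $path : null;
}

$id   = $_GET['id'] ?? 'home';   // default page when no id is given
$path = resolve_page($id);

if ($path === null) {
    // Custom error in place of PHP's warning and fatal error output.
    http_response_code(404);
    echo 'The page you have chosen does not exist.';
    exit;
}

require $path;
```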
