denoteone Posted April 21, 2009 Share Posted April 21, 2009 I want to inlcude a .txt file based on a varibale passed in the url and if that variable is not set in the url then show the default include file. This is what I have so far but I am pretty sure that I am not checking if it is set properly. The links could look like so. http://www.mysite.com?page=project1 this would include the txt file named project1.txt or http://www.mysite.com //this would show the default <?PHP if($_GET['page'] isset){ $page = $_GET['page'] . '.txt'; include $page; }else{ include 'default.txt'; } ?> Link to comment https://forums.phpfreaks.com/topic/155084-solved-include-file-based-on-variable-in-url/ Share on other sites More sharing options...
The Little Guy Posted April 21, 2009 Share Posted April 21, 2009 I would do it like so: <?php if(isset($_GET['page'])){ $page = $_GET['page'] . '.txt'; }else{ $page = 'default.txt'; } $handle = fopen($page, 'r'); $contents = fread($handle, filesize($page)); echo $contents ?> Link to comment https://forums.phpfreaks.com/topic/155084-solved-include-file-based-on-variable-in-url/#findComment-815725 Share on other sites More sharing options...
denoteone Posted April 21, 2009 Author Share Posted April 21, 2009 Thanks Little Guy. Is there a reason behind not using "include" ? Hey love the avatar they make me smile too! Link to comment https://forums.phpfreaks.com/topic/155084-solved-include-file-based-on-variable-in-url/#findComment-815729 Share on other sites More sharing options...
Seven_Rings Posted April 21, 2009 Share Posted April 21, 2009 The only thing you are doing wrong is the isset. Syntax is isset($var). This should be a working version of your code: <?php if(isset($_GET['page'])) { $page = $_GET['page'].'.txt'; include $page; } else { include 'default.txt'; } ?> Enjoy, -Seven_Rings Link to comment https://forums.phpfreaks.com/topic/155084-solved-include-file-based-on-variable-in-url/#findComment-815731 Share on other sites More sharing options...
PFMaBiSmAd Posted April 21, 2009 Share Posted April 21, 2009 To avoid raw php code inclusion from a remote hacker's site, if you are going to include a file this way, either validate that $_GET['page'] only has very specific values in it that match your pages or check if the file $_GET['page'].'.txt' exists on your web server, or make sure that allow_url_include is off (php5.2.0 and higher), or make sure that allow_url_fopen is off (before php5.2.0.) Without these checks, someone can visit your page using http://www.mysite.com?page=http://hackers_site/project1 where he has a file project1.txt on his site that contains raw php code that will then get included and executed on your server. Link to comment https://forums.phpfreaks.com/topic/155084-solved-include-file-based-on-variable-in-url/#findComment-815763 Share on other sites More sharing options...
Seven_Rings Posted April 21, 2009 Share Posted April 21, 2009 Very good advice PFMaBiSmAd. I was trying to be very straightforward, but I probably should have mentioned this. Thanks, -Seven_Rings Link to comment https://forums.phpfreaks.com/topic/155084-solved-include-file-based-on-variable-in-url/#findComment-815768 Share on other sites More sharing options...
The Little Guy Posted April 21, 2009 Share Posted April 21, 2009 you probably would want to place all the txt files in a folder, then make it the "Root" include folder... so anything above that folder can not be accessed... Link to comment https://forums.phpfreaks.com/topic/155084-solved-include-file-based-on-variable-in-url/#findComment-815769 Share on other sites More sharing options...
laffin Posted April 21, 2009 Share Posted April 21, 2009 Thanks Little Guy. Is there a reason behind not using "include" ? Hey love the avatar they make me smile too! I think the reason behind this, is because its not .php if it was .php, u can assum its html/php code in the file so include can process the code in the file fread/echo doesnt process the code. it just spits it out to the browser as is. and if its a php script, and ya name it .txt its a bad idea as than anyone can see the script, and look for ways of breaking the script I think u can replace the fread/echo with readfile instead Link to comment https://forums.phpfreaks.com/topic/155084-solved-include-file-based-on-variable-in-url/#findComment-815779 Share on other sites More sharing options...
The Little Guy Posted April 21, 2009 Share Posted April 21, 2009 Thanks Little Guy. Is there a reason behind not using "include" ? Hey love the avatar they make me smile too! I think the reason behind this, is because its not .php if it was .php, u can assum its html/php code in the file so include can process the code in the file fread/echo doesnt process the code. it just spits it out to the browser as is. and if its a php script, and ya name it .txt its a bad idea as than anyone can see the script, and look for ways of breaking the script I think u can replace the fread/echo with readfile instead In my opinion allowing users to choose a file and execute it is a little more dangerous with include/require... Link to comment https://forums.phpfreaks.com/topic/155084-solved-include-file-based-on-variable-in-url/#findComment-815785 Share on other sites More sharing options...
denoteone Posted April 23, 2009 Author Share Posted April 23, 2009 [quote]To avoid raw php code inclusion from a remote hacker's site, if you are going to include a file this way, either validate that $_GET['page'] only has very specific values in it[/quote] So if all my text files that I am including will only have a file name of 4 characters would the following code test work? if(isset($_GET['page'])) { $pagecount = strlen($page); if($pagecount > 4){ this is not a valid file }else{ $page = $_GET['page'].'.txt'; include $page; }else { include 'default.txt'; } [/code] Link to comment https://forums.phpfreaks.com/topic/155084-solved-include-file-based-on-variable-in-url/#findComment-817409 Share on other sites More sharing options...
jonsjava Posted April 23, 2009 Share Posted April 23, 2009 this is a safer way than your method. This way, they can only choose a page that you have allowed explicitly: <?php $allowed_pages = array("project1", "main", "project2", "project3"); if (isset($_GET['page']) && in_array($_GET['page'], $allowed_pages)){ $page = $_GET['page'].".txt"; } else{ $page = "main.txt"; } include($page); ?> Link to comment https://forums.phpfreaks.com/topic/155084-solved-include-file-based-on-variable-in-url/#findComment-817428 Share on other sites More sharing options...
denoteone Posted April 23, 2009 Author Share Posted April 23, 2009 Thanks! jonsjava and everyone else! Link to comment https://forums.phpfreaks.com/topic/155084-solved-include-file-based-on-variable-in-url/#findComment-817467 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.