[SOLVED] Form error handling with include()

[jasc2k]

Hi all,

I am building a new website that uses the php include statment in a main index.php file to include the main pages content as below...

 

$content = $_GET['id'];
if(empty($content)){
    include("include/main.php");
}
else{
if (file_exists('include/' . $content . '.php')){
include('include/' . $content . '.php');
}
else{
include("include/404.php");
};
};

 

 

However I have now added in a form that uses an external file add.php to add users to a database when they signup using this form, but the error handler in this file populates an $error variable then an echo to display an error, but I dont want it to echo it onto a blank page so I tried the include statment but obviously this just includes my error.php on a new page. What I would like to do is to include that error.php within my main page index.php or just refresh the page with the error on it. Sorry for the complex explanation I hope you get what I mean! )

 

Site URL:

http://www.millautosupplies.co.uk/v3slider/index.php?id=signup

 

Thanks in advance

James

[mattal999]

I'm not sure what you're saying exactly, but your code is immediately vulnerable to inclusion.

 

Example: http://www.millautosupplies.co.uk/v3slider/index.php?id=../add

 

Might want to use cases instead of just including a value that anyone can tamper with...

 

Example of that:

 

<?php

// Get the relevant file and include it
$task = $_GET['task'];
switch ($task) {
  case "home":
    $task = "home";
    break;
  case "register":
    $task = "register";
    break;
  default:
    $task = "index";
    break;
}

// Include the content
include("include/".$task.".php");

?>

[jasc2k]

hi,

 

cheers for the reply, i was trying to get around typing out a case for every page but I now see the vunrability, I guess I better get typing, lol

 

I will try an explain beter:

I am using the index page as a header and then include any other pages within it using the previous code.

I also have a form page called signup.php. The form action is add.php and this file adds a user to a mysql database and if there are any errors its stored in a variable called $error

this file is basically this

if ($error == ""){
//then add user to database etc
else {
include("index.php");

I want it to include the signup.php with the errors on not the index page

but if i try to include("include/signup.php")

it appears but it not inside my index.php

my signup.php picks up the error using:

<?php echo "$error" ?>

 

so ideally I want to inclue("index.php?id=signup") but this errors as below:

Warning: include(index.php?id=signup) [function.include]: failed to open stream: No such file or directory in /web1/user3653/website/v3slider/add.php on line 163

 

Warning: include() [function.include]: Failed opening 'index.php?id=signup' for inclusion (include_path='.:') in /web1/user3653/website/v3slider/add.php on line 163

 

Any thoughts?

Cheers

[mattal999]

That's because you need to include this: ../signup

 

Your index is including files in "include/$filename.php", so at the moment, it is trying to include "include/signup.php", which should be "signup.php". By using ../, it navigates up one directory, back to where index.php is.

 

Let me know how it goes.

[jasc2k]

that sorted it. cheers all