grabbing pages with include()



#1 draxxus

draxxus
  • Members
  • Pip
  • Newbie
  • 4 posts

Posted 20 September 2006 - 02:20 AM

Is it better to use switch cases like this:

URL = index.php?content=home

$content = $_GET['content'];
switch($content){
case "home":
include "home.php";
break;
}

or could I do like
URL = index.php?content=index.php

$content = $_GET['content'];
include ("$content");

Reason is I have a large menu with 40+ links and writing a bunch of switch cases will be long and tedious.

Just making sure.
Thanks!



#2 448191

448191
  • Staff Alumni
  • Advanced Member
  • 3,545 posts
  • LocationNetherlands

Posted 20 September 2006 - 04:40 AM

Is it better to use switch cases like this:

URL = index.php?content=home

$content = $_GET['content'];
switch($content){
case "home":
include "home.php";
break;
}

or could I do like
URL = index.php?content=index.php

$content = $_GET['content'];
include ("$content");

Reason is I have a large menu with 40+ links and writing a bunch of switch cases will be long and tedious.

Just making sure.
Thanks!



Be sure you use ABSOLUTE file references, because the above is a security nightmare!

If you insist on using this manner of routing (not even sure you can call this routing), I'd suggest option 1, just don't match 'content' with any filenames you have.

But if you want to avoid using 40 switches, I would suggest something like this:

include ($_SERVER['DOCUMENT_ROOT'].$content.'.php');

I can't recommend it, as it can lead to unwanted results like including a file you don't want included and thus is a potential security risk.


#3 Jenk

Jenk
  • Members
  • PipPipPip
  • Advanced Member
  • 778 posts

Posted 21 September 2006 - 02:11 PM

Whitelist your pages. Whitelisting is the most secure method of validation.

#4 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 21 September 2006 - 06:14 PM

I would go for a list of modules (in an array), then load the file like this:

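// $modules maps each allowed page name to a file under includes/ (assumed shape: 'home' => 'home.php')
if(isset($_GET['page']) && is_string($_GET['page']) && isset($modules[$_GET['page']]))
{
	// Only values taken from $modules ever reach include()
	include("includes/{$modules[$_GET['page']]}");
}
else {
	include("includes/home.php");
}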


#5 redbullmarky

redbullmarky
  • Staff Alumni
  • Advanced Member
  • 2,863 posts
  • LocationBedfordshire, England

Posted 21 September 2006 - 08:43 PM

Whitelist your pages. Whitelisting is the most secure method of validation.

for the layman?
"you have to keep pissing in the wind to learn how to keep your shoes dry..."

I say old chap, that is rather amusing!

#6 448191

448191
  • Staff Alumni
  • Advanced Member
  • 3,545 posts
  • LocationNetherlands

Posted 21 September 2006 - 08:49 PM

Whitelist your pages. Whitelisting is the most secure method of validation.

for the layman?


Whitelist === opposite of Blacklist  :P

#7 neylitalo

neylitalo
  • Staff Alumni
  • Advanced Member
  • 1,854 posts
  • LocationMichigan, USA

Posted 21 September 2006 - 10:11 PM

Whitelist your pages. Whitelisting is the most secure method of validation.

for the layman?


Instead of just
include($content.".php");
do something that'll keep a list of valid pages to include, and if the page requested isn't in that list, then throw an exception or throw a "you idiot" page at them.
http://nealylitalo.net - My personal website, and home of The Netizen's Journal.

#8 Jenk

Jenk
  • Members
  • PipPipPip
  • Advanced Member
  • 778 posts

Posted 24 September 2006 - 06:37 PM

A whitelist is like a guest list. If your name's not down, you're not getting in.

Only swap guests for pages..

<?php

$pages = array(
    'home',
    'register',
    'etc..'
);

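// Strict in_array(): the requested name must match a list entry exactly
if (isset($_GET['page']) && in_array($_GET['page'], $pages, true)) {
    include realpath('/path/to/pages/' . $_GET['page'] . '.php');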
} else {
    include realpath('/path/to/pages/default.php');
}

?>


#9 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 24 September 2006 - 06:41 PM

A whitelist is like a guest list. If your name's not down, you're not getting in.

Only swap guests for pages..

<?php

$pages = array(
    'home',
    'register',
    'etc..'
);

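// Strict in_array(): the requested name must match a list entry exactly
if (isset($_GET['page']) && in_array($_GET['page'], $pages, true)) {
    include realpath('/path/to/pages/' . $_GET['page'] . '.php');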
} else {
    include realpath('/path/to/pages/default.php');
}

?>


Could be done simpler:
<?php
// input => file
$pages = array(
    'home' => 'home',
    'register' => 'register',
    'page1'	=> 'page2',
);

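// Fall back to "home" when the parameter is missing, not a string, or not a key of $pages
$page = (!empty($_GET['page']) && is_string($_GET['page'])) ? strtolower($_GET['page']) : "home";
if (!isset($pages[$page])) {
    $page = "home";
}
include "/path/to/pages/{$pages[$page]}.php";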
?>


#10 Jenk

Jenk
  • Members
  • PipPipPip
  • Advanced Member
  • 778 posts

Posted 24 September 2006 - 07:16 PM

Simpler != readable ;)

<?php

include (!empty($_GET['page']) && in_array($_GET['page'], array('home', 'register', 'login', 'logout', 'etc')) ? realpath('/path/to/pages/' . $_GET['page'] . '.php') : realpath('/path/to/pages/default.php'));


?>
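
Added example, not part of the original thread and not any poster's code: a whitelist built from the files that actually exist in one pages directory, so the 40+ links from the first post need no hand-written switch cases, and the request value is only ever used as an array key. PAGES_DIR, build_page_whitelist() and resolve_page() are hypothetical names, and the example assumes the pages directory holds nothing except files that are meant to be included.

```php
<?php
// Added example; PAGES_DIR and both function names are assumptions, not from the thread.
define('PAGES_DIR', __DIR__ . '/pages');

/**
 * Build the whitelist from the .php files present in $dir.
 * Returns an array of page name => absolute, resolved file path.
 */
function build_page_whitelist($dir)
{
    $pages = array();
    $root  = realpath($dir);
    $files = glob($dir . '/*.php') ?: array(); // glob() returns false on error
    foreach ($files as $file) {
        $real = realpath($file);
        // Skip anything (e.g. a symlink) that resolves outside the pages directory.
        if ($root !== false && $real !== false && dirname($real) === $root) {
            $pages[basename($real, '.php')] = $real;
        }
    }
    return $pages;
}

/**
 * Map the request value to a whitelisted file. The value is used only as an
 * array key and is never concatenated into a path, so "../" sequences, URLs
 * and array-valued parameters simply fail the lookup.
 */
function resolve_page($requested, array $pages, $default = 'home')
{
    if (is_string($requested) && isset($pages[$requested])) {
        return $pages[$requested];
    }
    return isset($pages[$default]) ? $pages[$default] : null;
}

$pages = build_page_whitelist(PAGES_DIR);
$file  = resolve_page(isset($_GET['content']) ? $_GET['content'] : null, $pages);

if ($file === null) {
    // Neither the requested page nor the default exists: fail closed.
    header('HTTP/1.1 404 Not Found');
    exit('Page not found');
}
include $file;
```

With this layout index.php itself sits outside the pages directory, so index.php?content=index cannot make the script include itself.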




