
I have a few PHP files. Currently, if the URL contains page=var, index includes var.php, otherwise it includes home.php.

 

Apparently, this method makes the site easy to hack through Remote File Inclusion. Also, using PHP5 breaks this method entirely, as no matter what you set page to in the URL, it includes home.php.

 

What's the best way to do this without using the URL? Give example code if possible. I've used PHP for a while but haven't really gotten past the beginner level. I'd really appreciate any help.

 

Thanks.

this method makes the site easy to hack through Remote File Inclusion

^^^ Only if you are not validating the external $_GET['page'] value AND the setting that permits a URL to be used as a source in an include statement is turned ON.

 

using PHP5 breaks this method entirely

^^^ Only if you are using outdated (~8 years ago) code.

 

If you want help with your code, you would need to post it.

Thanks for replying. There's nothing to it, seriously.

 

I link to pages like:

<a href="http://www.website.com/?page=var">

 

And index contains:

 

<?php
if ($page != null)
    include $page.".php";
else
    include "home.php";
?>

 

If you could tell me how to make it work in PHP5, and how to make it be secure, I'd greatly appreciate it. :D

It's always going to include "home.php" because you haven't declared what $page is from the URL.

 

How would I declare what page is? Before updating to PHP5, it worked fine.

 

Also, how can I secure it so that external URLs can't be used?

Posted all the PHP on the page above. The rest of the page is just an HTML layout. But, even if I do fix the include, I need to make sure it's secure, too. Otherwise, I'm in the same position I was in (my page being insecure and open to remote file inclusion).

<?php
if(!empty($page)) {
  include($page.".php");
} else {
  include("home.php");
}
?>

 

If you wish to capture $GET vars be sure to clean them...

 

Here's a bit of my code I use to clean up strings:

// Clean all incoming strings
function clean($string) {
    $k = trim($string);                    // strip surrounding whitespace
    $k = htmlspecialchars($k);             // encode HTML metacharacters in the trimmed value
    $k = mysql_real_escape_string($k);     // escape for the (already open) MySQL connection
    return $k;
}

 

You will need to call the database before you can use mysql_real_escape_string($string).

 

Good Luck

- tony

If you had bothered to read the thread, you'd have seen there is no database involved at all. Moreover, there's no need to use htmlspecialchars() to insert data into a database.

 

Anyhow, back to the topic.

 

If that's all of the PHP, then my suspicions were correct; the script relies on register_globals = On. You need to assign the value of $_GET['page'] to the $page variable.

 

if( isset($_GET['page']) ) {
     $page = $_GET['page'];   // superglobal names are case-sensitive: $_GET, not $_get
}

 

As for protecting against remote file inclusion, there's a tutorial on the subject on the main part of the site HERE.
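Putting the two points above together (read $_GET['page'] explicitly instead of relying on register_globals, and validate it so include() can never be pointed at a URL or an arbitrary path), here is an added example of a whitelisting front controller. It is not code from the thread or its author; the pages/ directory, the page names in the table and the error handling are assumptions for illustration.

```php
<?php
// Added example: whitelist-based page include, replacing the register_globals-era pattern.
// Assumed layout: page templates live in ./pages/, e.g. ./pages/home.php (hypothetical).

// The only pages the URL may select. Anything else, including "http://evil.example/x",
// "../../etc/passwd" or "php://filter/...", is rejected because it is not a key in this
// table. A lookup in a fixed table has no pattern to bypass, unlike a blacklist.
$allowed_pages = array(
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
);

// Read the query parameter explicitly; nothing is copied into $page by PHP any more.
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';

// Unknown values fall back to the home page instead of being passed to include().
if (!array_key_exists($page, $allowed_pages)) {
    $page = 'home';
}

// The path is built from the trusted table, never from the raw query string.
$file = __DIR__ . '/pages/' . $allowed_pages[$page];

// A listed template that is missing on disk is a deployment error, not user input.
if (!is_file($file)) {
    http_response_code(500);
    exit('Page template missing');
}

// Defence in depth: warn if the server still lets include() fetch URLs
// (the setting the earlier reply refers to). The whitelist protects even if it is on.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; it should be Off in php.ini');
}

include $file;
```

The important design choice is that user input only ever selects an entry in a fixed array; it is never concatenated into the include path. That removes both the remote-URL case and local traversal (?page=../config) in one step, and adding a page means adding one line to the table rather than another check.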


 

Alright, cool. So, I've included the GET and put the rewrite into .htaccess. The includes work again, and I've tested RFI by trying to include a few sites (like Google) to no avail. It seems that the site is both working and secure, and it was easier than I'd imagined. Thanks for your help.
