can I use this code twice on one page?

[cloudll]

I have a div on my site that is hidden on desktop then comes visable on mobile devices. Ideally I want to use the following code to include my content in both my normal content div, and my mobile div, and just have one showing at a time.

If I try to use it twice in my index.php page, the include default works but when I try to access a page it halts any content from loading.

Is there a way I can use this code twice in one page?

 <?php

    if (isset($_GET['nav'])) 
{
    if (strpos($_GET['nav'], "/")) 
{
    $direc = substr(str_replace('..', '', $_GET['nav']), 0, strpos($_GET['nav'], "/")) . "/";
    $file = substr(strrchr($_GET['nav'], "/"), 1);
    if (file_exists($direc.$file.".php")) 
{
    include($direc.$file.".php");
} else {
    include("error.php");
}
} else {
    if (file_exists(basename($_GET['nav']).".php")) 
{
    include(basename($_GET['nav']).".php");
} else {
    include("error.php");
}
}
} else {
    include("default.php");
}
?>

Thanks

[Destramic]

replace

strpos($_GET['nav'], "/")

with

strstr($_GET['nav'], '/')

tried to tidy it up also, you may want to use require_once

if (isset($_GET['nav'])) 
{
	$nav = $_GET['nav'];
	
	if (strstr($nav, '/'))
	{
	    $directory = substr(str_replace('..', '', $nav), 0, strpos($nav, "/")) . "/";
	    $file       = substr(strrchr($nav, "/"), 1);
	    
	    if (file_exists($directory . $file . ".php")) 
		{
	    	require_once($directory . $file . ".php");
		} 
		else 
		{
	    	require_once("error.php");
		}
	} 
	else 
	{
	    if (file_exists(basename($nav) . ".php"))
		{
	    	require_once (basename($nav).".php");
		} 
		else 
		{
	    	require_one("error.php");
		}
	}
} 
else
{
   require_once ("default.php");
}

personally i'd probably use something like this

switch ($_GET['nav'])
{
	case 'news';
		$page = 'news.php'; // ?nav=news
	break;
	
	default:
		$page = 'error.php';
	break;
}

require_once $page;

hope this helps

Edited August 30, 2016 by Destramic

[cloudll]

Thanks for the help. I have never used switch/case/break before.

 

So would I need to name a new case for everypage I wanted to include?

[Jacques1]

The code is vulnerable to file inclusion attacks: The page

......../path/to/malware

is mapped to the path

/path/to/malware.php

If your server configuration allows remote includes, it's also possible to inject arbitrary code from other servers.

 

Accepting user-provided paths should be avoided at all costs:

• Whenever possible, the user should only be able to choose from a predefined whitelist of possible paths (like in Destramic's switch statement).
• If you absolutely must have dynamic paths, then validate the input against a small whitelist of allowed characters (e. g. a-zA-Z0-9_). Reject wrong input, don't try to fix it, because this often goes wrong. Either you've overlooked something, or PHP itself chokes on the input (not long ago, a path could be truncated simply by inserting a NUL character).

Instead of the switch statement, you could also use an associative array to map page names to scripts:

<?php

// mapping of page names to scripts; this also acts as a whitelist of allowed scripts
const PAGES = [
    'about' => 'about.php',
    'contact_us' => 'contact_us',
];



if (isset($_GET['nav']))
{
    if (array_key_exists($_GET['nav'], PAGES))
    {
        require __DIR__.'/'.PAGES[$_GET['nav']];
    }
    else
    {
        require __DIR__.'/error.php';
    }
}
else
{
    require __DIR__.'/default.php';
}

However, none of this will solve your original problem. If you want help with that, you'll need to be more specific. Do you execute the code twice on the server and then literally hide one of the two page sections? Then the error might be caused by naming collisions due to the double inclusions. This would be a bad approach in general, because rendering and sending the exact content is obviously a waste of resources.

 

Check the error log for the exact message and provide the surrounding code so that we can see the context.