cloudll Posted August 30, 2016

I have a div on my site that is hidden on desktop then becomes visible on mobile devices. Ideally I want to use the following code to include my content in both my normal content div and my mobile div, and just have one showing at a time. If I try to use it twice in my index.php page, the include default works, but when I try to access a page it halts any content from loading. Is there a way I can use this code twice in one page?

    <?php
    if (isset($_GET['nav'])) {
        if (strpos($_GET['nav'], "/")) {
            $direc = substr(str_replace('..', '', $_GET['nav']), 0, strpos($_GET['nav'], "/")) . "/";
            $file = substr(strrchr($_GET['nav'], "/"), 1);
            if (file_exists($direc.$file.".php")) {
                include($direc.$file.".php");
            } else {
                include("error.php");
            }
        } else {
            if (file_exists(basename($_GET['nav']).".php")) {
                include(basename($_GET['nav']).".php");
            } else {
                include("error.php");
            }
        }
    } else {
        include("default.php");
    }
    ?>

Thanks
Destramic Posted August 30, 2016 (edited August 30, 2016)

Replace strpos($_GET['nav'], "/") with strstr($_GET['nav'], '/'). I tried to tidy it up as well; you may also want to use require_once:

    if (isset($_GET['nav'])) {
        $nav = $_GET['nav'];
        if (strstr($nav, '/')) {
            $directory = substr(str_replace('..', '', $nav), 0, strpos($nav, "/")) . "/";
            $file = substr(strrchr($nav, "/"), 1);
            if (file_exists($directory . $file . ".php")) {
                require_once($directory . $file . ".php");
            } else {
                require_once("error.php");
            }
        } else {
            if (file_exists(basename($nav) . ".php")) {
                require_once(basename($nav) . ".php");
            } else {
                require_once("error.php");
            }
        }
    } else {
        require_once("default.php");
    }

Personally I'd probably use something like this:

    switch ($_GET['nav']) {
        case 'news':
            $page = 'news.php'; // ?nav=news
            break;
        default:
            $page = 'error.php';
            break;
    }
    require_once $page;

Hope this helps.
cloudll Posted August 30, 2016 (Author)

Thanks for the help. I have never used switch/case/break before. So would I need to name a new case for every page I wanted to include?
Jacques1 Posted August 31, 2016

The code is vulnerable to file inclusion attacks: the page ......../path/to/malware is mapped to the path /path/to/malware.php. If your server configuration allows remote includes, it's also possible to inject arbitrary code from other servers.

Accepting user-provided paths should be avoided at all costs. Whenever possible, the user should only be able to choose from a predefined whitelist of possible paths (like in Destramic's switch statement). If you absolutely must have dynamic paths, then validate the input against a small whitelist of allowed characters (e.g. a-zA-Z0-9_). Reject wrong input, don't try to fix it, because this often goes wrong: either you've overlooked something, or PHP itself chokes on the input (not long ago, a path could be truncated simply by inserting a NUL character).

Instead of the switch statement, you could also use an associative array to map page names to scripts:

    <?php
    // mapping of page names to scripts; this also acts as a whitelist of allowed scripts
    const PAGES = [
        'about'      => 'about.php',
        'contact_us' => 'contact_us.php',
    ];

    if (isset($_GET['nav'])) {
        if (array_key_exists($_GET['nav'], PAGES)) {
            require __DIR__.'/'.PAGES[$_GET['nav']];
        } else {
            require __DIR__.'/error.php';
        }
    } else {
        require __DIR__.'/default.php';
    }

However, none of this will solve your original problem. If you want help with that, you'll need to be more specific. Do you execute the code twice on the server and then literally hide one of the two page sections? Then the error might be caused by naming collisions due to the double inclusion. This would be a bad approach in general, because rendering and sending the exact same content twice is obviously a waste of resources. Check the error log for the exact message and provide the surrounding code so that we can see the context.
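The whitelist approach from Jacques1's answer and the original "include it twice" problem can be combined: resolve the page name against the map, reject anything that is not a plain identifier, and render the script once into a string that both divs reuse (so no file is included twice). This is an added example, not code from the thread; the page names, script names and the two CSS classes are assumptions.

```php
<?php
// Added example (not from the thread). Assumes default.php, about.php,
// contact_us.php and error.php exist next to this file.
declare(strict_types=1);

// Whitelist: page name => script. Anything not listed here is rejected.
const PAGES = [
    'default' => 'default.php',
    'about'   => 'about.php',
    'contact' => 'contact_us.php',
];

// Map the raw ?nav= value to a script name. Input that is not a string,
// contains characters outside a-zA-Z0-9_, or is not a whitelisted key is
// rejected outright rather than "cleaned up".
function resolve_page($nav): string
{
    if ($nav === null) {
        return PAGES['default'];
    }
    if (!is_string($nav) || !preg_match('/^[a-zA-Z0-9_]{1,32}$/', $nav)) {
        return 'error.php';
    }
    return array_key_exists($nav, PAGES) ? PAGES[$nav] : 'error.php';
}

// Render the script exactly once, capturing its output with output
// buffering. Functions or classes the script defines are only declared
// once, which avoids the "already declared" fatal error that a second
// include of the same file would produce.
function render_page(string $script): string
{
    ob_start();
    require __DIR__ . '/' . $script;
    return (string) ob_get_clean();
}

$content = render_page(resolve_page($_GET['nav'] ?? null));
?>
<!-- The same rendered markup is placed in both containers; CSS decides
     which one is visible on a given device. -->
<div class="desktop-only"><?= $content ?></div>
<div class="mobile-only"><?= $content ?></div>
```

Because the whitelist alone decides which file is loaded, values such as ../../etc or a remote URL never reach require at all.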