can I use this code twice on one page?


cloudll

I have a div on my site that is hidden on desktop then becomes visible on mobile devices. Ideally I want to use the following code to include my content in both my normal content div, and my mobile div, and just have one showing at a time.

If I try to use it twice in my index.php page, the include default works but when I try to access a page it halts any content from loading.

Is there a way I can use this code twice in one page?

<?php

if (isset($_GET['nav']))
{
    if (strpos($_GET['nav'], "/"))
    {
        $direc = substr(str_replace('..', '', $_GET['nav']), 0, strpos($_GET['nav'], "/")) . "/";
        $file = substr(strrchr($_GET['nav'], "/"), 1);
        if (file_exists($direc.$file.".php"))
        {
            include($direc.$file.".php");
        } else {
            include("error.php");
        }
    } else {
        if (file_exists(basename($_GET['nav']).".php"))
        {
            include(basename($_GET['nav']).".php");
        } else {
            include("error.php");
        }
    }
} else {
    include("default.php");
}
?>

Thanks

replace

strpos($_GET['nav'], "/")

with

strstr($_GET['nav'], '/')

tried to tidy it up also, you may want to use require_once

if (isset($_GET['nav'])) 
{
	$nav = $_GET['nav'];
	
	if (strstr($nav, '/'))
	{
	    $directory = substr(str_replace('..', '', $nav), 0, strpos($nav, "/")) . "/";
	    $file       = substr(strrchr($nav, "/"), 1);
	    
	    if (file_exists($directory . $file . ".php")) 
		{
	    	require_once($directory . $file . ".php");
		} 
		else 
		{
	    	require_once("error.php");
		}
	} 
	else 
	{
	    if (file_exists(basename($nav) . ".php"))
		{
	    	require_once (basename($nav).".php");
		} 
		else 
		{
	    	require_once("error.php");
		}
	}
} 
else
{
   require_once ("default.php");
}

personally i'd probably use something like this

switch ($_GET['nav'])
{
	case 'news':
		$page = 'news.php'; // ?nav=news
	break;
	
	default:
		$page = 'error.php';
	break;
}

require_once $page;

hope this helps

The code is vulnerable to file inclusion attacks: The page

......../path/to/malware

is mapped to the path

/path/to/malware.php

If your server configuration allows remote includes, it's also possible to inject arbitrary code from other servers.

 

Accepting user-provided paths should be avoided at all costs:

  • Whenever possible, the user should only be able to choose from a predefined whitelist of possible paths (like in Destramic's switch statement).
  • If you absolutely must have dynamic paths, then validate the input against a small whitelist of allowed characters (e. g. a-zA-Z0-9_). Reject wrong input, don't try to fix it, because this often goes wrong. Either you've overlooked something, or PHP itself chokes on the input (not long ago, a path could be truncated simply by inserting a NUL character).

Instead of the switch statement, you could also use an associative array to map page names to scripts:

<?php

// mapping of page names to scripts; this also acts as a whitelist of allowed scripts
const PAGES = [
    'about' => 'about.php',
    'contact_us' => 'contact_us.php',
];



if (isset($_GET['nav']))
{
    if (array_key_exists($_GET['nav'], PAGES))
    {
        require __DIR__.'/'.PAGES[$_GET['nav']];
    }
    else
    {
        require __DIR__.'/error.php';
    }
}
else
{
    require __DIR__.'/default.php';
}

However, none of this will solve your original problem. If you want help with that, you'll need to be more specific. Do you execute the code twice on the server and then literally hide one of the two page sections? Then the error might be caused by naming collisions due to the double inclusions. This would be a bad approach in general, because rendering and sending the exact content is obviously a waste of resources.

 

Check the error log for the exact message and provide the surrounding code so that we can see the context.
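
An added example, not part of the original posts: one way to handle the "dynamic paths" case from the reply above, validating the `nav` value against the a-zA-Z0-9_ character whitelist and rejecting anything else instead of repairing it. The function name `resolve_page`, the temporary page tree and the sample request values are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Map a "nav" request value to a script inside $baseDir, or return null.
 * Input is validated, never repaired: only a-zA-Z0-9_ names are accepted, with
 * at most one "/" between two names (the dir/file scheme of the original code).
 */
function resolve_page($nav, string $baseDir): ?string
{
    // ?nav[]=x arrives as an array; only plain strings are acceptable.
    if (!is_string($nav)) {
        return null;
    }
    // \A and \z anchor the whole string ("$" would tolerate a trailing newline).
    if (preg_match('/\A[a-zA-Z0-9_]+(?:\/[a-zA-Z0-9_]+)?\z/', $nav) !== 1) {
        return null;
    }
    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . $nav . '.php');
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // Second check: the resolved path (symlinks followed) must stay under the root.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway page tree and constructed request values.
$base = sys_get_temp_dir() . '/pages_demo_' . getmypid();
@mkdir($base . '/admin', 0700, true);
file_put_contents($base . '/news.php', '<?php echo "news";');
file_put_contents($base . '/admin/users.php', '<?php echo "users";');

$samples = ['news', 'admin/users', '......../path/to/malware', '../news', "news\0", 'missing', ['news']];
foreach ($samples as $nav) {
    $page = resolve_page($nav, $base);
    $label = json_encode($nav, JSON_UNESCAPED_SLASHES);
    printf("%-32s => %s\n", $label, $page === null ? 'rejected' : 'include ' . $page);
}
```

Only the first two sample values resolve to a file; every other value is rejected, and the caller would then include its error page.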

Archived

This topic is now archived and is closed to further replies.
