eZe616 Posted February 15, 2007 Share Posted February 15, 2007 Not sure if it is the right forum but, here goes: I'm trying to build a website using the "include" function, here's the code: <?php if ($page == "") { include "index.html"; } else { include "$page.html"; } ?> Now the code seems to be right, but it won't work on my home comp server that I installed a few days ago... I'm Using Apache 2.2.4, PHP 5.2 and MySQL, 5.0.27. Can it be possible that the settings of the PHP wont make it work? If so how can I maki it so that i works Quote Link to comment Share on other sites More sharing options...
effigy Posted February 15, 2007 Share Posted February 15, 2007 I assume you're passing $page via GET, like so: index.php?page=something.html. Right? If so, you need to read about register_globals. Also, you need to run more checks against $page; malicious users can use ../ to access parent directories. Quote Link to comment Share on other sites More sharing options...
eZe616 Posted February 15, 2007 Author Share Posted February 15, 2007 Yes..tht's how I want to do it. tnx, the change makes it work now. How can I run more checks againts the $page then? I'm kinda new to php coding so help is appreciated. Also when I try a modified version as : <? $default_page="news"; if (!$page) { $page="$default_page.html"; } else { $page="$page.html"; } if (!@include("$page")) { include("404.html"); } ?> It won't work at all Quote Link to comment Share on other sites More sharing options...
effigy Posted February 15, 2007 Share Posted February 15, 2007 How can I run more checks againts the $page then? You might want to make sure that the file exists. You should also check for/remove any directory changes: $page = preg_replace('%(?:\.\./)+%', '', $page); It won't work at all Specifically, what doesn't work? See Example 16.8. Quote Link to comment Share on other sites More sharing options...
eZe616 Posted February 15, 2007 Author Share Posted February 15, 2007 Specifically, what doesn't work? See Example 16.8. It doesn't load the pages at all where it's supposed to load Quote Link to comment Share on other sites More sharing options...
effigy Posted February 15, 2007 Share Posted February 15, 2007 Are you getting errors? Are you getting the 404? Quote Link to comment Share on other sites More sharing options...
TreeNode Posted February 15, 2007 Share Posted February 15, 2007 ... Quote Link to comment Share on other sites More sharing options...
eZe616 Posted February 15, 2007 Author Share Posted February 15, 2007 Nope...No Errors, nothing..its just blank were the file is supposed to be included This is my current code <? $default_page="index"; if (!$page) { $page="$default_page.txt"; } else { $page="$page.txt"; } if (!@include("$page")) { include("404.txt"); } ?> and my links look likke this... <a href="index.php?page=padu" > and the files that are to be inluded are all .txt files Quote Link to comment Share on other sites More sharing options...
effigy Posted February 15, 2007 Share Posted February 15, 2007 Try this: <?php error_reporting(E_ALL); extract($_GET); $page = isset($page) ? $page : 'index' ; if (!(@include("$page.txt"))) { include '404.txt'; } ?> Quote Link to comment Share on other sites More sharing options...
eZe616 Posted February 15, 2007 Author Share Posted February 15, 2007 Try this: <?php error_reporting(E_ALL); extract($_GET); $page = isset($page) ? $page : 'index' ; if (!(@include("$page.txt"))) { include '404.txt'; } ?> Yes...Thank you, it works... Since I'm new to php, is it secure like you said in the first post I assume you're passing $page via GET, like so: index.php?page=something.html. Right? If so, you need to read about register_globals. Also, you need to run more checks against $page; malicious users can use ../ to access parent directories. Quote Link to comment Share on other sites More sharing options...
effigy Posted February 15, 2007 Share Posted February 15, 2007 This is better: <?php $page = $_GET['page']; $page = ($page !== '') ? $page : 'index' ; $page .= '.txt'; $page = preg_replace('%(?:\.\./)+%', '', $page); if (!is_dir($page) && file_exists($page)) { if (!(@include($page))) { include '404.txt'; } } else { echo 'File does not exist'; } ?> Update: Actually, making a list of valid pages is better. Quote Link to comment Share on other sites More sharing options...
eZe616 Posted February 15, 2007 Author Share Posted February 15, 2007 Ok...it does work...but when I load the page for the first time it doens't load the index page Quote Link to comment Share on other sites More sharing options...
effigy Posted February 15, 2007 Share Posted February 15, 2007 Oops; use ($page != ''). Keep in mind that unless you add another validation check, the user can request any page they want, and if that text file exists, it will be included. Quote Link to comment Share on other sites More sharing options...
eZe616 Posted February 15, 2007 Author Share Posted February 15, 2007 Tnx...it's working perfectly now I have one question I don't understand the $page = preg_replace('%(?:\.\./)+%', '', $page); line...What does that say/do? I'm trying to understand the code instead of just copy pasting Quote Link to comment Share on other sites More sharing options...
effigy Posted February 15, 2007 Share Posted February 15, 2007 ../ means go up a directory in the path. This line removes any occurrences of these characters. The %'s are used as delimiters and the . is escaped because it is a metacharacter in regex. The (?: ) are non-capturing parentheses which group these characters together, and + indicates one or more. I recommend looking through the regex links in my signature. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.