eZe616 Posted February 15, 2007

Not sure if it is the right forum but, here goes: I'm trying to build a website using the "include" function, here's the code:

    <?php
    if ($page == "") {
        include "index.html";
    } else {
        include "$page.html";
    }
    ?>

Now the code seems to be right, but it won't work on my home comp server that I installed a few days ago... I'm using Apache 2.2.4, PHP 5.2 and MySQL 5.0.27. Can it be possible that the settings of the PHP won't make it work? If so, how can I make it so that it works?

effigy Posted February 15, 2007

I assume you're passing $page via GET, like so: index.php?page=something.html. Right? If so, you need to read about register_globals. Also, you need to run more checks against $page; malicious users can use ../ to access parent directories.

eZe616 (Author) Posted February 15, 2007

Yes..that's how I want to do it. Tnx, the change makes it work now. How can I run more checks against the $page then? I'm kinda new to php coding so help is appreciated.

Also when I try a modified version as:

    <?
    $default_page="news";
    if (!$page) {
        $page="$default_page.html";
    } else {
        $page="$page.html";
    }
    if (!@include("$page")) {
        include("404.html");
    }
    ?>

It won't work at all

effigy Posted February 15, 2007

> How can I run more checks against the $page then?

You might want to make sure that the file exists. You should also check for/remove any directory changes:

    $page = preg_replace('%(?:\.\./)+%', '', $page);

> It won't work at all

Specifically, what doesn't work? See Example 16.8.

eZe616 (Author) Posted February 15, 2007

> Specifically, what doesn't work? See Example 16.8.

It doesn't load the pages at all where it's supposed to load

effigy Posted February 15, 2007

Are you getting errors? Are you getting the 404?

TreeNode Posted February 15, 2007

...

eZe616 (Author) Posted February 15, 2007

Nope...No errors, nothing..it's just blank where the file is supposed to be included.

This is my current code:

    <?
    $default_page="index";
    if (!$page) {
        $page="$default_page.txt";
    } else {
        $page="$page.txt";
    }
    if (!@include("$page")) {
        include("404.txt");
    }
    ?>

and my links look like this...

    <a href="index.php?page=padu" >

and the files that are to be included are all .txt files

effigy Posted February 15, 2007

Try this:

    <?php
    error_reporting(E_ALL);
    extract($_GET);
    $page = isset($page) ? $page : 'index' ;
    if (!(@include("$page.txt"))) {
        include '404.txt';
    }
    ?>

eZe616 (Author) Posted February 15, 2007

> Try this:
>
>     <?php
>     error_reporting(E_ALL);
>     extract($_GET);
>     $page = isset($page) ? $page : 'index' ;
>     if (!(@include("$page.txt"))) {
>         include '404.txt';
>     }
>     ?>

Yes...Thank you, it works... Since I'm new to php, is it secure like you said in the first post?

> I assume you're passing $page via GET, like so: index.php?page=something.html. Right? If so, you need to read about register_globals. Also, you need to run more checks against $page; malicious users can use ../ to access parent directories.

effigy Posted February 15, 2007

This is better:

    <?php
    $page = $_GET['page'];
    $page = ($page !== '') ? $page : 'index' ;
    $page .= '.txt';
    $page = preg_replace('%(?:\.\./)+%', '', $page);
    if (!is_dir($page) && file_exists($page)) {
        if (!(@include($page))) {
            include '404.txt';
        }
    } else {
        echo 'File does not exist';
    }
    ?>

Update: Actually, making a list of valid pages is better.

eZe616 (Author) Posted February 15, 2007

Ok...it does work...but when I load the page for the first time it doesn't load the index page

effigy Posted February 15, 2007

Oops; use ($page != '').

Keep in mind that unless you add another validation check, the user can request any page they want, and if that text file exists, it will be included.

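Added example, not part of the original thread or any poster's code: one way to implement the "list of valid pages" and the extra validation check recommended above, so the request value only selects a known entry and never builds a path on its own. The page names in VALID_PAGES, the function name resolve_page and the temporary demo directory are assumptions made for this example.

```php
<?php
// Added example: allowlist lookup for index.php?page=... (names are assumptions).
const VALID_PAGES = ['index', 'news', 'padu'];

/** Map the untrusted ?page= value to a file inside $baseDir, or null (serve the 404). */
function resolve_page($requested, string $baseDir): ?string
{
    // Missing, empty or non-string input (e.g. ?page[]=x) selects the default page.
    if (!is_string($requested) || $requested === '') {
        $requested = 'index';
    }
    // The request only selects an entry from the fixed list; anything else,
    // including names containing ../ or an extension, is rejected outright.
    if (!in_array($requested, VALID_PAGES, true)) {
        return null;
    }
    // Defence in depth: the resolved file must exist and sit inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.txt');
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo data: a throwaway directory holding two of the three pages.
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/index.txt", 'home page');
file_put_contents("$dir/padu.txt", 'padu page');

// Constructed sample values for $_GET['page'] (null means the parameter is absent).
foreach ([null, '', 'padu', 'news', '../padu', 'padu.txt', ['x']] as $input) {
    $file = resolve_page($input, $dir);
    printf("%-12s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES),
        $file === null ? '404' : basename($file));
}

// Clean up the demo directory.
array_map('unlink', glob("$dir/*.txt"));
rmdir($dir);
```

In index.php the call would be resolve_page($_GET['page'] ?? null, __DIR__ . '/pages'), including the returned path or 404.txt when it is null. Because include executes any PHP inside the target file, readfile() is enough when the pages are static text.
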
eZe616 (Author) Posted February 15, 2007

Tnx...it's working perfectly now.

I have one question: I don't understand the

    $page = preg_replace('%(?:\.\./)+%', '', $page);

line...What does that say/do? I'm trying to understand the code instead of just copy pasting

effigy Posted February 15, 2007

../ means go up a directory in the path. This line removes any occurrences of these characters. The %'s are used as delimiters and the . is escaped because it is a metacharacter in regex. The (?: ) are non-capturing parentheses which group these characters together, and + indicates one or more. I recommend looking through the regex links in my signature.

This topic is now archived and is closed to further replies.