Kynetek Posted March 28, 2007

Ok. I know what I need is something simple, but I just can't remember exactly what the code for it is. Basically I have a file, my .php file. But what I want to do is make an include that allows me to click a link and it'll include it into the main content table of the page... All I can really remember is that the URL I used to use looked something like this: http://http://free.hostultra.com/~kynetek/index2.php?id=News/News.html

If someone could help me I'd be godly grateful...

ted_chou12 Posted March 28, 2007

    $page = $_GET['id'];
    include("$page");

Ted

wildteen88 Posted March 28, 2007

> $page = $_GET['id'];
> include("$page");
>
> Ted

That is extremely insecure! I would do something like this:

    if(isset($_GET['id']))
    {
        $page = $_SERVER['DOCUMENT_ROOT'] . '/' . $_GET['id'];

        if(file_exists($page))
        {
            include "$page";
        }
        else
        {
            die($page . ' cannot be found!');
        }
    }

That is much more secure.

neoform Posted March 28, 2007

> That is extremely insecure! I would do something like this:
>
>     if(isset($_GET['id']))
>     {
>         $page = $_SERVER['DOCUMENT_ROOT'] . '/' . $_GET['id'];
>
>         if(file_exists($page))
>         {
>             include "$page";
>         }
>         else
>         {
>             die($page . ' cannot be found!');
>         }
>     }
>
> That is much more secure.

errr.....

url.php?id=../../../somefile.php

You'd be far better off cleansing that variable prior to using it, e.g. intval($_GET['id']), or at least stripping out any ".." from it.

poirot Posted March 28, 2007

You can use the built-in function basename() to strip the directories:

http://www.php.net/basename

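As an added example (not code from any poster in this thread): a path check that covers the traversal neoform points out while still allowing subdirectory ids like News/News.html, which basename() alone would flatten. It goes beyond the thread's suggestions by canonicalising with realpath() and checking containment; the name resolve_page(), the pages directory and the .html-only rule are assumptions.

```php
<?php
// Added example, not code from the thread. resolve_page() and the demo layout are assumptions.

// Map a user-supplied id such as "News/News.html" to a file inside $baseDir.
// Returns the canonical path, or null when the request must be refused.
function resolve_page(string $baseDir, string $id): ?string
{
    // Refuse empty ids, NUL bytes and anything that looks like a URL or stream wrapper.
    if ($id === '' || strpos($id, "\0") !== false || strpos($id, '://') !== false) {
        return null;
    }
    // Only the content type this site serves through ?id= (assumed to be .html).
    if (!preg_match('/\.html$/i', $id)) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks, and returns false if the file is missing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $id);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The canonical path must still sit under the content directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo tree: <tmp>/pages/News/News.html is content, <tmp>/outside.html is not.
$root = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($root . '/pages/News', 0700, true);
file_put_contents($root . '/pages/News/News.html', '<p>news</p>');
file_put_contents($root . '/outside.html', '<p>not for inclusion</p>');

// Constructed sample ids, including the traversal string quoted in the thread.
$ids = ['News/News.html', '../../../somefile.php', 'News/../../outside.html', 'http://example.com/x.html'];
foreach ($ids as $id) {
    $page = resolve_page($root . '/pages', $id);
    echo str_pad($id, 28), $page === null ? 'refused' : 'include ' . $page, PHP_EOL;
}

// In the page itself (the error message does not echo the requested path back):
// $id   = is_string($_GET['id'] ?? null) ? $_GET['id'] : '';
// $page = resolve_page(__DIR__ . '/pages', $id);
// if ($page === null) { http_response_code(404); exit('Page not found'); }
// include $page;
```

Only the first id resolves; the other three are refused by the extension rule, the containment check and the scheme check respectively.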