Kynetek Posted March 28, 2007

Ok. I know what I need is something simple, but I just can't remember exactly what the code for it is. Basically I have a file, my .php file. But what I want to do is make an include that allows me to click a link and it'll include it into the main content table of the page...

All I can really remember is that the URL I used to use looked something like this:

http://http://free.hostultra.com/~kynetek/index2.php?id=News/News.html

If someone could help me I'd be godly grateful...

ted_chou12 Posted March 28, 2007

    $page = $_GET['id'];
    include("$page");

Ted

wildteen88 Posted March 28, 2007

> $page = $_GET['id'];
> include("$page");
>
> Ted

That is extremely insecure! I would do something like this:

    if(isset($_GET['id']))
    {
        $page = $_SERVER['DOCUMENT_ROOT'] . '/' . $_GET['id'];

        if(file_exists($page))
        {
            include "$page";
        }
        else
        {
            die($page . ' cannot be found!');
        }
    }

That is much more secure.

neoform Posted March 28, 2007

> That is extremely insecure! I would do something like this:
>
>     if(isset($_GET['id']))
>     {
>         $page = $_SERVER['DOCUMENT_ROOT'] . '/' . $_GET['id'];
>
>         if(file_exists($page))
>         {
>             include "$page";
>         }
>         else
>         {
>             die($page . ' cannot be found!');
>         }
>     }
>
> That is much more secure.

errr.....

url.php?id=../../../somefile.php

You'd be far better off cleansing that variable prior to using it, e.g. intval($_GET['id']), or at least stripping out any ".." from it.

poirot Posted March 28, 2007

You can use the built-in function basename() to strip the directories:

http://www.php.net/basename

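An added example, not part of any post in this thread: the `../` case and the basename() suggestion above both come down to confining the include to one directory. Because the id in the first post contains a subdirectory (News/News.html), which basename() would drop, this version canonicalises the path with realpath() and checks containment instead; `resolve_page()`, the `pages/` directory and the .html-only rule are assumptions.

```php
<?php
// Added example: resolve_page() and the pages/ layout are hypothetical,
// not code from any post in this thread.
function resolve_page(string $baseDir, $id): ?string
{
    // Reject arrays (?id[]=x), empty values and NUL bytes.
    if (!is_string($id) || $id === '' || strpos($id, "\0") !== false) {
        return null;
    }
    // Assumption: the site only serves static .html fragments.
    if (strtolower(pathinfo($id, PATHINFO_EXTENSION)) !== 'html') {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; false means no such path.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $id);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check on the canonical path. The trailing separator keeps
    // a sibling such as "pages-old" from matching the base "pages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree: one page inside pages/, one file outside it.
$root = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($root . '/pages/News', 0700, true);
file_put_contents($root . '/pages/News/News.html', '<h1>News</h1>');
file_put_contents($root . '/secret.html', 'outside the content directory');

$cases = ['News/News.html', '../secret.html', 'News/../../secret.html',
          'News/missing.html', 'index2.php', ['News/News.html']];
foreach ($cases as $id) {
    $path = resolve_page($root . '/pages', $id);
    echo json_encode($id, JSON_UNESCAPED_SLASHES), ' => ',
        $path === null ? 'rejected' : 'allowed', "\n";
}
// In the page itself (readfile() prints the file without executing it):
//   $p = resolve_page(__DIR__ . '/pages', $_GET['id'] ?? null);
//   if ($p !== null) { readfile($p); } else { http_response_code(404); }

// Remove the demo tree.
unlink($root . '/pages/News/News.html'); unlink($root . '/secret.html');
rmdir($root . '/pages/News'); rmdir($root . '/pages'); rmdir($root);
```
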
Archived
This topic is now archived and is closed to further replies.