
Hello, I've been using my php dynamic include code on my site. But I think it's not safe. How can I write safer and better code to replace this one:

 

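<?php
   // As posted, the request value is concatenated straight into the include path.
   $file = null;
   $filename = null;

   if (isset($_GET['p'])) {
       $file = $_GET['p'].".php";
   } elseif (isset($_GET['t'])) {
       $filename = $_GET['t'].".txt";
   }

   if ($file === null && $filename === null) {
       // No parameter given: show the default page
       include_once("news.php");
   } elseif ($file !== null && file_exists($file)) {
       include_once($file);
   } elseif ($filename !== null && file_exists($filename)) {
       echo '<font size=2><pre>';
       include_once($filename);
       echo '</pre></font>';
   } else {
       include_once("error.php");
   }
?>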

 

Then all I do is <a href="?p=pagefile"> or text ;-) I hope someone can help me out. This is really important for me...


I guess instead of passing the page to be included, use a process like this.

If you want to edit, then do something like

?p=edit

switch($_GET['p']){
case 'edit':
    include 'edit.php';
    break;
case 'delete':
    include 'delete.php';
    break;
default:
    // any other value ends up here
    break;
}

 

Although this might seem almost the same, I guess it's better than what you're trying to do. In this case you don't need to test if the file exists; whatever happens, it will fall into your default if the query string is wrong, unlike in your code, where you have to test it one by one.

Thank you, teng84. That was exactly what I was looking for ;-) Works like a charm. Here is the modified code:

 

<?php switch($_GET['p']){
case 'test1':
	include 'test1.php';
	break;
case 'test2':
	include 'test2.php';
	break;
case 'test':
                echo '<font face=Courier New size=2><pre>';
	include 'pages/test.php';
                echo '</pre></font>';
	break;
default: 
	include 'main.php';
	break; 
} ?>

 

Now the code works like I want, and I don't have that vulnerability any more =D

 

But I have another small problem =D I am using this code as an include in HTML, and I can't seem to get the "Courier New" font to work right... Any ideas why? I need to show my txt files in a different font than php files =D Also, is there a dynamic way to add, like for example:

 

php = tahoma font

txt = courier new font

html = Arial font

 

Thanks ;-)

I guess all you have to do is create a CSS

like

 

#phpDIVIDHERESAPLE{

put the style

}

 

#htmlDIVIDHERESAPLE{

put the style

}

 

Now on your form do it separately, like if it's in PHP then the id should start with php, else html

 

sample

html file <div id=htmlDIVIDHERESAPLE>

php file <div id=phpDIVIDHERESAPLE>

 

I think something like that is easy and flexible

Show it to me with this above code:

<?php switch($_GET['p']){
case 'test1':
	include 'test1.php';
	break;
case 'test2':
	include 'test2.php';
	break;
case 'test':
                echo '<font face=Courier New size=2><pre>';
	include 'pages/test.php';
                echo '</pre></font>';
	break;
default: 
	include 'main.php';
	break; 
} ?>

 

Sorry, I don't get it =)

 

<?php 
if (isset($_GET['p'])){
switch($_GET['p']){
case 'test1':
	include 'test1.php';
	break;
case 'test2':
	include 'test2.php';
	break;
case 'test':
                echo '<font face=Courier New size=2><pre>';
	include 'pages/test.php';
                echo '</pre></font>';
	break;
default: 
	include 'main.php';
	break; 
}
}
else
{

//your stuff here 
}
?>

 

something like that

OK, I figured this out ;-) Thanks. Here is a perfectly working switch code with error handler:

 

<?php
if (isset($_GET['p'])) {
    switch ($_GET['p']) {
    case 'test1':
        include 'test1.php';
        break;
    case 'test2':
        include 'test2.php';
        break;
    case 'test':
        echo '<font face=Courier New size=2><pre>';
        include 'pages/test.php';
        echo '</pre></font>';
        break;
    default:
        echo 'Error 404 - File Not Found!';
        break;
    }
} else {
    include 'news.php';
}
?>

 

I've added an error handler to the default switch case and my default page to else =D Thanks, teng84. You've been a big help!
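
An added example, not code from any poster in this thread: the same allowlist idea as the switch, written as a lookup table so each entry also carries its display type (which covers the per-type font question through a CSS class). The page keys, file paths and class names are assumptions; text and HTML files are output rather than included, because include runs any PHP inside a file whatever its extension.

```php
<?php
// Added example (PHP 7.1+): the value of ?p= is only a lookup key, never part
// of a file path. Page keys, paths and CSS class names are assumptions.
const PAGES = [
    'test1' => ['test1.php',        'php'],
    'test2' => ['test2.php',        'php'],
    'test'  => ['pages/test.txt',   'txt'],   // hypothetical text file
    'about' => ['pages/about.html', 'html'],  // hypothetical static page
];
const DEFAULT_PAGE = ['news.php', 'php'];

// Returns [file, kind]: DEFAULT_PAGE when ?p= is absent, null when it is unknown.
function resolve_page($p): ?array
{
    if ($p === null) {
        return DEFAULT_PAGE;
    }
    // Arrays (?p[]=x) and any key not in the table are rejected.
    if (!is_string($p) || !array_key_exists($p, PAGES)) {
        return null;
    }
    return PAGES[$p];
}

function render_page(?array $page): void
{
    $path = $page === null ? null : __DIR__ . '/' . $page[0];
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        echo 'Error 404 - File Not Found!';
        return;
    }
    $kind = $page[1];
    echo '<div class="page-' . $kind . '">';   // style .page-php / .page-txt / .page-html in CSS
    if ($kind === 'php') {
        include $path;                          // fixed path from the table above
    } elseif ($kind === 'txt') {
        // Text is escaped and printed, so PHP or HTML inside it is never interpreted.
        echo '<pre>' . htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8') . '</pre>';
    } else {
        readfile($path);                        // static HTML is sent as-is, not executed
    }
    echo '</div>';
}

render_page(resolve_page($_GET['p'] ?? null));
```

Because the include happens inside render_page(), included pages run in that function's scope and need `global` (or parameters) to reach variables defined elsewhere.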
