mynameisham Posted January 23, 2008

I'm trying to build a template site of sorts that will open its different links with an include in the middle div. I've been trying for days to get it to work, and I can't find any help online about my particular situation. Here's a sample of the code I'm trying to use:

```php
<div id="header"><a href="index.php?page=random">Random Link</a><a href="index.php?page=better">Better Link</a> </div>
<div id="main">
<?php @ include ("$page.htm"); ?>
</div>
<div id="footer"> </div>
```

I know it's a problem that when it tries to load the page initially, it won't have any value for the variable and will just kill the process. But if I hardcode a value in for the variable, naturally the links still wouldn't work. Can anyone tell me what I'm doing wrong?

https://forums.phpfreaks.com/topic/87463-solved-using-a-variable-with-include/

KrisNz Posted January 23, 2008

You need to retrieve the value of page from the $_GET array, e.g.

```php
<?php
//create a default value
$page = "main";
if (isset($_GET['page']) and !empty($_GET['page'])) {
    $page = $_GET['page'];
}
?>
```

Note that the code I've shown is blindly trusting the user which you should never do. I could potentially open another website inside your one, depending on how php is configured. You'll need to do some appropriate checks of $page to make sure its value isn't malicious.

mynameisham Posted January 23, 2008 (Author)

Thanks! I'll definitely try that when I get a chance. And I'm a complete newb to php, so what do you mean by making sure $page doesn't have a malicious value? It's on my own personal site, if that affects anything.

PFMaBiSmAd Posted January 23, 2008

Edit: mostly says what has already been posted, but by not checking what is in $page, a hacker can inject his php code and run it on your server through the include() function.

First of all, that code will only work when register globals are on (register globals have been eliminated in php6, so even if your code works now, it will need to be rewritten to get it to work under php6.) Use `$page = $_GET['page'];`

Secondly, to solve your problem, just test if $page is set (use the isset() function) before executing the include() statement.

Thirdly, if allow_url_fopen (php4) or allow_url_include (php5) are on, a hacker can enter a url to his site on the end of your url, and he can cause the include() function to read a page that outputs php code as content and take over your site.

ALL external data cannot be trusted and must be verified. You must test that the $page parameter only contains specific values that you expect before you use it in an include statement.

KrisNz Posted January 23, 2008

Something like

```php
<?php
$page = "main";
if (isset($_GET['page']) and !empty($_GET['page'])) {
    $page = $_GET['page'];
    $page = preg_replace("/[^a-zA-Z0-9_\-]/", "_", $page); //remove invalid characters
}

if (file_exists("/path/to/my/$page.htm")) { //check that the file lives on my server in the folder I expect it to
    include_once("/path/to/my/$page.htm");
} else {
    include_once("/path/to/my/404.htm"); //show a "page not found"
}
?>
```

Basically I'm saying that when you're dealing with data that you don't have complete control over, it's good practice to check that said data is what you expect it to be.
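
An added example, not part of any post in this thread: PFMaBiSmAd's advice that $page may only contain specific expected values, written as an allowlist lookup in which the request value selects a key and never becomes part of the path. The names resolve_page, $pages and $pageDir, the sample page files and the sample request values are assumptions made for illustration, and the code needs PHP 7 or later.

```php
<?php
// Constructed sample tree so the example runs offline (hypothetical page names).
$pageDir = sys_get_temp_dir() . '/include_demo_' . getmypid();
@mkdir($pageDir);
foreach (['main', 'random', 'better', '404'] as $name) {
    file_put_contents("$pageDir/$name.htm", "<p>$name page</p>\n");
}

// Allowlist: accepted ?page= value => file name on disk.
$pages = [
    'main'   => 'main.htm',
    'random' => 'random.htm',
    'better' => 'better.htm',
];

function resolve_page($requested, array $pages, string $pageDir): string
{
    $base = realpath($pageDir);
    if ($requested === null || $requested === '') {
        $requested = 'main';                 // first load: no ?page= at all
    }
    // ?page[]=x arrives as an array, so anything that is not a string is
    // rejected, as is any string that is not a key of the allowlist.
    if (!is_string($requested) || !isset($pages[$requested])) {
        return $base . '/404.htm';
    }
    // Defence in depth: the mapped file must exist and sit inside $pageDir.
    $path = realpath($base . '/' . $pages[$requested]);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $base . '/404.htm';
    }
    return $path;
}

// Constructed request values: missing, valid, unknown, a URL, an array.
$samples = [null, 'better', 'nosuchpage', 'http://example.invalid/x', ['better']];
foreach ($samples as $value) {
    $shown = json_encode($value, JSON_UNESCAPED_SLASHES);
    printf("%-28s -> %s\n", $shown, basename(resolve_page($value, $pages, $pageDir)));
}

// In index.php the call would be:
//   include resolve_page($_GET['page'] ?? null, $pages, $pageDir);
```

Because the include path is built only from the allowlist's own values, the allow_url_fopen and allow_url_include settings no longer decide whether a request value can reach include().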

mynameisham Posted January 24, 2008 (Author)

Thanks KrisNz! I copied/pasted your code and then tweaked it a bit and now everything's working like a dream. Thanks so much for all you guys' help!

Topic solved