
[SOLVED] Using a variable with include


mynameisham


I'm trying to build a template site of sorts that will open its different links with an include in the middle div. I've been trying for days to get it to work, and I can't find any help online about my particular situation. Here's a sample of the code I'm trying to use:

<div id="header"><a href="index.php?page=random">Random Link</a><a href="index.php?page=better">Better Link</a>
</div>

<div id="main">
<?php @ include ("$page.htm"); ?>
</div>

<div id="footer">
</div>

I know it's a problem that when it tries to load the page initially, it won't have any value for the variable and will just kill the process. But if I hardcode a value in for the variable, naturally the links still wouldn't work. Can anyone tell me what I'm doing wrong?


You need to retrieve the value of page from the $_GET array.

e.g.

<?php
//create a default value
$page = "main";

if (isset($_GET['page']) and !empty($_GET['page'])) {
    $page = $_GET['page'];
}
?>

Note that the code I've shown is blindly trusting the user which you should never do. I could potentially open another website inside your one, depending on how php is configured. You'll need to do some appropriate checks of $page to make sure its value isn't malicious.

 


Edit: mostly says what has already been posted, but by not checking what is in $page, a hacker can inject his php code and run it on your server through the include() function.

 

First of all, that code will only work when register globals are on (register globals have been eliminated in php6, so even if your code works now, it will need to be rewritten to get it to work under php6.) Use $page = $_GET['page'];

 

Secondly, to solve your problem, just test if $page is set (use the isset() function) before executing the include() statement.

 

Thirdly, if allow_url_fopen (php4) or allow_url_include (php5) are on, a hacker can enter a url to his site on the end of your url, and he can cause the include() function to read a page that outputs php code as content and take over your site.

 

ALL external data cannot be trusted and must be verified. You must test that the $page parameter only contains specific values that you expect before you use it in an include statement.


Something like

<?php
$page = "main";

if (isset($_GET['page']) and !empty($_GET['page'])) {
    $page = $_GET['page'];
    $page = preg_replace("/[^a-zA-Z0-9_\-]/", "_", $page); //remove invalid characters
}

if (file_exists("/path/to/my/$page.htm")) { //check that the file lives on my server in the folder I expect it to
    include_once("/path/to/my/$page.htm");
} else {
    include_once("/path/to/my/404.htm"); //show a "page not found"
}
?>

 

Basically I'm saying that when you're dealing with data that you don't have complete control over, it's good practice to check that said data is what you expect it to be.
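The earlier reply's advice to accept only "specific values that you expect" can be taken literally: map the request value to a fixed allowlist instead of filtering characters and probing the filesystem. The following is an added example, not code from the thread; the page names and the /path/to/my directory are assumed to match the examples above.

```php
<?php
// Added example (not from the thread). The request value is used only as a
// lookup key; the file name that reaches include() is always one of ours.

// The thread's original pattern builds the path straight from request input,
// so whoever sends the request decides which file is read:
//   @ include("$page.htm");

// Hardened form: a fixed map from page name to file (names are assumed).
const PAGES = [
    'main'   => 'main.htm',
    'random' => 'random.htm',
    'better' => 'better.htm',
];

/**
 * Return the file to include for a requested page name, or the 404 page
 * when the name is not on the allowlist. Nothing from the request is ever
 * concatenated into the path.
 */
function resolvePage(?string $requested, string $baseDir): string
{
    $name = ($requested === null || $requested === '') ? 'main' : $requested;
    // array_key_exists is an exact string comparison: a URL or a relative
    // path is simply not a key, so it falls through to the 404 page.
    if (!array_key_exists($name, PAGES)) {
        return $baseDir . '/404.htm';
    }
    return $baseDir . '/' . PAGES[$name];
}

// Constructed sample requests showing how each resolves.
$baseDir = '/path/to/my';
$samples = [null, 'random', '../../etc/passwd', 'http://example.invalid/x.txt'];
foreach ($samples as $req) {
    printf("%-34s -> %s\n", var_export($req, true), resolvePage($req, $baseDir));
}

// In the template the include becomes:
//   include resolvePage($_GET['page'] ?? null, __DIR__ . '/pages');
```

Because the map is the only source of file names, allow_url_include and the directory's other contents no longer matter to what include() can load.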
