is it dangerouse? - the error or its okey?

[logicopinion]

hello, i am about to ask several quiestions about:

 

how is link like: ..../index.php?page=1&sector=2 made ?

 

i thought about this and did something like this:

 

<?php	
$p = &$_REQUEST['p'];
if (!file_exists("navigation/".$p.".php"))
{ include "main.php"; next;}
  else
{ if (isset($p) && $p!='main')	{ include "navigation/".$p.".php"; }
  else 
{ include "main.php";  }
}
?>

 

and as a rool it works fine..

but i found as i thought a hole in this way of building page:

 

now what is that..:  as you see all included files (which are filename.php) are kept in the FOLDER named NAVIGATION

 

and if someone will edit URL

 

http://somehostname.com/index.php?p=5 instead of this will type http://somehostname.com/navigation/filename.php the content of that page will be desplayed..

 

i checked such thing on several websites ... but none of them let me see that file (included on)

mybe i got wrong to use inclusion and desplaying pages dinamicaly?

 

or maybe there is no problem if someone can view that page outside of page ..... like

someurl.com/somefoldername/subfoldername/filename.php?

 

 

please give me some advice. thank you

[nogray]

You can add this to your .htaccess (in the public_html folder) to block direct access to the navigation folder

redirect /navigation/ http://www.my-domain-name/

[logicopinion]

o i see.. so other things in this code are corect and nothing dangerous is in it right?

 

 

thanks

[nogray]

of course you need test and make sure everything is safe. Also, make sure none of the files in the navigation folder display anything important. Finally, filter the input for "?" or illegal characters (like spaces, commans, etc...)

 

If someone wants to view the navigation links by themselves, I don't see the harm in that

[logicopinion]

filter the input for "?" or illegal characters (like spaces, commans, etc...)

 

 

what does that mean? could you give me some example please?

 

 

and additionaly i did something like this:

 

i wrote in .htaccess file this:

 

redirect /navigation/ http://firstschool.skola.dlf.ge/

redirect /styles/ http://firstschool.skola.dlf.ge/

redirect /files/ http://firstschool.skola.dlf.ge/

redirect /images/ http://firstschool.skola.dlf.ge/

redirect /includes/ http://firstschool.skola.dlf.ge/

 

and then when i opened page... there were no image/styles/and other things attached from that folders i made redirection. why?

 

 

 

[nogray]

Why did you redirect the styles and images folders? When you do the redirect, nothing will be accessible from the browser, so you shouldn't redirect the style, images, or any files that is used in the page.

 

to filter the input, you can do something like this (to filter anything that is not in a-zA-Z0-9_

 

$p = preg_replace('/\W/g', "", $p);

 

or

$p = str_replace(array("?"," ",",",";","."), "", $p);

Not tested

[logicopinion]

okey about htaccess its clear..

but about filtering

 

could you do me a favor and show me example with my code?

 

i am realy newbie in php and do not want to do something stuped.

 

thank you

[nogray]

$p = &$_REQUEST['p'];
$p = preg_replace('/\W/g', "", $p);

or

$p = &$_REQUEST['p'];
$p = str_replace(array("?"," ",",",";","."), "", $p);

Not tested

[logicopinion]

Warning: preg_replace() [function.preg-replace]: Unknown modifier 'g' in C:\xampp\htdocs\admin\index.php on line 37

 

why?

[rhodesa]

In preg_replace, g is assumed, so remove it.

[logicopinion]

and now its FILTERED?

[rhodesa]

Yup, after that code, $p will only contain alphanumeric characters.

[logicopinion]

Thanks a lot !