dmallia Posted June 3, 2012

I would like to do a script that includes content from pages according to what the user chooses. Example: if the user chooses Contact us from the menu, I would like to have the index page displayed with the contact us content (www.website.com/index.php?page=contact-us). I know it is done by GET requests but don't know how to do it or what it is called. Does anyone have a script or a tutorial on how to do it? Or at least what it is called so I can find a tutorial. Thanks beforehand.

Ingolme Posted June 3, 2012

You can look into PHP includes: http://w3schools.com/php/php_includes.asp

Usually, I remove all slashes from the $_GET data before using it in an include, so that a user can only access files from one particular folder.

dmallia Posted June 3, 2012

I don't want to do separate pages using the include. I want to have an index.php, then inside of it I include the content according to what the user chose from the menu. I want a script that will be in the index.php file, that gets the information of the page the user chose from the menu and then includes it in the index.php file.

Guest So Called Posted June 3, 2012

In general, and without the security features:

```php
// Each known 'page' value maps to one fixed file
if (isset($_GET['page'])) switch ($_GET['page']) {
    case 'contact-us':
        include 'contact-us.php';
        break;
    case 'something':
        include 'something.php';
        break;
    case 'or-other':
        include 'or-other.php';
        break;
}
```

How about that? Is that what you want?

Ingolme Posted June 3, 2012

Yes, precisely. Like I was saying, include can do that. Do I have to write out the code for you?

```php
<?php include $_GET['filename']; ?>
```

In the most simplistic insecure manner.

dmallia Posted June 5, 2012 (edited)

So I made this script and it seems to be working fine.

index.php

```php
<?php
echo '<a href="/index.php?page=news">News</a>';
echo '<a href="/index.php?page=about">About Us</a>';

if (empty($_GET['page'])) {
    // No page requested: show the default page
    $inc = 'news.php';
    include $inc;
}
else {
    // The request value is used directly to build the file name
    $page = $_GET['page'];
    $inc = $page.'.php';
    if (file_exists($inc)) {
        include $inc;
    }
    else {
        // Requested file does not exist: fall back to the default page
        $inc = "news.php";
        include $inc;
    }
}
?>
```

about.php

```php
<?php
echo '<p>About US</p>';
?>
```

news.php

```php
<?php
echo '<p>News</p>';
?>
```

Do you think it's secure? What do you think I can add to be more secure?

Edited June 5, 2012 by dmallia

birbal Posted June 5, 2012 (edited)

It is not secure now. Anyone can now point to any arbitrary file of yours to be included. Including means the user can choose which file gets executed. E.g. "/index.php?page=/somedir/dir/news" will include a file named news.php in /somedir/dir.

Don't trust any kind of user input: $_GET, $_POST, $_COOKIE and some $_SERVER variables. Make sure your scripts do what is essentially and minimally needed to get the work done. Validate your user inputs, as the user must do what you intended and what is needed to do the work.

Edited June 5, 2012 by birbal

dmallia Posted June 6, 2012

What's the best solution to secure it? Should I only run the script if the page is a page that exists in the directory of the web (file_exists()), or do I store all the page names in an array and check if it exists in the array?

justsomeguy Posted June 6, 2012

The array would be the most secure, because that is basically a whitelist of allowed files, but it's the most cumbersome to update. You can use the basename function to remove any path from the filename so that you only have a single filename, add .php to the end of it, and check in a single directory for that file. That will at least restrict the includes to the directory of your choice, so the only thing you should store in that directory is files to include.

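The two options described in the post above (a whitelist array, and basename() plus a single directory), written out as an added example that is not part of the original thread. The function names `page_from_whitelist` and `page_from_directory`, the temporary pages directory and the sample request values are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names are illustrative.
const ALLOWED_PAGES = ['news', 'about'];   // the whitelist array
const DEFAULT_PAGE  = 'news';

// Whitelist: the request value only selects an entry; it never becomes a path.
function page_from_whitelist($requested): string
{
    return (is_string($requested) && in_array($requested, ALLOWED_PAGES, true))
        ? $requested
        : DEFAULT_PAGE;
}

// basename() approach: strip any directory part, append .php, then confirm the
// resolved file really sits inside $dir before it is handed to include.
function page_from_directory($requested, string $dir): ?string
{
    $base = realpath($dir);
    if ($base === false || !is_string($requested)) {
        return null;                       // ?page[]=x arrives as an array
    }
    $name = basename(str_replace('\\', '/', $requested));
    if (!preg_match('/\A[a-z0-9_-]+\z/i', $name)) {
        return null;                       // empty names, dots, NUL bytes
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($path === false || dirname($path) !== $base) {
        return null;                       // missing file, or a symlink leading elsewhere
    }
    return $path;
}

// Constructed demo data: a throwaway pages directory and sample request values.
$dir = sys_get_temp_dir() . '/pages_' . uniqid();
mkdir($dir);
file_put_contents("$dir/news.php", '<p>News</p>');
file_put_contents("$dir/about.php", '<p>About Us</p>');

$samples = ['about', '', '/somedir/dir/news', 'contact-us', 'news.php', ['x']];
foreach ($samples as $requested) {
    $hit = page_from_directory($requested, $dir);
    printf("%-22s whitelist=%-5s directory=%s\n",
        json_encode($requested, JSON_UNESCAPED_SLASHES),
        page_from_whitelist($requested),
        $hit === null ? 'rejected' : basename($hit));
}

array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

In index.php, the value returned by either function is what would be passed to include, with a null result from `page_from_directory` falling back to the default page.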
Guest So Called Posted June 6, 2012

I would not provide any means for user input to reach the file name of an include file. Rather:

```php
if (isset($_GET['page'])) switch ($_GET['page']) {
    case 'news':
        if (file_exists('news.php')) include 'news.php';
        break;
    case 'about':
        if (file_exists('about.php')) include 'about.php';
        break;
    default:
        // error processing or ignore other values
}
```

In the above example the only two values that will include any file are 'news' and 'about'. It doesn't matter how much other stuff a hacker might insert in the 'page' value.