
content script


dmallia


I would like to do a script that includes content from pages according to what the user chooses. For example, if the user chooses Contact us from the menu, I would like to have the index page displayed with the contact us content (www.website.com/index.php?page=contact-us). I know it is done by GET requests but don't know how to do it or what it is called. Does anyone have a script or a tutorial on how to do it? Or at least what it is called so I can find a tutorial. Thanks beforehand.


I don't want to do separate pages using the include. I want to have an index.php, then inside of it I include the content according to what the user chose from the menu. I want a script that will be in the index.php file, that gets the information of the page the user chose from the menu and then includes it in the index.php file.


Guest So Called

In general, and without the security features:

if (isset($_GET['page'])) {
    // Only the listed values map to a file; anything else includes nothing.
    switch ($_GET['page']) {
        case 'contact-us': include 'contact-us.php'; break;
        case 'something':  include 'something.php';  break;
        case 'or-other':   include 'or-other.php';   break;
    }
}

How about that? Is that what you want?


Yes, precisely. Like I was saying, include can do that. Do I have to write out the code for you?

<?php include $_GET['filename']; ?>

In the most simplistic insecure manner.


so i made this script and it seems to be working fine.

index.php

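<?php
echo '<a href="/index.php?page=news">News</a>';
echo '<a href="/index.php?page=about">About Us</a>';

if (empty($_GET['page'])) {
    // No page requested: show the default page.
    $inc = 'news.php';
    include $inc;
} else {
    // The request value becomes part of the file path as-is.
    $page = $_GET['page'];
    $inc = $page.'.php';
    if (file_exists($inc)) {
        include $inc;
    } else {
        // Unknown page: fall back to the default.
        $inc = "news.php";
        include $inc;
    }
}
?>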

about.php

<?php
echo '<p>About US</p>';
?>

news.php

<?php
echo '<p>News</p>';
?>

do you think it's secure? what do you think i can add to be more secure?

Edited by dmallia

It is not secure now. Anyone can now point to any arbitrary file to be included. Including means the user can choose which file gets executed. E.g. "/index.php?page=/somedir/dir/news" will include a file named news.php in /somedir/dir. Don't trust any kind of user input: $_GET, $_POST, $_COOKIE and some $_SERVER variables. Make sure your scripts do what is essentially and minimally needed to get the work done. Validate your user inputs, as the user must do what you intended and what is needed to do the work.

Edited by birbal

what's the best solution to secure it? should i only run the script if the page is a page that exists in the directory of the web? file_exists() or i store all the page names in an array and check if it exists in the array?


The array would be the most secure, because that is basically a whitelist of allowed files, but it's the most cumbersome to update. You can use the basename function to remove any path from the filename so that you only have a single filename, add .php to the end of it, and check in a single directory for that file. That will at least restrict the includes to the directory of your choice, so the only thing you should store in that directory is files to include.


Guest So Called

I would not provide any means for user input to reach the file name of an include file. Rather:

if (isset($_GET['page'])) {
    switch ($_GET['page']) {
        case 'news':
            if (file_exists('news.php')) include 'news.php';
            break;
        case 'about':
            if (file_exists('about.php')) include 'about.php';
            break;
        default:
            // error processing or ignore other values
            break;
    }
}

In the above example the only two values that will include any file are 'news' and 'about'. It doesn't matter how much other stuff a hacker might insert in the 'page' value.

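The two approaches suggested in the replies above (an array whitelist, and basename() restricted to a single directory), run side by side as an added example; this is not code posted by anyone in the thread. The `pages` directory, the allowed-name pattern, the helper function names and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; directory layout, page names and inputs are constructed.

// Approach 1: whitelist array. Input only selects a key, never part of a path.
const PAGES = ['news' => 'news.php', 'about' => 'about.php'];

function resolveByWhitelist($page, string $dir): string
{
    $key = (is_string($page) && array_key_exists($page, PAGES)) ? $page : 'news';
    return $dir . '/' . PAGES[$key];
}

// Approach 2: basename() plus a directory that holds nothing but include files.
function resolveByBasename($page, string $dir): string
{
    $default = $dir . '/news.php';
    if (!is_string($page) || $page === '') {
        return $default;                           // missing value or ?page[]=...
    }
    $name = basename($page);                       // drop any directory part
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $name)) {
        return $default;                           // no dots, no odd characters
    }
    $real = realpath($dir . '/' . $name . '.php'); // false if the file is missing
    if ($real === false || dirname($real) !== realpath($dir)) {
        return $default;                           // missing, or a symlink out of $dir
    }
    return $real;
}

// Constructed demo site: two include files and one file outside the include directory.
$root = realpath(sys_get_temp_dir()) . '/inc_demo_' . getmypid();
mkdir($root . '/pages', 0700, true);
foreach (['pages/news.php', 'pages/about.php', 'config.php'] as $f) {
    file_put_contents("$root/$f", "<?php // $f\n");
}
$inputs = ['about', '/somedir/dir/news', '../config', 'about.php', '', ['x']];
foreach ($inputs as $in) {
    printf("%-22s whitelist=%-16s basename=%s\n",
        json_encode($in, JSON_UNESCAPED_SLASHES),
        substr(resolveByWhitelist($in, "$root/pages"), strlen($root) + 1),
        substr(resolveByBasename($in, "$root/pages"), strlen($root) + 1));
}
array_map('unlink', ["$root/pages/news.php", "$root/pages/about.php", "$root/config.php"]);
rmdir("$root/pages");
rmdir($root);
```

Every input resolves to a file inside `pages/`: the whitelist falls back to the default for anything that is not an exact key, while the basename variant strips the path from `/somedir/dir/news` and serves the local `news.php`.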
