dmallia

content script


I would like to do a script that includes content from pages according to what the user chooses. Example: if the user chooses Contact us from the menu, I would like to have the index page displayed with the contact us content (www.website.com/index.php?page=contact-us). I know it is done by GET requests but don't know how to do it or what it is called. Does anyone have a script or a tutorial on how to do it? Or at least what it is called so I can find a tutorial. Thanks beforehand.


You can look into PHP includes: http://w3schools.com/php/php_includes.asp Usually, I remove all slashes from the $_GET data before using it in an include, so that a user can only access files from one particular folder.


I don't want to do separate pages using the include. I want to have an index.php, then inside of it I include the content according to what the user chose from the menu. I want a script that will be in the index.php file, that gets the information of the page the user chose from the menu and then includes it in the index.php file.

Guest So Called

In general, and without the security features:

// Only these fixed values of 'page' select a file
if (isset($_GET['page'])) switch ($_GET['page']) {
	case 'contact-us': include 'contact-us.php'; break;
	case 'something':  include 'something.php'; break;
	case 'or-other':   include 'or-other.php'; break;
}

How about that? Is that what you want?


Yes, precisely. Like I was saying, include can do that. Do I have to write out the code for you?

<?php include $_GET['filename']; ?>

In the most simplistic insecure manner.


So I made this script and it seems to be working fine.

index.php

<?php
echo '<a href="/index.php?page=news">News</a>';
echo '<a href="/index.php?page=about">About Us</a>';
if (empty($_GET['page'])) {
    // No page requested: show the default page
    $inc = 'news.php';
    include $inc;
} else {
    // The requested name goes straight into the file path
    $page = $_GET['page'];
    $inc = $page.'.php';
    if (file_exists($inc)) {
        include $inc;
    } else {
        // Unknown page: fall back to the default page
        $inc = "news.php";
        include $inc;
    }
}
?>

about.php

<?php echo '<p>About US</p>'; ?>

news.php

<?php echo '<p>News</p>'; ?>

Do you think it's secure? What do you think I can add to be more secure?


It is not secure now. Anyone can now point to any arbitrary file of yours to be included. Including means the user can choose which file gets executed, e.g. "/index.php?page=/somedir/dir/news" will include a file named news.php in /somedir/dir. Don't trust any kind of user input: $_GET, $_POST, $_COOKIE and some $_SERVER variables. Make sure your scripts do only what is essentially and minimally needed to get the work done. Validate your user inputs, as the user must do what you intended and what is needed to do the work.


What's the best solution to secure it? Should I only run the script if the page is a page that exists in the directory of the web (file_exists()), or do I store all the page names in an array and check if it exists in the array?


The array would be the most secure, because that is basically a whitelist of allowed files, but it's the most cumbersome to update. You can use the basename function to remove any path from the filename so that you only have a single filename, add .php to the end of it, and check in a single directory for that file. That will at least restrict the includes to the directory of your choice, so the only thing you should store in that directory is files to include.

Guest So Called

I would not provide any means for user input to reach the file name of an include file. Rather:

if (isset($_GET['page'])) switch ($_GET['page']) {
	case 'news':  if (file_exists('news.php')) include 'news.php'; break;
	case 'about': if (file_exists('about.php')) include 'about.php'; break;
	default:      // error processing or ignore other values
}

In the above example the only two values that will include any file are 'news' and 'about'. It doesn't matter how much other stuff a hacker might insert in the 'page' value.
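
The two options weighed in the replies above (an array whitelist, and basename() plus a single include directory), side by side as an added example that is not part of any post in this thread. The function names, DEFAULT_PAGE, the temporary directory and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. resolve_allowlist(),
// resolve_basename() and DEFAULT_PAGE are hypothetical names.
const DEFAULT_PAGE = 'news';

// Array whitelist: the request only selects a key; the file name itself
// comes from $allowed, so no request data reaches the include path.
function resolve_allowlist(string $dir, $page, array $allowed): string
{
    $key = (is_string($page) && isset($allowed[$page])) ? $page : DEFAULT_PAGE;
    return $dir . '/' . $allowed[$key];
}

// basename() + single directory: strip any path, append .php, then confirm
// the resolved file really sits inside $dir before returning it.
function resolve_basename(string $dir, $page): string
{
    $fallback = $dir . '/' . DEFAULT_PAGE . '.php';
    if (!is_string($page) || $page === '') {   // ?page[]=x arrives as an array
        return $fallback;
    }
    $name = basename($page);
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $name)) {  // no dots, NUL bytes, backslashes
        return $fallback;
    }
    $base = realpath($dir);
    $real = realpath($dir . '/' . $name . '.php');     // false if the file is missing
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $real;
}

// Constructed demo data: a temporary pages directory and sample ?page= values.
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/news.php", '<p>News</p>');
file_put_contents("$dir/about.php", '<p>About Us</p>');
$allowed = ['news' => 'news.php', 'about' => 'about.php'];

$samples = ['about', '/somedir/dir/news', '../somedir/about', 'missing', ['x'], null];
foreach ($samples as $input) {
    printf("%-22s allowlist=%-10s basename=%s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        basename(resolve_allowlist($dir, $input, $allowed)),
        basename(resolve_basename($dir, $input)));
}
```

With the whitelist, any value that is not an exact key falls back to the default page; with basename(), a value carrying a path is reduced to its last component and served from the pages directory if that file exists there.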
