PHP Include

 

> PHP Include, Make it easier to organize your webpage

Beasty



post 22 May, 2006 - 08:55 PM
Post #1


* Just to let you know I wrote this a few years ago.

Have you ever wondered how websites have that cool linking? Or is there a simpler way than using iframes? Well, with this tutorial I am going to show you all of those. You will be able to edit one file for your links, and all the rest of your templates.
The Code:

CODE
<?
$dir = "directory/to/your/files/"; #make sure you have a forward slash at the end.

if($action) {
  $page = "main.$action.php";


  if(file_exists($dir . $page)) {

    include($dir . $page);
  } else {

     include($dir . "main.error.php");
  }

} else {

  include($dir . "main.main.php");

}
?>


Now, if you know PHP fairly well then you might as well skip this and have fun with your new script. But for those of you that don't quite have the knowledge, please keep reading.

If you get an error you might need to add the following line to the top of your script.

$action = $_GET['action'];

The nice thing about this script is that it makes sure that the file that is specified in the URL of your link exists on your server. This will make it harder for others to get into your site.

Basic linking for this script.

To use this script make your links on your site as follows.

page.php?action=tutorials

Replace page with the name of the file the script is in.
Replace tutorials with the name of the file on your server.

Such as main.tutorials.php would be the name of the file included in the script.

You might be asking why put the main. in front of the file? Well, this is just how I organize my content. Main means the file is being used in the main section of the webpage. I might also have another set of files with the prefix of tutorial. which would be a file that contains a tutorial page.

CODE
001.<?
002.$dir = "directory/to/your/files/"; #make sure you have a forward slash at the end.
003.
004.if($action) {
005.
006.  $page = "main.$action.php";
007.
008.
009.  if(file_exists($dir . $page)) {
010.
011.    include($dir . $page);
012.
013.  } else {
014.
015.    include($dir . "main.error.php");
016.
017.  }
018.
019.} else {
020.
021.  include($dir . "main.main.php");
022.
023.}
024.?>


What I just did was add line numbers so you can follow what I'm saying easier.

First we are going to start with line 1.
CODE
001.<?


That is a tag for opening a PHP script. There are some other ways, as shown below.

CODE
<?php
<script language="php">


CODE

002.$dir = "directory/to/your/files/"; #make sure you have a forward slash at the end.


This is the directory to where your files are stored. This lets the rest of the script know where to look for the files.

CODE
004.if($action) {


An if statement looks to see if the condition is true or false, so in this if statement it is looking to see if $action is true or not NULL.

CODE
006.  $page = "main.$action.php";


In this part of the code we are setting a variable to the name of the file we will end up including.

CODE
009.  if(file_exists($dir . $page)) {


This is another if statement, but in this one we are checking to see if a file exists using the function file_exists();. If the file exists the statement will return true and continue the rest of the script. If the file does not exist the statement will return false and go to the else (line 013) part of the statement, which we will be getting to later.

CODE
011.    include($dir . $page);


This part of the script includes the page we want, in the directory we specified. You can go here to see a tutorial on include();

CODE
013.  } else {

Now we are at the else part of the if statement above, as I promised. This part of the statement will be executed if the condition in the statement returns false.

CODE
015.    include($dir . "main.error.php");


This is part of the else in our if statement. When the statement returns false this will execute just like the one on line 011.

CODE
017.  }


This closes the if statement so nothing below it will be part of any results of the condition (so if it returns true or false it won't make a difference; everything below will still execute).

CODE
019.} else {


You might be asking why there is another else in this script. Well, this else is for the if statement on line 004. So if that statement returns false ($action is NULL, otherwise known as not set) it will execute another set of code.

CODE
021.  include($dir . "main.main.php");


This part of code is much like the others (the other includes that is). This one will include your main page. This is in here so when someone first comes to your site something will show besides an error.

CODE
023.}


This closes the first if statement.

CODE
024.?>


This is the closing of the PHP script. You can use these to close as well, to match the ones I showed above.

?>
</script>

Well, that's it folks, there is my tutorial on advanced includes.

snoj



post 23 May, 2006 - 07:52 AM
Post #2
A good tutorial Beasty, but there are some things I'd like to point out.

The use of $action straight away in the code without initializing it (called register globals) means that it can come from anywhere (cookies, sessions, post, and get). While the use of $action here isn't used for anything authorizing a user, it's not too much of a problem in that security area. But it (register globals) is a behaviour that is being taken out of PHP altogether. Since most servers turn off register globals by default anyway, it would be wise to just use "$action = $_GET['action'];" and save yourself the headache.

The problem however lies with the fact that there is no checking of what $action contains, because the user of the page can input anything. That is, they can supply a path that has multiple "../", allowing them to get to files you never intended them to open.
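
A hardened form of the dispatcher that applies the two checks discussed above (read the parameter explicitly, validate what it contains), as an added example that is not code from the thread or its participants. The helper name `resolve_page`, the character allowlist, the temporary directory and the sample parameter values are all assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes pages are stored as
// main.<name>.php directly inside $dir and names use only [A-Za-z0-9_-].

function resolve_page(string $dir, $action): string
{
    $base = realpath($dir);
    if ($base === false) {
        throw new RuntimeException("page directory not found: $dir");
    }
    // No action: default page, as in the original script.
    if ($action === null || $action === '') {
        return $base . DIRECTORY_SEPARATOR . 'main.main.php';
    }
    $error = $base . DIRECTORY_SEPARATOR . 'main.error.php';

    // 1. Allowlist: rejects arrays (?action[]=x), "/", "\", ".", NUL bytes
    //    and wrappers such as "php://", so "../" can never reach the path.
    if (!is_string($action) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $action)) {
        return $error;
    }
    // 2. Resolve symlinks and require a regular file directly inside $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . "main.$action.php");
    if ($path === false || !is_file($path) || dirname($path) !== $base) {
        return $error;
    }
    return $path;
}

// Constructed demo: a temporary page directory and sample parameter values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . uniqid();
mkdir($dir);
foreach (['main', 'error', 'tutorials'] as $name) {
    file_put_contents("$dir/main.$name.php", "<?php echo '$name page';");
}
$samples = [null, 'tutorials', 'missing', '../../config', 'x/../../main.tutorials', ['a']];
foreach ($samples as $action) {
    echo json_encode($action, JSON_UNESCAPED_SLASHES), ' => ',
         basename(resolve_page($dir, $action)), "\n";
}

// In the real page: include resolve_page($dir, $_GET['action'] ?? null);
```

Only `null` and `tutorials` resolve to a content page; every other sample falls through to main.error.php without the value ever being joined into a filesystem path.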

Beasty



post 23 May, 2006 - 04:02 PM
Post #3
I'm not sure how ../ works. Last time I checked it moves down one folder.

In the code I have above there is a line

CODE
if(file_exists($dir . $page)) {


This checks to see if the file exists. The $dir should make it so the file has to be in a directory that the page owner wants to be viewed. I'm not sure if maincontent/../main.something.php would work. And on top of that the person that is trying to get into the page would have to find a file that has the main. in front of it. The owner of the page should not have any file containing main. that they do not want shown. They could even personalize it to make it harder to get into. That way anyone accessing the site doesn't know the name of the file.

If I am wrong in this please tell me because I would like to know. It could save me a lot of trouble down the road :)

Thanks

This post has been edited by Beasty: 23 May, 2006 - 04:04 PM

snoj



post 24 May, 2006 - 02:20 PM
Post #4
Interesting, after some simple testing it seems that using prefixes can stop path injection.

Anywho, my main point is that you should know where your data is coming from and what it is. Because if you know neither, you're open to attack!

So again, nice tutorial Beasty! And I for one am glad you're here at DIC! :D

