[Saldash]

Hi folks,

This is something i've been trying to get working on my site for a while but only got the oppertunity lately.
To get a general idea, im separating the logic of my site from the HTML content and using a single index.php file.

I'd like to use a system where the Index includes the appropriate html document based on the URL.. example:

http://www.my-site.com/index.php?page=home
(must include "includes/home.html" page)

I've tried using:

<?php echo 'includes/'.$page.'.html'; ?>
where $page is the value of ?page= in the URL just to test.
but nothing is being passed through... all i see is "includes/.html"

I would have gone straight into using:
<?php Include("includes/'.$page.'.html"); ?>

EDIT:: Ive have also tried using:
<?php include("includes/$page.html"); ?>

EDIT AGAIN:: Ive tried this and still nothing..

<?php
if ($page='') {
   $page = 'home';
   Include("includes/$page.html");
} Else {
   Include("includes/$page.html");
}
?>

But that hasnt worked either. =/
I get the following message Error:

Quote

[phpBB Debug] PHP Notice: in file /homepages/1/d248187167/htdocs/test.php on line 148: main(includes/.html) [function.main]: failed to open stream: No such file or directory
[phpBB Debug] PHP Notice: in file /homepages/1/d248187167/htdocs/test.php on line 148: main() [function.include]: Failed opening 'includes/.html' for inclusion (include_path='.:/usr/lib/php')

but evidently its not that simple.. does anyone have a solution that i can work from?

This post has been edited by Saldash: 20 January 2009 - 04:14 AM

[Kuggi]

Saldash, on 20 Jan, 2009 - 02:53 AM, said:

Hi folks,

This is something i've been trying to get working on my site for a while but only got the oppertunity lately.
To get a general idea, im separating the logic of my site from the HTML content and using a single index.php file.

I'd like to use a system where the Index includes the appropriate html document based on the URL.. example:

http://www.my-site.com/index.php?page=home
(must include "includes/home.html" page)

I've tried using:

<?php echo 'includes/'.$page.'.html'; ?>
where $page is the value of ?page= in the URL just to test.
but nothing is being passed through... all i see is "includes/.html"

I would have gone straight into using:
<?php Include("includes/'.$page.'.html"); ?>

EDIT:: Ive have also tried using:
<?php include("includes/$page.html"); ?>

But that hasnt worked either. =/

but evidently its not that simple.. does anyone have a solution that i can work from?

Try this:

Index.php:

<?PHP
	 if(!$_GET['page'])
	 {
		  include('includes/home.php');
	 }
	 else
	 {
		  switch($_GET['page'])
		  {
			   case 'page1':
					include('includes/page1.php');
			   break;
		  }
	 }
?>

We uses the $_GET to read the params of the url

[Saldash]

Thanks for that,

Would I have to write a case for every page I have?
Could I not simply just use $_GET to determine the page name..

like: (this also doesnt work btw)

<?PHP
	 if(!$_GET['page'])
	 {
		  include("includes/home.html");
	 }
	 else
	 {
		  include("includes/$_GET.html");
	 }
?>

[Saldash]

So far i can return the value of ?page=test
and display it using
echo $_GET['page'];

but however i use it with Include() i just get error after error..
How can i get "includes/" ?page=<page name> ".html"

I would like to get this working without entering every page i have into it if i can help it, because i will always be uploading new pages.

Thanks again,

[Saldash]

AHA!

You guys can close the topic now, I've sussed it out!

The code to get the page name from url string, add path and or extenstion is:

<?php include("includes/$_GET[page].html"); ?>

What a happy little mistype that one turned out to be..
Cheers people.. I wouldn't have known to use $_GET otherwise..

Thanks!

[rmccarter721]

Never trust your users input.. I would always validate the input..

Even if you set up a script to open the directory, pull all the file names, remove the .php from the end, and then stick them in an array, then check the array for the users input..

That still counts as valid validation..

If you give me a wee while i will make a script that does this..

This post has been edited by Furnfield: 20 January 2009 - 06:27 AM

[Kuggi]

Saldash, on 20 Jan, 2009 - 03:48 AM, said:

AHA!

You guys can close the topic now, I've sussed it out!

The code to get the page name from url string, add path and or extenstion is:

<?php include("includes/$_GET[page].html"); ?>

What a happy little mistype that one turned out to be..
Cheers people.. I wouldn't have known to use $_GET otherwise..

Thanks!

As Furnfield wrote:

NEVER TRUST YOUR USERS INPUT!

In your code.. i can go to your url and type:

www.yourdomain.com/?page=administration

and go to your admin pages... or i could enter some other input as XSS attacks and then your site is down

so.. always test userinput... fx. by using my code and enter a CASE for every site that you have, then the user can't see anything if he or she enter some random site name

[rmccarter721]

I know this is really sloppy coding, but you can edit it to suit your needs

<?php

/**
 * @author Furnfield
 * @email furnfield@googlemail.com
 * @copyright 2009
 * @project InCheck
**/

$input = htmlentities(stripslashes($_GET['page']));

$directory = 'includes/';

$dir = opendir ($directory); //Open the directory

$i='0'; //$i is used to create our array, set initial value to 0

while (false !== ($file = readdir($dir)))
{
	if($file != '.' && $file != '..') //Check conditions to do with file
	{

 $filename = substr($file, 0,strrpos($file,'.'));   

 
		
			$farray[$i] = $filename; //Select the image files and put them into an array
			$i++; // add 1 to $i
	}
}	 

if (in_array($input, $farray)) {
	include ($directory.$input.'.php');
}

else {
include 'default.php';
}

?>

Meaning as long as the file is there is opens it.. and it still counts in my book as validation

[Kuggi]

Furnfield, on 20 Jan, 2009 - 05:52 AM, said:

I know this is really sloppy coding, but you can edit it to suit your needs

<?php

/**
 * @author Furnfield
 * @email furnfield@googlemail.com
 * @copyright 2009
 * @project InCheck
**/

$input = htmlentities(stripslashes($_GET['page']));

$directory = 'includes/';

$dir = opendir ($directory); //Open the directory

$i='0'; //$i is used to create our array, set initial value to 0

while (false !== ($file = readdir($dir)))
{
	if($file != '.' && $file != '..') //Check conditions to do with file
	{

 $filename = substr($file, 0,strrpos($file,'.'));   

 
		
			$farray[$i] = $filename; //Select the image files and put them into an array
			$i++; // add 1 to $i
	}
}	 

if (in_array($input, $farray)) {
	include ($directory.$input.'.php');
}

else {
include 'default.php';
}

?>

Meaning as long as the file is there is opens it.. and it still counts in my book as validation

It IS validation, but now we can discus about how safe you want to be

[rmccarter721]

yea, i was just revising cold war history there, and realised that even though it is validating it, it still isn't as secure as using case statements...

Can anyone suggest a way to make it more secure?

[Kuggi]

Furnfield, on 20 Jan, 2009 - 06:16 AM, said:

yea, i was just revising cold war history there, and realised that even though it is validating it, it still isn't as secure as using case statements...

Can anyone suggest a way to make it more secure?

post a new forum topic about that

[Saldash]

Hi again guys, a huge thanks for the heads up on keeping my site safe..
but how can I prevent my site from being attacked and keep using this method of page include.

My website uses a variation of extended PHPbb sessions to authenticate users on my site.. as well as using a custom built login page that uses my PHPbb forum for authentication..

Would it simply be easier & safer not to do this ?page= ... thing then?
Should I just stick to using straight page.php links?

How secure is using case statements going to be against attacks?

[rmccarter721]

A LOT more secure than what I posted up for you.. I personally would never use that script..

I always either use a case statement, or use a database table, with all the valid pages etc.

[Saldash]

I have installed my personal modification of a 3rd party script known as CCount (http://www.phpjunkyard.com)

Using this I can change the full page URL into domain.com/click.php?id=1

Is that what you were refering to when you mention a database?
If I understand correctly, I can avoid (not negate altogether) the potential risk to my site substatially by using a case based page lookup by validating the users input?


Youll have to excuse me.. I might come accross as understanding even half of this but as the old saying goes "its all greek to me".

Many thanks

EDIT:: (I like editing it saves new posts...)

Just to clarify why I wanted to seperate my site into a single logic page and included content pages, was so that I could build a CMS feature into my VB.net site manager..
I would have been easier not to use validated inputs, so I could just upload my new content without editng pages source code.. but i see thats very risky.

I have a MySQL databse to hand, maybe I could use that?
Upload my page and then update the database aswell?

If thats the best solution, then someone is going to need to guide me alot there.. because I realy dont know PHP<->MySQL...

This post has been edited by Saldash: 20 January 2009 - 04:22 PM

[rmccarter721]

First of all the mysql table I use

CREATE TABLE `pages` (
  `id` int(6) NOT NULL auto_increment,
  `name` varchar(50) NOT NULL,
  `page` varchar(50) NOT NULL,
  `url` varchar(50) NOT NULL,
  PRIMARY KEY  (`id`),
  KEY `name` (`name`,`page`),
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1;

How to check page details etc.

$page=$_GET['page'];

if ($page == '')
	{
		$page = 'home';	
	}

$page_check = mysql_query("SELECT * FROM `pages` WHERE `url` = '".$page."'");
$page_num = mysql_num_rows($page_check);

if ($page_num != '1')

	{
		$page = 'notfound';

		
	}

How to get the page..

$page_Get = mysql_query("SELECT * FROM `pages` WHERE `url` = '".$page."'");
				while($include_page = mysql_fetch_array($page_Get))
				{
					include (''.$include_page['page'].'');
				}

This should work for you.. I had to edit it slightly because I had a few more things happening in the middle of it..


Essentially we make the table, and you insert the information

id
1

name
About Us

page
about_us.php

url
about_us

Then we check the user input in the table, if it isn't found we display the notfound.php page, or you could set to a default page..

then it includes it where needed