  1. #1
    SitePoint Enthusiast
    Join Date
    Oct 2004
    Location
    Lincolnshire, UK
    Posts
    70
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Including a filename passed through URL, without error if it's not there

    Hi again.

    For the main content part of my site, I will be using a GET to pull the filename to include from the URL.

    Only problem is, if the user puts something like index.php?page=blablabla and that page doesn't exist, how can I get it to say "Page does not exist" or something, rather than it saying "Failed to include bla bla, and some other errors"?

    Am I doing the navigation the correct way too? How would you do the navigation for a site?

    Thanks for any ideas, Gareth

  2. #2
    always learning . . .
    Join Date
    Nov 2003
    Location
    UK
    Posts
    821
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Look into file_exists.

    Not sure why you're including files in this way though. If they click home why not go to home.php? And so on.

  3. #3
    SitePoint Wizard mark_W's Avatar
    Join Date
    Mar 2004
    Location
    West Midlands, United Kingdom
    Posts
    2,631
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Say you had a URL like this: index.php?page=home. You could do something like this (not checked):

    PHP Code:
      // Directory that holds the page files
      $dir = 'pathtofiles/';

      if (isset($_GET['page'])) {
          // Build the file name from the ?page= value
          $file = $_GET['page'] . '.php';
          if (file_exists($dir . $file)) {
              // include
          } else {
              // include default
          }
      }

  4. #4
    Non-Member coo_t2's Avatar
    Join Date
    Feb 2003
    Location
    Dog Street
    Posts
    1,819
    Mentioned
    1 Post(s)
    Tagged
    1 Thread(s)
    Also, you should always check the filename that you take from user input against a list of valid file names.

    Don't just try to include anything that's sent from user input. Make sure it's something that SHOULD be included.

    example:

    PHP Code:
      // List of file names that are allowed to be included
      $goodFilesArr = array('file1.txt', 'file2.txt');

      // Stop if the requested name is not on the list
      if (!in_array($_GET['filename'], $goodFilesArr)) {
          die("No way buster!");
      }

  5. #5
    SitePoint Wizard mark_W's Avatar
    Join Date
    Mar 2004
    Location
    West Midlands, United Kingdom
    Posts
    2,631
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by coo_t2
    Also, you should always check the filename that you take from user input against a list of valid file names.

    Don't just try to include anything that's sent from user input. Make sure it's something that SHOULD be included.

    example:

    PHP Code:
      // List of file names that are allowed to be included
      $goodFilesArr = array('file1.txt', 'file2.txt');

      // Stop if the requested name is not on the list
      if (!in_array($_GET['filename'], $goodFilesArr)) {
          die("No way buster!");
      }

    Ahhh....that's one I should remember!


  6. #6
    SitePoint Enthusiast
    Join Date
    Oct 2004
    Location
    Lincolnshire, UK
    Posts
    70
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks guys the file_exists thing worked.

    Why must you check that the file is "allowed" to be included? If you have the correct checks in each file, such as user level, is logged in, etc., what harm can it do to let them include the file in the main section, other than making it look bad for them?

    And to tjsaynor, I wanted to do it like this so it works like frames. Or is there a better/"normal" way to do this?

    thanks, Gareth

  7. #7
    SitePoint Wizard mark_W's Avatar
    Join Date
    Mar 2004
    Location
    West Midlands, United Kingdom
    Posts
    2,631
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I would say the checking for allowed files is much better practice, even though I never thought of it. You just wouldn't want them playing with your URL trying to get it to include files you don't want it to. Fair enough, those files may not even be there, but to me it seems like a good idea to have the allowed files!

  8. #8
    Keep it simple, stupid! bokehman's Avatar
    Join Date
    Jul 2005
    Posts
    1,935
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I can't think of one single good reason why anyone would use a query string to call any static or semi-static web page. If you must use some bizarre form of scripting that does require these unnecessary query strings, maybe you should look into mod_rewrite.

    Query strings are to carry unique and unknown information from the client to the web server. By all means use them in your URLs if you want to impress the idiots, but if you want to impress the people who know better use them for their intended purpose.

  9. #9
    SitePoint Enthusiast
    Join Date
    Oct 2004
    Location
    Lincolnshire, UK
    Posts
    70
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well, I'm pretty new to PHP, and it seemed like a good idea at the time, and tbh I still can't see what's wrong with it. I'm not trying to defend my way from you guys, because I know you know best.... but I can't see what's wrong with it.

    How would you go about sorting the navigation for a site like this:

    Edit:

    Looks like the diagram broke. It's header at the top, nav down the left, main through middle and right side, and footer on the bottom.


    Cheers guys

  10. #10
    SitePoint Wizard mark_W's Avatar
    Join Date
    Mar 2004
    Location
    West Midlands, United Kingdom
    Posts
    2,631
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If it was me I would just have one template file and use Smarty to fill it with whatever data you needed to. What exactly is it you are doing? That might help give us a better idea. If your way works then I don't really guess there's a big problem.

  11. #11
    SitePoint Enthusiast
    Join Date
    Oct 2004
    Location
    Lincolnshire, UK
    Posts
    70
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It's just a normal site from my Counter-Strike clan (internet team), to help us organise cups.

    I just wanted to click on a link and it brings up the corresponding page. Such as click on "register" and it makes the URL "index.php?p=register", then in the main section it brings up the register page for them to use.

    Like I said, my way is probably wrong, but at least I'm up for learning the correct way!

  12. #12
    SitePoint Wizard mark_W's Avatar
    Join Date
    Mar 2004
    Location
    West Midlands, United Kingdom
    Posts
    2,631
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well, why don't you make it directly link to the register page then? Instead of using the index.php like that. It will make for much nicer URLs too!

  13. #13
    SitePoint Enthusiast
    Join Date
    Oct 2004
    Location
    Lincolnshire, UK
    Posts
    70
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I can't see how I would do that. I'm not using frames because I've read a few times they are bad unless they are REALLY necessary, which I don't think it is. So I've set the framework out using a table. The only way I can think of to get the page to show up in the "main" section would be to use an include, and to do that I put the page it wants to include through the URL :S

    thanks for all the help and suggestions you are giving,

    Gareth

  14. #14
    SitePoint Wizard mark_W's Avatar
    Join Date
    Mar 2004
    Location
    West Midlands, United Kingdom
    Posts
    2,631
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You could have it how you are doing now but instead of having one file, you would have multiple files. Say....

    Index.php

    PHP Code:
      // include header
      include('header.php');

      // include nav
      include('nav.php');

      // include content
      include('content.php');

      // include footer
      include('footer.php');

    Register.php

    PHP Code:
      // include header
      include('header.php');

      // include nav
      include('nav.php');

      // include content
      include('registerform.php');

      // include footer
      include('footer.php');

  15. #15
    SitePoint Enthusiast
    Join Date
    Oct 2004
    Location
    Lincolnshire, UK
    Posts
    70
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Aah right, I see what you mean

  16. #16
    Non-Member coo_t2's Avatar
    Join Date
    Feb 2003
    Location
    Dog Street
    Posts
    1,819
    Mentioned
    1 Post(s)
    Tagged
    1 Thread(s)
    If you don't check file names that come from user input ($_GET, $_POST, $_COOKIE) you're inviting the bad guys to take over your server.

    Check this out:
    http://www.devx.com/webdev/Article/26691/0/page/3

    If I remember right there's actually a worm (written in Perl, I think) that affects PHP scripts that roams the web looking for vulnerable URLs so it can inject its own nasty code via unchecked values passed to include()/require().

    There's an example of how it's done in that article I linked to above.

    --ed
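
An added example, not part of any post in this thread: one way to combine the file_exists check from post #3 with the allowlist from post #4, so that an unknown or tampered ?page= value gets "Page does not exist" instead of an include warning. The pages/ directory and the page names are assumptions.

```php
<?php
// Added example; PAGE_DIR and the page names are assumptions, not from the thread.
const PAGE_DIR = __DIR__ . '/pages/';

// Allowlist: accepted ?page= values mapped to the only files they may load.
const PAGES = [
    'home'     => 'home.php',
    'register' => 'register.php',
    'cups'     => 'cups.php',
];

/** Return the file to include for a requested page, or null if refused. */
function resolvePage($requested): ?string
{
    // ?page[]=x arrives as an array; anything that is not a string is refused.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // The path is built from the allowlist entry, never from the user's value,
    // so traversal sequences and URLs cannot reach include.
    $path = PAGE_DIR . PAGES[$requested];

    // file_exists-style check: an allowed page whose file is missing is
    // reported the same way as an unknown page, with no PHP warning.
    return is_file($path) ? $path : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, run from the command line to see the decisions.
    foreach (['home', 'blablabla', '../config', ['home']] as $probe) {
        $shown = is_array($probe) ? 'array' : $probe;
        echo str_pad($shown, 12), resolvePage($probe) ?? 'Page does not exist', PHP_EOL;
    }
} else {
    $path = resolvePage($_GET['page'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        echo 'Page does not exist';
    } else {
        include $path;
    }
}
```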

  17. #17
    Non-Member coo_t2's Avatar
    Join Date
    Feb 2003
    Location
    Dog Street
    Posts
    1,819
    Mentioned
    1 Post(s)
    Tagged
    1 Thread(s)
    Somebody PM'd me asking for the name of that worm I mentioned and some good resources for PHP security.

    I found a link to the worm I was thinking about here:
    http://www.frsirt.com/exploits/20041...ncludeWorm.php

    Some good security resources:
    php.net/security

    This guy's a sitepoint member who has some
    good articles on security:
    http://shiflett.org/

    Other than that, just check out old reliable:
    http://www.google.com/search?q=php+security

    Don't go blindly believing what every article or poster that you find on google says, though. Try to find other sources to back it up.

  18. #18
    SitePoint Member
    Join Date
    Jun 2005
    Posts
    18
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I have done something similar to what you're asking about in case you still want to go that way.
    The way I did it was something like this:

    PHP Code:
      // ereg() was removed in PHP 7; preg_match('/register/', ...) is the modern equivalent
      if (ereg('register', $_SERVER['REQUEST_URI'])) {
          include 'register.php';
      }


