PHP: take URL query, and load appropriate file via includes

Discussion in 'OT Technology' started by biawokauns, Jul 15, 2004.

  1. biawokauns

    biawokauns New Member

    Joined:
    Sep 18, 2001
    Messages:
    19,893
    Likes Received:
    0
    Location:
    Republic of Kalifornia
    I have the shell of a site, now I want to fill it with information. The layout of the site is in the index.php file, and the links are all like this:

    index.php?=about
    index.php?=info

    How do I parse it so that, when you click, say, about, I can use the PHP includes function to load inc.about.php into the main index.php frame?

    Does that make sense?
     
  2. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Joined:
    Nov 13, 2001
    Messages:
    11,865
    Likes Received:
    0
    Location:
    BC, Canada/Stockholm, Sweden
    $_GET['variable'];
     
  3. biawokauns

    biawokauns New Member

    I tried the following, just to see if I could read the variable after the ?

    Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <? 
    $_GET['variable'] = $direct
    ?>
    
    <title>Untitled Document</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    
    <body>
    <? print $direct ?>
    <p></p>
    <? echo  $direct ?>
    
    </body>
    </html>
    
    not workin..
    and I'm guessing once I do get it to work, I'd go

    Code:
    <?php
    if ($direct == "about") {
        include($direct . ".php");
    } elseif ($direct == "info") {
        include($direct . ".php");
    }
    ?>
    
     
  4. biawokauns

    biawokauns New Member

    I'm stupid, nm
     
  5. biawokauns

    biawokauns New Member

    another ?

    is there a way so, if index.php?id= is blank (no var) I can set it to a default page?
     
  6. WERUreo

    WERUreo Imua!

    Joined:
    Oct 15, 2003
    Messages:
    566
    Likes Received:
    0
    Location:
    Daytona Beach, Florida
    Code:
    <?php
    if (!isset($_GET['variable']))
         $direct = "default";
    else
         $direct = $_GET['variable'];
    ?>
    
     
  7. WERUreo

    WERUreo Imua!

    BTW, you wouldn't need to put those in if statements. Since you've already assigned $direct with the appropriate value, you can just say

    Code:
    <? include($direct . ".php"); ?>
    
     
  8. Astro

    Astro Code Monkey

    Joined:
    Mar 18, 2000
    Messages:
    2,047
    Likes Received:
    0
    Location:
    Cleveland Ohio
    PHP:
    // Assuming $direct = $_GET['variable'];
    include($direct . ".php");
    Please take a moment to look at this snippet of code.

    This code, as is, is uber-dangerous and leaves the web server you are on open to cross site scripting vulnerabilities. How?

    index.php?variable=about -- works fine
    index.php?variable=http://www.evilwebsite.com/index -- in this case will work too

    If you have the urge to do this, you MUST validate $_GET['variable'] to verify it's one that is allowed to be used. I'd recommend using a switch statement, but the if statement will work just as well.
     
  9. WERUreo

    WERUreo Imua!

    Good catch. I was kinda rushing that reply when I wrote it from work earlier. Didn't take that into account.
     
  10. biawokauns

    biawokauns New Member

    Code:
    <?php
    require("inc.header.php");
    
    
    
    if (!isset($_GET['id']))
         $id = "main";
    else
         $id = $_GET['id'];
    
    	 
    if (!isset($_GET['language']))
    	$language = "english";
    else
    	$language = $_GET['language'];
    
    $parsed_url = "$language/inc.$id.php";
    $parused_url_footer = "$language/inc.footer.php";
    $parsed_url_menu = "$language/menu.swf";
    ?>
    
    I was thinking, if I use the switch statement, I'd have to validate every single variable, correct?
     
  11. Bono

    Bono Guest

    In the interest of security, this is how I'd encourage you to do it. Your code above could allow $_GET['language'] to be set to a remote url, like it was pointed out earlier.

    PHP:
    $acceptable_ids = array('main', 'otherpage1', 'otherpage2');

    $id = in_array($_GET['id'], $acceptable_ids) ? $_GET['id'] : $acceptable_ids[0];
     
    Last edited by a moderator: Jul 19, 2004
  12. biawokauns

    biawokauns New Member

    I was reading over the replies, and am wondering (since I have a ton of files I am including and it would take quite a while to list each var) is it possible to validate based on the URL, so it will only include local files? or am I stuck including each var? :o

    also, is it possible to simplify this code:

    PHP:
    if (!isset($_GET['id']))
         $id = "main";
    else
         $id = $_GET['id'];

    if (!isset($_GET['language']))
        $language = "english";
    else
        $language = $_GET['language'];

    if (!isset($_GET['menu']))
        $menu = "main";
    else
        $menu = $_GET['menu'];
     
    Last edited: Jul 21, 2004
  13. tac

    tac (:-|)=|=

    Joined:
    Jan 3, 2001
    Messages:
    21
    Likes Received:
    0
    Location:
    vancouver
    try this:

    PHP:
    $id       =  isset($_GET['id'])       ? $_GET['id']       : "main";
    $language =  isset($_GET['language']) ? $_GET['language'] : "english";
    $menu     =  isset($_GET['menu'])     ? $_GET['menu']     : "main";

    it's basically a more compact way to do an if/else statement
     
  14. biawokauns

    biawokauns New Member

    that didn't seem to work :o
     
  15. WERUreo

    WERUreo Imua!

    For you, it should actually be:
    PHP:
    $id       =  (!isset($_GET['id']))       ? "main"    : $_GET['id'];
    $language =  (!isset($_GET['language'])) ? "english" : $_GET['language'];
    $menu     =  (!isset($_GET['menu']))     ? "main"    : $_GET['menu'];
    Remember, though, that this is what I had suggested before without thinking of the security hole. This won't validate the information coming from $_GET. Bono's suggestion looks good, and the way it's written, it is assuming that your default value is the first element in the $acceptable_ids array.
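
Added example, not part of the original thread: Bono's allowlist check from post 11 applied to the `id` and `language` parameters, with the id list built from the local `inc.*.php` files so that each page does not have to be listed by hand (the question in post 12). This goes beyond what the thread shows; `pick()`, `local_ids()` and the temp-directory sample site are hypothetical and constructed for the example.

```php
<?php
// Added example, not code from the thread. pick() and local_ids() are
// hypothetical helpers; the sample site below is constructed.

// Return $value only if it is a string found in $allowed; otherwise fall back
// to the first entry, the same default rule as Bono's $acceptable_ids[0].
function pick($value, array $allowed)
{
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : $allowed[0];
}

// Build the id allowlist from files that exist locally as <dir>/inc.<id>.php.
function local_ids($dir, $default)
{
    $ids = array($default);
    foreach (glob($dir . '/inc.*.php') ?: array() as $file) {
        $id = substr(basename($file, '.php'), 4);   // drop the "inc." prefix
        if ($id !== $default && preg_match('/^[a-z0-9_]+$/', $id)) {
            $ids[] = $id;
        }
    }
    return $ids;
}

// Constructed sample site in a temp directory so the example runs offline.
$root = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($root . '/english', 0700, true);
foreach (array('main', 'about', 'info') as $page) {
    file_put_contents("$root/english/inc.$page.php", "<?php echo '$page page';");
}

$languages = array('english');   // fixed list, first entry is the default

// Constructed requests: a valid one, the remote URL from post 8 in each
// parameter, and a non-string id (index.php?id[]=about).
$requests = array(
    array('id' => 'about', 'language' => 'english'),
    array('id' => 'http://www.evilwebsite.com/index'),
    array('id' => 'info', 'language' => 'http://www.evilwebsite.com/index'),
    array('id' => array('about')),
);

foreach ($requests as $get) {
    $language = pick(isset($get['language']) ? $get['language'] : null, $languages);
    $id = pick(isset($get['id']) ? $get['id'] : null, local_ids("$root/$language", 'main'));
    echo "$language/inc.$id.php => ";
    include "$root/$language/inc.$id.php";   // only allowlisted local files reach here
    echo "\n";
}
```

The language list stays hand-written because it is short and also selects the directory that gets scanned; only the page ids are derived from the filesystem.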
     
