  1. #1
    Join Date
    May 2004
    Location
    Ontario
    Posts
    24

    PHP Include problems tt

    Can anyone see what's wrong with this? I'm trying to make it take the 'x' out of www.xeima.com/index.php?site=x (or whatever the user types), search for that file with a .php extension in the public_html dir and include it.

    Code:
    <?php if(!$site){ $site == HTTP_GET_VARS['site'] };
    if {$site == ""} or {$site == "main"}
    include ("main.php")
    else {
    include ($site + ".php"); };
    ?>

  2. #2
    Join Date
    Mar 2004
    Location
    USA
    Posts
    4,342
    do this:

    $_GET['site']

    instead of HTTP_GET_VARS['site']
    Peace,

  3. #3
    Join Date
    Aug 2003
    Location
    PA
    Posts
    110
    Instead of using HTTP_GET_VARS, use $_GET['site'].

    Should work for ya now!

    PHP Code:
    <?php

    // fall back to the query-string value when $site is not already set
    if (!$site)
        $site = $_GET['site'];

    // an empty or "main" request loads the front page
    if ($site == "" || $site == "main")
        include("main.php");
    else
        include($site . ".php");   // '.' joins strings in PHP

    ?>
    ...now that azizny just beat me to answering this one!

    Hope it helps.

  4. #4
    Join Date
    May 2004
    Location
    Singapore
    Posts
    262
    Actually, $HTTP_GET_VARS can be used on newer versions of PHP as well, for backwards compatibility.

    The problem was treating it as sort of a "constant array", i.e. leaving out the '$' symbol.

    But it still isn't correct, since PHP uses '.' for string concatenation, not '+'.
    Code:
    <?php
    if (isset($_GET['site']))
    	include $_GET['site'] . ".php";
    else
    	include "main.php";
    ?>
    Though this may work, it may also be insecure as the user can arbitrarily include any PHP page in your script.
    Some sort of input validation would be advisable.
    #include<cstdio>
    char*s="#include<cstdio>%cchar*s=%c%s%c;%cint main(){std::printf(s,10,34,s,34,10);}";
    int main(){std::printf(s,10,34,s,34,10);}

  5. #5
    Join Date
    May 2004
    Location
    Ontario
    Posts
    24
    Thanks laser, that's exactly what I wanted.

  6. #6
    Join Date
    Jul 2003
    Location
    NYC
    Posts
    245
    wouldn't this be more secure?
    PHP Code:
    <?php
    if (empty($_SERVER['QUERY_STRING']))
    {
        include("main.php");
    }
    elseif (isset($_SERVER['QUERY_STRING']))
    {
        // drop '../' sequences from the raw query string (single, non-recursive pass)
        $query = str_replace('../', '', $_SERVER['QUERY_STRING']);
        // keep only the part before the first '&'
        $pos = strpos($query, '&');
        if (is_int($pos))
        {
            $query = substr($query, 0, $pos);
        }
        // include the matching page if it exists on disk
        if (file_exists("{$query}.php"))
        {
            include("{$query}.php");
        }
        else
        {
            echo "<b>FILE NOT FOUND! </b>";
            echo $query;   // echoes the requested name back unescaped
        }
    }
    ?>

    this way you can call the file in this manner:
    file.php?page
    file.php?page2
    file.php?page3
    sounds cool?
    ---|| Avurt Inc. - ||---
    www.avurt.com
    Banners, Prints, Graphics, Web sites & Much more

  7. #7
    Join Date
    Aug 2003
    Location
    PA
    Posts
    110
    Hit the wrong button with the +

    The most secure thing to do has always been to use a regular expression to eliminate any and all unwanted special characters, then make a file check.

    For basic security, the best thing is to use htmlspecialchars and strip_tags together.

    Another thing to do in your included file is to check if it being typed in the browser window as that file.

    For instance, if your file is named file.php that you want included, you would, towards the top, make a logic check to see if that included file is the requested file. If so, it is a direct request, and the script ends in a bad call, or some statement about trying to enter that script (had some probs with this until I added those lines).

    My reply was just a basic change to the coding that was provided. The user only asked about getting the $_GET var, or else I woulda went off about security..hehehehee

    Later, oh, and remember, $_GET and $_POST variables are no more or less secure than the other...only $_POST allows for more variables, and more types of variables and data to be submitted and transmitted to the next page<<--extra little security tip..the moral, never be 'content'.

    Security information can be looked up at PHP.net for something more thorough. You can also look up the ereg functions at php.net as well for further study (regular expressions take time to learn and get used to).

    Bye
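As an added example (not code from any poster in this thread), here is the input-validation approach that replies #4 and #7 recommend, applied to the original `?site=x` include: the parameter is looked up in an explicit allowlist and the resulting path is checked with realpath() before it is included. The `pages/` directory and the page names are assumptions.

```php
<?php
// Added example, not code from any poster in this thread. It resolves the
// 'site' parameter against an explicit allowlist instead of building an
// include path from raw input. PAGES_DIR and the page names are assumptions.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';            // assumed directory of includable pages

// Only these names are ever mapped to a file; anything else is refused.
const ALLOWED_PAGES = [
    'main'    => 'main.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map the requested site name to an absolute path inside PAGES_DIR, or
 * return null when the name is not allowlisted or the file is missing.
 * realpath() is a second check so the result cannot point outside PAGES_DIR
 * even if the allowlist is edited carelessly later.
 */
function resolvePage($site): ?string
{
    if (!is_string($site) || $site === '') {       // ?site[]=x arrives as an array
        $site = 'main';
    }
    if (!array_key_exists($site, ALLOWED_PAGES)) {
        return null;                               // unknown name: refuse, never guess
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$site]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                               // missing, or resolved outside PAGES_DIR
    }
    return $path;
}

$page = resolvePage($_GET['site'] ?? null);
if ($page === null) {
    http_response_code(404);
    echo 'Page not found';                         // never echo the raw parameter back
    exit;
}
include $page;
```

Because the include path is chosen from the allowlist rather than from the request, filtering tricks against `../` removal or added extensions never reach the filesystem.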
