Page 1 of 3

Geek Time! : PHP coding question.

Posted: Jul 22nd 2003, 2:37 pm
by fnordboy
DAMNIT, I hit the "edit" button instead of the "quote" button. Geez, I shouldn't answer topics in a hurry. Arrgh.

Sorry fnordboy! :-( :-(

Sascha.

Posted: Jul 22nd 2003, 2:52 pm
by Natasha (candygirl)
LMNOP

:P

Posted: Jul 22nd 2003, 3:45 pm
by mglenn
Sascha is the resident PHP expert, so hopefully he spots this thread and can answer this for you. I know enough to read PHP but not to answer any serious questions... Java and Perl on the other hand :D

Posted: Jul 22nd 2003, 3:58 pm
by Sascha
You can do it that way, but a few suggestions:
Don't use the $show variable without prior checking. Someone could create a malicious URL like "other.php?page=../../allmypasswords"

If you have only small amounts of content consider putting it all into one file like this:

Code:

file: reviews.php

<?php

switch ($_GET["page"]) { 
  case "main": echo "This is where your HTML content goes";
     break;
  case "somethingelse": echo "Alternative HTML content";
     break;
  case "externaldata": include "externalfile.html";
     break;
   default: echo "Error: don't know what to do";
}

?>

Or for the "other.php" file a little more complicated:

Code:

<?php

switch ($_GET["page"]) { 
  case "main":
  default:
     echo "This is where your main HTML content goes";
     break;
  case "skins": 
      switch ($_GET["show"]) { 
         case "eve": echo "eve skin goes here";
             break;
         default: echo "You forgot to declare 'show'";
     }
    break;
}

?>

This will display the "main" content even if others.php is called without any request variables. And if "skins" is requested, it will display the requested html page (if available).

You could even compress this concept even more, using only one main index.php script which could be called like this:

index.php?section=others&subsection=skins&show=eve

But this is not very search engine friendly (they don't like variables in URLs).

Hope this helps :-)

Posted: Jul 22nd 2003, 4:06 pm
by fnordboy
:sad2: My Post Is Gone :sad2: ;)

Sab, thanks for the tips. I don't know how useful that is for me in the long run since I will eventually have a lot of data and whatnot that will be loading in those pages. Right now it would be fine, but down the road it will be a nuisance to do it the above way (I think).

Is there a way to easily secure the way I am doing it currently?

Posted: Jul 22nd 2003, 4:31 pm
by Natasha (candygirl)
I still stand by original answer: LMNOP.

:lol:

Posted: Jul 22nd 2003, 4:35 pm
by fnordboy
candygirl wrote:I still stand by original answer: LMNOP.

:lol:
LOL UR :lol:

;)

Though I guess I should just RTFM :?

Posted: Jul 22nd 2003, 5:21 pm
by Sascha
fnordboy wrote: Is there a way to easily secure the way I am doing it currently?
Yeah, in larger sites this will become very difficult to edit. That's usually the point where database-driven content management tools come into play (like here at mscl.com in the fanfiction section).

If you don't want to list each possible "to-be-included-file" by exact name in a php script, you have to clean the $_GET["page"] and $_GET["show"] strings from any potential "bad things".

The quick'n'dirty way would be to do some str_replace commands before using $page in an include command:

Code:

// strip the traversal characters from the requested name
$page = str_replace ('..','',$_GET["page"]);
$page = str_replace ('/','',$page);
$page = str_replace ('\\','',$page);   // '\\' is one backslash inside single quotes

$filename = $page . '.html';
if (file_exists($filename)) {
     include ($filename);
}
To include subitems on pages (like different skins in the "others.php" script) you could instead do the following:

Code:

if (isset ($_GET["page"]) and !isset($_GET["show"])) {    // note the ! before the 2nd "isset"
   $page = str_replace ('..','',$_GET["page"]);
   $page = str_replace ('/','',$page);
   $page = str_replace ('\\','',$page);   // '\\' is one backslash inside single quotes

   $filename = $page . '.html';
   if (file_exists($filename)) {
       include ($filename);
   }
} 

if (isset($_GET["show"]) and isset($_GET["page"])) {
   $page = str_replace ('..','',$_GET["page"]);
   $page = str_replace ('/','',$page);
   $page = str_replace ('\\','',$page);

   $show = str_replace ('..','',$_GET["show"]);
   $show = str_replace ('/','',$show);
   $show = str_replace ('\\','',$show);

   $filename = $page . '_' . $show . '.html';
   if (file_exists($filename)) {
       include ($filename);
   }
} 
For a request like others.php?page=skins&show=eve this would include the page 'skins_eve.html'. Of course this code could be cleaned up and optimized. And one could probably drop some of the str_replace commands in the second example because the filename will always have a '_' in it if $show is set.

But there are still holes. One could theoretically translate ".." into Unicode characters, etc.


Wow, I hit the correct button.
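The two posts above describe two ways of handling the "page" and "show" request variables: listing every allowed page by name in a switch, or stripping "..", "/" and "\" from the value before building a filename. The following is an added example, not code from this thread or from Sascha, that combines both ideas in one loader: a strict character check, a fixed allowlist of page and sub-item names, and a realpath() containment check on the resolved file. The content directory layout, the allowlist entries and the function name resolve_page are assumptions made for the example.

```php
<?php
// Added example (not from the thread): resolve ?page=...&show=... to a file
// without ever passing the raw request value to include().
//
// Assumed layout: fragments live in ./content as main.html, reviews.html,
// skins.html, skins_eve.html, skins_default.html. Anything not listed below
// is rejected, so a name like "../../allmypasswords" never reaches include().
const CONTENT_DIR   = __DIR__ . '/content';
const ALLOWED_PAGES = ['main', 'reviews', 'skins'];
const ALLOWED_SHOWS = ['skins' => ['eve', 'default']];   // sub-items per page

/**
 * Return the real path of the fragment to include, or null if the request
 * is not acceptable. The caller decides what to render on null.
 */
function resolve_page(array $query): ?string
{
    $page = $query['page'] ?? 'main';   // missing page -> main, like the switch in the earlier post
    $show = $query['show'] ?? null;

    // 1. Strict syntax check: lowercase letters, digits and '_' only.
    //    This already excludes '.', '/', '\', '%', NUL bytes and spaces, so no
    //    character-stripping is needed and nothing can be "smuggled" past it.
    $name = '/^[a-z0-9_]{1,32}$/';
    if (!is_string($page) || !preg_match($name, $page)) {
        return null;
    }
    if ($show !== null && (!is_string($show) || !preg_match($name, $show))) {
        return null;
    }

    // 2. Allowlist: only pages we know about, and only the sub-items that
    //    belong to that page.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    if ($show !== null && !in_array($show, ALLOWED_SHOWS[$page] ?? [], true)) {
        return null;
    }

    // Same naming scheme as the thread: skins.html or skins_eve.html.
    $file      = ($show === null) ? "$page.html" : "{$page}_{$show}.html";
    $candidate = CONTENT_DIR . '/' . $file;

    // 3. Containment check: realpath() collapses '..' and symlinks, so we can
    //    verify the final location is inside CONTENT_DIR. Steps 1 and 2 make
    //    this redundant; it is cheap insurance against a later change to the
    //    allowlists or a misconfigured CONTENT_DIR.
    $base = realpath(CONTENT_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;                     // directory or fragment does not exist
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                     // resolved outside the content directory
    }
    return $real;
}

if (PHP_SAPI === 'cli') {
    // Constructed requests, as they would arrive in $_GET, for a quick local check.
    $requests = [
        ['page' => 'main'],                              // content/main.html if present
        ['page' => 'skins', 'show' => 'eve'],            // content/skins_eve.html if present
        ['page' => '../../allmypasswords'],              // null: fails the syntax check
        ['page' => 'skins', 'show' => 'nonexistent'],    // null: not in the allowlist
    ];
    foreach ($requests as $q) {
        var_dump(resolve_page($q));
    }
} else {
    // Web usage, e.g. in other.php: include the fragment or a fixed message.
    $target = resolve_page($_GET);
    if ($target === null) {
        http_response_code(404);
        echo "Error: don't know what to do";  // same wording the thread uses
    } else {
        include $target;
    }
}
```

Run it from the command line to see which of the constructed requests resolve (the first two only when the corresponding files exist under ./content). The point of the design is that the request value is never used as a filename by itself: it is only ever compared against names the script already knows, and the filename is built from those known names.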

Posted: Jul 22nd 2003, 11:17 pm
by GaryEA
:shock:

I have no idea what you kids are talking about. Is this stuff similar to writing html code?

Gary

Posted: Jul 23rd 2003, 2:15 am
by Nostradamus
Yeah, I missed the original post too. It sounds interesting, so, uh, what is it?

:)

Posted: Jul 23rd 2003, 2:34 am
by fnordboy
Nostradamus wrote:Yeah, I missed the original post too. It sounds interesting, so, uh, what is it?

:)
Quick version: I am moving one of my sites to a new server and I coded the site in ASP originally. Now that I am moving onto a Linux box and some of my ASP scripts won't run correctly under Apache::ASP, I decided to recode it to PHP and at the same time build a *small* and *simple* content management system for the reviews section and an "other downloads" section. Sascha here killed that idea with his security concerns... so now I am debating where to go with it (though right now I did finish building the reviews section). I was working on other areas of the site tonight so I haven't had a chance to even try out some of his suggestions (but I will :) )

Posted: Jul 23rd 2003, 3:20 am
by Nostradamus
<pretending to comprehend technobabble>

Well, that clears it up! Candygirl was right, you need the LMNOP. You might also want to recalculate the TSR quantum simulator for a WDG-5000 inversion scenario. And, if all else fails, ATM fix everything! ATM!

:wink:

Posted: Jul 23rd 2003, 4:13 am
by Sascha
Nostradamus wrote: Well, that clears it up! Candygirl was right, you need the LMNOP.
Hm, I don't see how the "Lake Merritt Neighbors Organized for Peace" could be of any help here. :wink:

Posted: Jul 23rd 2003, 5:14 am
by starbug
:microwave:

:D

Posted: Jul 23rd 2003, 10:01 am
by Nothingman
Perhaps you just need more fuel for the flux capacitor, or maybe your matter/antimatter injectors aren't calibrated correctly.

(I know, I'm not helping :P )