Geek Time! : PHP coding question.

As the forum title implies: This is the forum for "anything else" which doesn't fit into one of the other forums.
User avatar
fnordboy
Ed Zwick Wannabe
Posts: 1954
Joined: Sep 25th 2002, 10:29 am
Location: Exit 16E, NJ
Contact:

Geek Time! : PHP coding question.

Post by fnordboy » Jul 22nd 2003, 2:37 pm

DAMNIT, I hit the "edit" button instead of the "quote" button. Geez, I shouldn't answer topics in a hurry. Arrgh.

Sorry fnordboy! :-( :-(

Sascha.

User avatar
Natasha (candygirl)
MSCL.com Team
MSCL.com Team
Posts: 5374
Joined: Dec 7th 2001, 3:05 am
Location: California

Post by Natasha (candygirl) » Jul 22nd 2003, 2:52 pm

LMNOP

:P
Natasha aka candygirl :: MSCL.com

Look, if this is weird for you, being tutored? I don't mind helping you a little longer.
You could have sex with me if you really want to help...I guess that's a "no"?

User avatar
mglenn
MSCL.com Team
MSCL.com Team
Posts: 552
Joined: May 25th 1999, 4:46 pm
Location: Butler, PA ( AKA: Three Rivers, PA )
Contact:

Post by mglenn » Jul 22nd 2003, 3:45 pm

Sacsha is the resident PHP expert, so hopefully he spots this thread and can answer this for you. I know enough to read php but not to answer any serious questions... Java and Perl on the other hand :D
"When I disagree with a rational man, I let reality be our final arbiter; if I am right, he will learn; if I am wrong, I will; one of us will win, but both will profit." - Ayn Rand

User avatar
Sascha (sab)
MSCL.com Team
MSCL.com Team
Posts: 1547
Joined: Jun 10th 1999, 5:20 pm
Location: Switzerland
Contact:

Post by Sascha (sab) » Jul 22nd 2003, 3:58 pm

You can do it that way, but a few suggestions:
Don't use the $show variable without prior checking. Someone could create a malicious URL like "other.php?page=../../allmypasswords"

If you have only small amounts of content consider putting it all into one file like this:

Code: Select all

file: reviews.php

<?php

switch ($_GET["page"]) { 
  case "main": echo "This is where your HTML content goes";
     break;
  case "somethingelse": echo "Alternative HTML content";
     break;
  case "externaldata": include "externalfile.html";
     break;
   default: echo "Error: don't know what to do";
}

?>

Or for the "other.php" file a little more complicated:

Code: Select all

<?php

switch ($_GET["page"]) { 
  case "main":
  default:
     echo "This is where your main HTML content goes";
     break;
  case "skins": 
      switch ($_GET["show"]) { 
         case "eve": echo "eve skin goes here";
             break;
         default: "You forgot to declare 'show'";
     }
    break;
}

?>

This will display the "main" content even if others.php is called without any request variables. And if "skins" is requested, it will display the requested html page (if available).

You could even compress this concept even more, using only one main index.php script which could be called like this:

index.php?section=others&subsection=skins&show=eve

But this is not very search engine friendly (they don't like variables in URL's)

Hope this helps :-)
Sascha A. Beck (sab) :: MSCL.com
www.mscl.com :: www.sablog.de

User avatar
fnordboy
Ed Zwick Wannabe
Posts: 1954
Joined: Sep 25th 2002, 10:29 am
Location: Exit 16E, NJ
Contact:

Post by fnordboy » Jul 22nd 2003, 4:06 pm

:sad2: My Post Is Gone :sad2: ;)

Sab, thanks for the tips. I don't know how useful that is for me in the long wrong since I will eventually have a lot of data and what not that will be loading in those pages. Right now it would be fine, but down the road it will be a nuisance to do it the above way (i think).

Is there a way to easily secure the way I am doing it currently?

User avatar
Natasha (candygirl)
MSCL.com Team
MSCL.com Team
Posts: 5374
Joined: Dec 7th 2001, 3:05 am
Location: California

Post by Natasha (candygirl) » Jul 22nd 2003, 4:31 pm

I still stand by original answer: LMNOP.

:lol:
Natasha aka candygirl :: MSCL.com

Look, if this is weird for you, being tutored? I don't mind helping you a little longer.
You could have sex with me if you really want to help...I guess that's a "no"?

User avatar
fnordboy
Ed Zwick Wannabe
Posts: 1954
Joined: Sep 25th 2002, 10:29 am
Location: Exit 16E, NJ
Contact:

Post by fnordboy » Jul 22nd 2003, 4:35 pm

candygirl wrote:I still stand by original answer: LMNOP.

:lol:
LOL UR :lol:

;)

Though I guess I should just RTFM :?

User avatar
Sascha (sab)
MSCL.com Team
MSCL.com Team
Posts: 1547
Joined: Jun 10th 1999, 5:20 pm
Location: Switzerland
Contact:

Post by Sascha (sab) » Jul 22nd 2003, 5:21 pm

fnordboy wrote: Is there a way to easily secure the way I am doing it currently?
Yeah, in larger sites this will become very difficult to edit. That's usually the point where database-driven content management tools come in place (like here at mscl.com in the fanfiction section).

If you don't want to list each possible "to-be-included-file" by exact name in a php script, you have to clean the $_GET["page"] and $_GET["show"] strings from any potential "bad things".

The quick'n'dirty way would be to do some str_replace commands before using $page in an include command:

Code: Select all

$page = str_replace ('..','',$_GET["page"]);
$page = str_replace ('/','',$page);
$page = str_replace ('\','',$page);

$filename = $page . '.html':
if (file_exists($filename)) {
     include ($filename);
}
To include subitems on pages (like different skins in the "others.php" script) you could instead do the following:

Code: Select all

if (isset ($_GET["page"]) and !isset($_GET["show"])) {    // note the ! before the 2nd "isset"
   $page = str_replace ('..','',$_GET["page"]);
   $page = str_replace ('/','',$page);
   $page = str_replace ('\','',$page);

   $filename = $page . '.html';
   if (file_exists($filename)) {
       include ($filename);
   }
} 

if (isset($_GET["show"]) and isset($_GET["page"])) {
   $page = str_replace ('..','',$_GET["page"]);
   $page = str_replace ('/','',$page);
   $page = str_replace ('\','',$page);

   $show = str_replace ('..','',$_GET["show"]);
   $show = str_replace ('/','',$show);
   $show = str_replace ('\','',$show);

   $filename = $page . '_' . $show . '.html';
   if (file_exists($filename)) {
       include ($filename);
   }
} 
For a request like others.php?page=skins&show=eve this would include the page 'skins_eve.html'. Of course this code could be cleaned up and optimized. And one could probably drop some of the str_replace commands in the second example because the filename will always have a '_' in it if $show is set.

But there are still holes. One could theoretically translate ".." in Unicode-characters etc...


Wow, I hit the correct button.

User avatar
GaryEA
So-Called Addict
Posts: 773
Joined: Oct 30th 2002, 6:45 pm
Location: Exit 15W, NJ
Contact:

Post by GaryEA » Jul 22nd 2003, 11:17 pm

:shock:

I have no idea what you kids are talking about. Is this stuff similar to writing html code?

Gary

User avatar
Nostradamus
Marshall Wannabe
Posts: 1213
Joined: Jun 29th 2002, 6:42 am
Location: No matter where you go, There you are.

Post by Nostradamus » Jul 23rd 2003, 2:15 am

Yeah, I missed the original post too. It sounds interesting, so, uh, what is it?

:)
I have never killed a man, but I have read many obituaries with great pleasure.
-- Clarence Darrow

I didn't attend the funeral, but I sent a nice letter saying I approved of it.
-- Mark Twain

User avatar
fnordboy
Ed Zwick Wannabe
Posts: 1954
Joined: Sep 25th 2002, 10:29 am
Location: Exit 16E, NJ
Contact:

Post by fnordboy » Jul 23rd 2003, 2:34 am

Nostradamus wrote:Yeah, I missed the original post too. It sounds interesting, so, uh, what is it?

:)
Quick version: I am moving one of my sites to a new server and I coded the site in ASP originally. Now that I am moving onto a Linux box and some of my ASP scripts wont run correctly under APACHE::ASP I decided to recode it to PHP and at the same time build a *small* and *simple* content management system for the reviews section and an "other downloads" section. Sascha here killed that idea with his security concerns...so now I am debating where to go with it (though right now I did finish building the reviews section). I was working on other areas of the site tonight so I haven't had a chance to even try out some of his suggestions (but I will :) )

User avatar
Nostradamus
Marshall Wannabe
Posts: 1213
Joined: Jun 29th 2002, 6:42 am
Location: No matter where you go, There you are.

Post by Nostradamus » Jul 23rd 2003, 3:20 am

<pretending to comprehend technobabble>

Well, that clears it up! Candygirl was right, you need the LMNOP. You might also want to recalculate the TSR quantum simulator for a WDG-5000 inversion scenario. And, if all else fails, ATM fix everything! ATM!

:wink:
I have never killed a man, but I have read many obituaries with great pleasure.
-- Clarence Darrow

I didn't attend the funeral, but I sent a nice letter saying I approved of it.
-- Mark Twain

User avatar
Sascha (sab)
MSCL.com Team
MSCL.com Team
Posts: 1547
Joined: Jun 10th 1999, 5:20 pm
Location: Switzerland
Contact:

Post by Sascha (sab) » Jul 23rd 2003, 4:13 am

Nostradamus wrote: Well, that clears it up! Candygirl was right, you need the LMNOP.
Hm, I don't see how the "Lake Merritt Neighbors Organized for Peace" could be of any help here. :wink:

User avatar
starbug
Lifehead
Posts: 1082
Joined: Jun 25th 2002, 4:51 am
Location: UK

Post by starbug » Jul 23rd 2003, 5:14 am

:microwave:

:D

---------------------------------------------
http://www.urban-hills.blogspot.com
---------------------------------------------

User avatar
Nothingman
Liberty High Graduate
Posts: 704
Joined: Feb 26th 2003, 3:39 pm
Location: Hockey Falls, USA
Contact:

Post by Nothingman » Jul 23rd 2003, 10:01 am

Perhaps you just need more fuel for the flux capacitor, or maybe your matter, anitimatter injectors aren't calibrated correctly.

(I know, I'm not helping :P )
"To come to your senses, you must first go out of your mind." - Alan Watts

Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests