Geek Time! : PHP coding question.
DAMNIT, I hit the "edit" button instead of the "quote" button. Geez, I shouldn't answer topics in a hurry. Arrgh.

Sorry fnordboy! Sascha.
Sascha is the resident PHP expert, so hopefully he spots this thread and can answer this for you. I know enough to read PHP but not to answer any serious questions... Java and Perl on the other hand

"When I disagree with a rational man, I let reality be our final arbiter; if I am right, he will learn; if I am wrong, I will; one of us will win, but both will profit." - Ayn Rand
You can do it that way, but a few suggestions:
Don't use the $show variable without prior checking. Someone could create a malicious URL like "other.php?page=../../allmypasswords".

If you have only small amounts of content, consider putting it all into one file like this:
You could even compress this concept even more, using only one main index.php script which could be called like this: index.php?section=others&subsection=skins&show=eve

But this is not very search engine friendly (they don't like variables in URLs). Hope this helps
My Post Is Gone
Sab, thanks for the tips. I don't know how useful that is for me in the long run, since I will eventually have a lot of data and whatnot that will be loading in those pages. Right now it would be fine, but down the road it will be a nuisance to do it the above way (I think). Is there a way to easily secure the way I am doing it currently?
Yeah, in larger sites this will become very difficult to edit. That's usually the point where database-driven content management tools come into play (like here at mscl.com in the fanfiction section).

If you don't want to list each possible "to-be-included file" by exact name in a PHP script, you have to clean the $_GET["page"] and $_GET["show"] strings of any potential "bad things". The quick'n'dirty way would be to do some str_replace commands before using $page in an include command:
But there are still holes. One could theoretically translate ".." in Unicode-characters etc... Wow, I hit the correct button.
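The safer alternative Sascha mentions in both of his posts above (listing every includable file by exact name instead of scrubbing the $_GET string) looks like this in practice. This is an added example, not code from the thread; the page names and file paths in the allowlist are constructed for illustration, and the `content/` directory is assumed to be where the site keeps its includable fragments.

```php
<?php
// Added example: allowlisted includes instead of str_replace scrubbing.
// Keys are the values accepted in the URL (other.php?page=reviews),
// values are the only files this script will ever include.
// The file names below are constructed for illustration.
$pages = [
    'reviews' => 'content/reviews.php',
    'skins'   => 'content/skins.php',
    'eve'     => 'content/others/skins/eve.php',
];

/**
 * Map the requested page name onto an allowlisted file.
 * Anything not in the allowlist (including "../..." strings, Unicode
 * tricks or simply a typo) falls back to the default page, so the
 * request string itself never reaches include().
 */
function resolve_page(array $allowed, ?string $requested, string $default = 'reviews'): string
{
    if ($requested === null || !array_key_exists($requested, $allowed)) {
        return $allowed[$default];
    }
    return $allowed[$requested];
}

/**
 * Second line of defence: confirm the resolved file really lives under
 * the content directory after symlinks and ".." are collapsed.
 * realpath() returns false for a missing file, which is treated as
 * "not contained" so a stale allowlist entry gives a 404 rather than a warning.
 */
function contained_in(string $baseDir, string $path): bool
{
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false;
    }
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
}

// Usage: other.php?page=skins
$file = resolve_page($pages, $_GET['page'] ?? null);

if (!contained_in(__DIR__ . '/content', __DIR__ . '/' . $file)) {
    http_response_code(404);
    exit('Not found');
}

include __DIR__ . '/' . $file;
```

Because the URL value is only ever used as an array key, there is nothing to "clean": an unknown key simply selects the default page. The realpath() check costs one extra line and catches a misconfigured allowlist entry (for example a path that escapes `content/` via a symlink), which is the kind of hole the str_replace approach leaves open.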
Quick version: I am moving one of my sites to a new server and I coded the site in ASP originally. Now that I am moving onto a Linux box and some of my ASP scripts won't run correctly under APACHE::ASP, I decided to recode it to PHP and at the same time build a *small* and *simple* content management system for the reviews section and an "other downloads" section. Sascha here killed that idea with his security concerns... so now I am debating where to go with it (though right now I did finish building the reviews section). I was working on other areas of the site tonight so I haven't had a chance to even try out some of his suggestions (but I will)
<pretending to comprehend technobabble>
Well, that clears it up! Candygirl was right, you need the LMNOP. You might also want to recalculate the TSR quantum simulator for a WDG-5000 inversion scenario. And, if all else fails, ATM fix everything! ATM!

"I have never killed a man, but I have read many obituaries with great pleasure." -- Clarence Darrow
"I didn't attend the funeral, but I sent a nice letter saying I approved of it." -- Mark Twain

Hm, I don't see how the "Lake Merritt Neighbors Organized for Peace" could be of any help here.

http://www.urban-hills.blogspot.com