Trying and failing to get this php include to work

Hi again

I’m trying to get a single index.php to pull content by supplying a ?page=somefile in php and if the ?page is not included in the url then it should default to loading news.php

this is what I have, the include for navigation works but the include for page content doesnt show anything

Thanks

<!DOCTYPE html>

<html lang="en">

	<head>

		<meta charset="UTF-8">
		<title>LoveBug</title>
		<link rel="stylesheet" href="/style.css" />

	</head>

	<body>

		<!-- navigation menu -->
		<?php include $_SERVER['DOCUMENT_ROOT'] . '/navigation.php'; ?>
		<!-- end navigation menu -->

		<!-- page content -->
		<?php include $_SERVER['DOCUMENT_ROOT'] . '/' . isset($_GET[$page]) ? $_GET[$page] . '.php' : 'news.php'; ?>
		<!-- end page content -->

	</body>

</html>

ah sorry my bad, I just spotted the problem $page that should be ‘page’ damn it, lack of sleep is not good :stuck_out_tongue:

thanks

3 Likes

ah no ! it does serve pages now but if the ?page is not included in the url its not serving the news.php, something is wrong with the isset(…)

I used an if/else and it seems to have fixed the issue

<?php
if(isset($_GET[‘page’]))
$page = $_GET[‘page’];
else
$page = ‘news’;
include $_SERVER[‘DOCUMENT_ROOT’] . ‘/’ . $page . ‘.php’;
?>

panic mode canceled
thanks

btw is this safe ? can something be injected into the url ?

thanks

had to add a check if the file specified by ?page= exists too and if not it serves up the not found page, posting all this in case anyone needs it

complete index.php

<head>

	<meta charset="UTF-8">
	<title>LoveBug</title>
	<link rel="stylesheet" href="/style.css" />

</head>

<body>

	<!-- navigation menu -->
	<?php include $_SERVER['DOCUMENT_ROOT'] . '/navigation.php'; ?>
	<!-- end navigation menu -->

	<!-- page content -->
	<?php

		// get the required page or use default news page if page not specified
		if(isset($_GET['page']))
			$page = $_SERVER['DOCUMENT_ROOT'] . '/' . $_GET['page'] . '.php';
		else
			$page = $_SERVER['DOCUMENT_ROOT'] . '/news.php';

		// if page does not exit then use the not-found page
		if(!file_exists($page))
			$page = $_SERVER['DOCUMENT_ROOT'] . '/not-found.php';

		// include the page
		include $page;

	?>
	<!-- end page content -->

</body>

argh ! the page seems like it goes into an infinite loop if you put ?page=index

whats the best way to fix that ?

thanks

fixed it 99%, theres still a way to screw with it but its good enough for now

added test for ‘index’ and replace with ‘news’
complete index.php

<html lang="en">

	<head>

		<meta charset="UTF-8">
		<title>LoveBug</title>
		<link rel="stylesheet" href="/style.css" />

	</head>

	<body>

		<!-- navigation menu -->
		<?php include $_SERVER['DOCUMENT_ROOT'] . '/navigation.php'; ?>
		<!-- end navigation menu -->

		<!-- page content -->
		<?php

			// get the required page or use default news page if page not specified
			if(isset($_GET['page']) && $_GET['page'] != 'index')
				$page = $_SERVER['DOCUMENT_ROOT'] . '/' . $_GET['page'] . '.php';
			else
				$page = $_SERVER['DOCUMENT_ROOT'] . '/news.php';

			// if page does not exist then use the not-found page
			if(!file_exists($page))
				$page = $_SERVER['DOCUMENT_ROOT'] . '/not-found.php';

			// include the page
			include $page;

		?>
		<!-- end page content -->

	</body>

</html>

Nice, you fixed your own problem

1 Like

yeah that makes a change :stuck_out_tongue: actually its not completely fixed but good enough

theres a check for ‘index’ which serves ‘news’ instead to prevent infinite loops but if you do this

?page=../htdocs/index

then the test fails and it goes into an infinite loop of index.php loading index.php which loads index.php which loads index.php … you get the idea :stuck_out_tongue:

I was actually worried that I might get my account suspended for overloading the server when this mistake happened, I must fix it eventually

around 3 years ago (could be more as time flys by so fast) I started learning html css php javascript and now years later i still know hardly anything lol

1 Like

oh
good luck

1 Like

thanks

final fix for the infinite loop issue

change this

// get the required page or use default news page if page not specified
		if(isset($_GET['page']) && $_GET['page'] != 'index')

to this

			// get the required page or use default news page if page not specified
		if(isset($_GET['page']) && strpos($_GET['page'], 'index') === false)

this will check if ‘index’ is anywhere within the string supplied by ?page= , the downside is that you cannot have pages with the word index in the name, theres probably a better way to test for this but for now this will do for me anyway

Yes, this is not safe and can be used to inject something. Someone could definitely use this to enter a path to a file that you don’t want to expose. Someone could also use dots and slashes to access any PHP file in your site like this.

ah thanks I was thinking it might be an issue, I dont have anything other than my content pages on the site so maybe it’s ok ?

do you have any suggestions on how to improve this ?

thanks

I guess I could use php switch , something like this ?
switch ($GET_[‘page’])
{
case ‘news’:
$page=‘news.php’;
break;
case ‘projects’:
$page=‘projects.php’;
break;

}
// include $page

That should be safer right ? as I wouldnt be directly using the value supplied

1 Like

thanks it worked
new page include code

<?php

		// check for valid pages and set $page
		switch($_GET['page'])
		{
			case 'servers':
				$page = 'servers';
				break;

			case 'projects':
				$page = 'projects';
				break;
				
			case 'project-z80-disassembler':
				$page = 'project-z80-disassembler';
				break;
				
			case 'project-ladybug':
				$page = 'project-ladybug';
				break;
				
			case 'websites':
				$page = 'websites';
				break;
				
			case 'not-found':
				$page = 'not-found';
				break;
				
			default:
				$page = 'news';
				
		}
				
		// get the required page
		include $_SERVER['DOCUMENT_ROOT'] . '/' . $page . '.php';

	?>
	<!-- end page content -->

Yep, that’s much safer!

3 Likes

thanks again for your help

Just to let you know, try this script.

<?php
$valid = $_GET['valid'];
echo (isset($valid) ? 'true' : 'false');
echo (isset($invalid) ? 'true' : 'false');
echo (empty($valid) ? 'true' : 'false');
echo (empty($invalid) ? 'true' : 'false');
?>

isset($valid) would be true, regardless whatever you wrote, because that variable exists.
isset($invalid) would be false, because that variable doesn’t exist.
empty($valid) returns true if empty or doesn’t exist.
isset($invalid) would be false, because it doesn’t exist.

1 Like