Trying and failing to get this php include to work

Hi again

I'm trying to get a single index.php to pull content by supplying a ?page=somefile in PHP, and if the ?page is not included in the URL then it should default to loading news.php

this is what I have, the include for navigation works but the include for page content doesn't show anything

Thanks

<!DOCTYPE html>

<html lang="en">

	<head>

		<meta charset="UTF-8">
		<title>LoveBug</title>
		<link rel="stylesheet" href="/style.css" />

	</head>

	<body>

		<!-- navigation menu -->
		<?php include $_SERVER['DOCUMENT_ROOT'] . '/navigation.php'; ?>
		<!-- end navigation menu -->

		<!-- page content -->
		<?php include $_SERVER['DOCUMENT_ROOT'] . '/' . isset($_GET[$page]) ? $_GET[$page] . '.php' : 'news.php'; ?>
		<!-- end page content -->

	</body>

</html>

ah sorry my bad, I just spotted the problem, $page should be 'page'. Damn it, lack of sleep is not good :stuck_out_tongue:

thanks

3 Likes

ah no! it does serve pages now but if the ?page is not included in the URL it's not serving the news.php, something is wrong with the isset(…)

I used an if/else and it seems to have fixed the issue

<?php if(isset($_GET['page'])) $page = $_GET['page']; else $page = 'news'; include $_SERVER['DOCUMENT_ROOT'] . '/' . $page . '.php'; ?>

panic mode canceled
thanks

btw is this safe? can something be injected into the URL?

thanks

had to add a check if the file specified by ?page= exists too and if not it serves up the not found page, posting all this in case anyone needs it

complete index.php

<head>

	<meta charset="UTF-8">
	<title>LoveBug</title>
	<link rel="stylesheet" href="/style.css" />

</head>

<body>

	<!-- navigation menu -->
	<?php include $_SERVER['DOCUMENT_ROOT'] . '/navigation.php'; ?>
	<!-- end navigation menu -->

	<!-- page content -->
	<?php

		// get the required page or use default news page if page not specified
		if(isset($_GET['page']))
			$page = $_SERVER['DOCUMENT_ROOT'] . '/' . $_GET['page'] . '.php';
		else
			$page = $_SERVER['DOCUMENT_ROOT'] . '/news.php';

		// if page does not exist then use the not-found page
		if(!file_exists($page))
			$page = $_SERVER['DOCUMENT_ROOT'] . '/not-found.php';

		// include the page
		include $page;

	?>
	<!-- end page content -->

</body>

argh! the page seems like it goes into an infinite loop if you put ?page=index

what's the best way to fix that?

thanks

fixed it 99%, there's still a way to screw with it but it's good enough for now

added test for 'index' and replace with 'news'
complete index.php

<html lang="en">

	<head>

		<meta charset="UTF-8">
		<title>LoveBug</title>
		<link rel="stylesheet" href="/style.css" />

	</head>

	<body>

		<!-- navigation menu -->
		<?php include $_SERVER['DOCUMENT_ROOT'] . '/navigation.php'; ?>
		<!-- end navigation menu -->

		<!-- page content -->
		<?php

			// get the required page or use default news page if page not specified
			if(isset($_GET['page']) && $_GET['page'] != 'index')
				$page = $_SERVER['DOCUMENT_ROOT'] . '/' . $_GET['page'] . '.php';
			else
				$page = $_SERVER['DOCUMENT_ROOT'] . '/news.php';

			// if page does not exist then use the not-found page
			if(!file_exists($page))
				$page = $_SERVER['DOCUMENT_ROOT'] . '/not-found.php';

			// include the page
			include $page;

		?>
		<!-- end page content -->

	</body>

</html>

Nice, you fixed your own problem

1 Like

yeah that makes a change :stuck_out_tongue: actually it's not completely fixed but good enough

there's a check for 'index' which serves 'news' instead to prevent infinite loops but if you do this

?page=../htdocs/index

then the test fails and it goes into an infinite loop of index.php loading index.php which loads index.php which loads index.php … you get the idea :stuck_out_tongue:

I was actually worried that I might get my account suspended for overloading the server when this mistake happened, I must fix it eventually

around 3 years ago (could be more as time flies by so fast) I started learning HTML, CSS, PHP and JavaScript, and now years later I still know hardly anything lol

1 Like

oh
good luck

1 Like

thanks

final fix for the infinite loop issue

change this

		// get the required page or use default news page if page not specified
		if(isset($_GET['page']) && $_GET['page'] != 'index')

to this

		// get the required page or use default news page if page not specified
		if(isset($_GET['page']) && strpos($_GET['page'], 'index') === false)

this will check if 'index' is anywhere within the string supplied by ?page= , the downside is that you cannot have pages with the word index in the name, there's probably a better way to test for this but for now this will do for me anyway

Yes, this is not safe and can be used to inject something. Someone could definitely use this to enter a path to a file that you don’t want to expose. Someone could also use dots and slashes to access any PHP file in your site like this.

ah thanks I was thinking it might be an issue, I don't have anything other than my content pages on the site so maybe it's ok?

do you have any suggestions on how to improve this?

thanks

I guess I could use a PHP switch, something like this?

switch ($_GET['page'])
{
	case 'news':
		$page = 'news.php';
		break;
	case 'projects':
		$page = 'projects.php';
		break;

}
// include $page

That should be safer, right? as I wouldn't be directly using the value supplied

1 Like

thanks it worked
new page include code

<?php

		// check for valid pages and set $page
		switch($_GET['page'])
		{
			case 'servers':
				$page = 'servers';
				break;

			case 'projects':
				$page = 'projects';
				break;
				
			case 'project-z80-disassembler':
				$page = 'project-z80-disassembler';
				break;
				
			case 'project-ladybug':
				$page = 'project-ladybug';
				break;
				
			case 'websites':
				$page = 'websites';
				break;
				
			case 'not-found':
				$page = 'not-found';
				break;
				
			default:
				$page = 'news';
				
		}
				
		// get the required page
		include $_SERVER['DOCUMENT_ROOT'] . '/' . $page . '.php';

	?>
	<!-- end page content -->

Yep, that’s much safer!

3 Likes
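
The allowlist idea from the switch above, written as a lookup table (an added example, not code from any poster in this thread). `resolve_page`, the `PAGES` constant and the `/var/www/htdocs` root are assumptions for the demo; unlike the thread's switch it sends unknown values to not-found.php rather than news.php, and it needs PHP 8 for the `mixed` type.

```php
<?php
declare(strict_types=1);

// Allowlist: request value => file name. Page names copied from the thread's switch.
const PAGES = [
    'news'                     => 'news.php',
    'servers'                  => 'servers.php',
    'projects'                 => 'projects.php',
    'project-z80-disassembler' => 'project-z80-disassembler.php',
    'project-ladybug'          => 'project-ladybug.php',
    'websites'                 => 'websites.php',
    'not-found'                => 'not-found.php',
];

/**
 * Map the raw ?page= value to a file inside $root (hypothetical helper).
 * The request value is only ever used as an array key, never as part of a path,
 * so dots, slashes and the word "index" need no special handling.
 */
function resolve_page(mixed $requested, string $root): string
{
    // Missing parameter -> default page. This also avoids the undefined-key
    // warning that switch($_GET['page']) raises when ?page is absent.
    if ($requested === null) {
        return $root . '/' . PAGES['news'];
    }
    // ?page[]=x arrives as an array; anything not in the map is "not found".
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return $root . '/' . PAGES['not-found'];
    }
    return $root . '/' . PAGES[$requested];
}

// Constructed inputs, including the traversal value quoted earlier in the thread.
$root = '/var/www/htdocs'; // assumed document root for the demo
foreach ([null, 'projects', 'index', '../htdocs/index', ['x'], 'Projects'] as $in) {
    printf("%-20s => %s\n", json_encode($in, JSON_UNESCAPED_SLASHES), resolve_page($in, $root));
}

// In index.php the call would be:
// include resolve_page($_GET['page'] ?? null, $_SERVER['DOCUMENT_ROOT']);
```

Adding a page then means adding one line to the map, and index.php can never include itself because it is not a key.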

thanks again for your help

Just to let you know, try this script.

<?php
$valid = $_GET['valid'];
echo (isset($valid) ? 'true' : 'false');
echo (isset($invalid) ? 'true' : 'false');
echo (empty($valid) ? 'true' : 'false');
echo (empty($invalid) ? 'true' : 'false');
?>

isset($valid) would be true, regardless of whatever you wrote, because that variable exists.
isset($invalid) would be false, because that variable doesn't exist.
empty($valid) returns true if it is empty or doesn't exist.
isset($invalid) would be false, because it doesn't exist.

1 Like