I’m trying to get a single index.php to pull content by supplying a ?page=somefile in PHP, and if the ?page is not included in the URL then it should default to loading news.php.
This is what I have; the include for navigation works but the include for page content doesn’t show anything.
Thanks
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>LoveBug</title>
<link rel="stylesheet" href="/style.css" />
</head>
<body>
<!-- navigation menu -->
<?php include $_SERVER['DOCUMENT_ROOT'] . '/navigation.php'; ?>
<!-- end navigation menu -->
<!-- page content -->
<?php include $_SERVER['DOCUMENT_ROOT'] . '/' . isset($_GET[$page]) ? $_GET[$page] . '.php' : 'news.php'; ?>
<!-- end page content -->
</body>
</html>
Had to add a check if the file specified by ?page= exists too, and if not it serves up the not-found page. Posting all this in case anyone needs it.
complete index.php
<head>
<meta charset="UTF-8">
<title>LoveBug</title>
<link rel="stylesheet" href="/style.css" />
</head>
<body>
<!-- navigation menu -->
<?php include $_SERVER['DOCUMENT_ROOT'] . '/navigation.php'; ?>
<!-- end navigation menu -->
<!-- page content -->
<?php
// get the required page or use default news page if page not specified
if (isset($_GET['page']))
    $page = $_SERVER['DOCUMENT_ROOT'] . '/' . $_GET['page'] . '.php';
else
    $page = $_SERVER['DOCUMENT_ROOT'] . '/news.php';
// if page does not exist then use the not-found page
if (!file_exists($page))
    $page = $_SERVER['DOCUMENT_ROOT'] . '/not-found.php';
// include the page
include $page;
?>
<!-- end page content -->
</body>
Fixed it 99%; there’s still a way to screw with it but it’s good enough for now.
Added a test for ‘index’ and replace with ‘news’.
complete index.php
<html lang="en">
<head>
<meta charset="UTF-8">
<title>LoveBug</title>
<link rel="stylesheet" href="/style.css" />
</head>
<body>
<!-- navigation menu -->
<?php include $_SERVER['DOCUMENT_ROOT'] . '/navigation.php'; ?>
<!-- end navigation menu -->
<!-- page content -->
<?php
// get the required page or use default news page if page not specified
if (isset($_GET['page']) && $_GET['page'] != 'index')
    $page = $_SERVER['DOCUMENT_ROOT'] . '/' . $_GET['page'] . '.php';
else
    $page = $_SERVER['DOCUMENT_ROOT'] . '/news.php';
// if page does not exist then use the not-found page
if (!file_exists($page))
    $page = $_SERVER['DOCUMENT_ROOT'] . '/not-found.php';
// include the page
include $page;
?>
<!-- end page content -->
</body>
</html>
Yeah, that makes a change. Actually it’s not completely fixed but good enough.
There’s a check for ‘index’ which serves ‘news’ instead to prevent infinite loops, but if you do this
?page=../htdocs/index
then the test fails and it goes into an infinite loop of index.php loading index.php which loads index.php which loads index.php … you get the idea.
I was actually worried that I might get my account suspended for overloading the server when this mistake happened. I must fix it eventually.
Around 3 years ago (could be more, as time flies by so fast) I started learning HTML, CSS, PHP and JavaScript, and now years later I still know hardly anything lol
// get the required page or use default news page if page not specified
if(isset($_GET['page']) && $_GET['page'] != 'index')
to this
// get the required page or use default news page if page not specified
if(isset($_GET['page']) && strpos($_GET['page'], 'index') === false)
This will check if ‘index’ is anywhere within the string supplied by ?page=. The downside is that you cannot have pages with the word index in the name. There’s probably a better way to test for this, but for now this will do for me anyway.
Yes, this is not safe and can be used to inject something. Someone could definitely use this to enter a path to a file that you don’t want to expose. Someone could also use dots and slashes to access any PHP file in your site like this.
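I guess I could use a PHP switch, something like this?
// use 'news' when ?page= is absent
switch ($_GET['page'] ?? 'news')
{
    case 'news':
        $page = 'news.php';
        break;
    case 'projects':
        $page = 'projects.php';
        break;
    default:
        // any value not listed above gets the not-found page
        $page = 'not-found.php';
        break;
}
// include $page
That should be safer, right? As I wouldn’t be directly using the value supplied.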
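The allowlist idea from the switch post, as an added example that is not part of the original thread: the ?page= value is used only as a lookup key and never becomes part of a path, so both `index` and `../htdocs/index` resolve to the not-found page. The `PAGES` map and the `resolve_page()` name are assumptions made for this example; `news.php`, `projects.php` and `not-found.php` are the file names used in the thread.

```php
<?php
declare(strict_types=1);

// Assumed allowlist: the only ?page= values that map to a file.
// 'index' is deliberately absent, so index.php can never include itself.
const PAGES = [
    'news'     => 'news.php',
    'projects' => 'projects.php',
];

/**
 * Map the raw ?page= value to a file name chosen by the server.
 * The request value is only compared against array keys; it is never
 * concatenated into the path that gets included.
 */
function resolve_page($requested): string
{
    // No ?page= (or an empty one): serve the default page, as in the thread.
    if ($requested === null || $requested === '') {
        return PAGES['news'];
    }
    // ?page[]=x arrives as an array, so reject anything that is not a string,
    // and reject any string that is not a key of the allowlist.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return 'not-found.php';
    }
    return PAGES[$requested];
}

// Constructed sample inputs, including the traversal string from the thread.
$samples = [null, '', 'news', 'projects', 'index', '../htdocs/index', ['news']];
foreach ($samples as $sample) {
    printf(
        "%-20s => %s\n",
        json_encode($sample, JSON_UNESCAPED_SLASHES),
        resolve_page($sample)
    );
}

// In index.php the include would then read:
// include $_SERVER['DOCUMENT_ROOT'] . '/' . resolve_page($_GET['page'] ?? null);
```

Adding a page means adding one entry to `PAGES`; a file that exists on disk but is not listed there cannot be reached through ?page=.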
isset($valid) would be true, regardless of whatever you wrote, because that variable exists.
isset($invalid) would be false, because that variable doesn’t exist.
empty($valid) returns true if it is empty or doesn’t exist.
isset($invalid) would be false, because it doesn’t exist.