PHP Page includes..

**blindchild02** · Jan 11th, 2006, 06:32 PM

Well, for my site right now im using this:

Code:

<?php
				$view = $_GET['view'];
				if(!$view){$view = "home";}
				include"$view.php";
		  ?>

and for my links, i use ?view=pagename, and it loads the page in the place i put the php..

but i was informed that hackers can easily hack my server by inputting their own file, instead of my pagename...

are there any alternatives to this?
(im not a php coder)

**Web Design Forums** · Jan 11th, 2006 06:32 PM

**jbagley** · Jan 12th, 2006, 12:15 AM

I don't think a hacker could get in and hack your server that way... All a person could do is change the view=pagename into something, and if you didnt have a page named that, it would return a 404 (document not found).

So it's safe to use.

**blindchild02** · Jan 12th, 2006, 03:45 PM

well, i was told they could do.. ?view=http://page.com

or whatever, and it would mess me up and whatnot

**filburt1** · Jan 12th, 2006, 04:09 PM

Uh, they can request a file that does exist with sensitive information like a configuration file containing usernames and passwords.

**blindchild02** · Jan 12th, 2006, 05:11 PM

Originally Posted by filburt1

Uh, they can request a file that does exist with sensitive information like a configuration file containing usernames and passwords.

is that sarcasm or something? lol

**Fallout** · Jan 12th, 2006, 05:20 PM

Its not sarcasm at all... its a real issue. For example:

?view=.htpassword or ?view=.htaccess could be used to grab the passwords for any protected directories or ?view=../dbinfo.txt, etc. could let someone read your DB connection info.

**bfsog** · Jan 12th, 2006, 05:43 PM

One way is to define an array of allowed parameters, and if $_GET['view'] matches, then proceed.

PHP Code:


<?php



/* This script:

       gets the ?view param

       checks them against an array of allowed values

       if there is a match, run the include line.

      else, display a file of your choice/do what you wish

*/



$view = trim($_GET['view']); // remove extra spaces and so on..

// here is the array of allowed pages



$allow = array("home.php", "faq.php", "images.php", "blah.php");



// check for match



if(in_array($view, $allow)

         {

             include($view);

         }

else

         {

             include("defaultpage.php"); // you could use $array[0] for home.php

            // or you could echo "Baf user! etc..

         }

?>

Hope that helps.

**blindchild02** · Jan 13th, 2006, 09:22 AM

and i add that where i want the page to load??

and do i keep the ?view=page for the links?

**bfsog** · Jan 13th, 2006, 09:25 AM

You add that to whatever page you want to include the page.

For example, you have a file named page.php which includes the value of ?page

Your link would be like

HTML Code:

<a href="page.php?view=faq.php">View faq</a>

**blindchild02** · Jan 14th, 2006, 10:02 AM

I get this error:

arse error: parse error, unexpected '}' in index2.php on line 146

Thread: PHP Page includes..

LinkBack

Thread Tools

Search Thread

Display

Remove Ads

Posting Permissions