PHP Server Side Scripting Forum

    
Beginner trying to simplify script
calvinmicklefinger




msg:4147808
 8:32 pm on Jun 6, 2010 (gmt 0)

I am building links in the form of ...

<a href="http://mysite.com/?i=1">Link Text</a>

Which works fine with this simple switch statement ...

<?php
$var = $_GET['i'];
switch ($var) {
    case 1:
        include '1.php';
        break;
    case 2:
        include '2.php';
        break;
    case 3:
        include '3.php';
        break;
    default:
        include 'notlost.php';
}
?>


I would like to simplify this statement so that it will operate faster, and I will not have to add a new switch statement each time I add a new page. I have tried ...

<?php
$var = $_GET['i'];
if ($var =='')
include 'notlost.php';
else
include "$var.php";
?>


It doesn't seem to work. I get a blank page when I try to use the if-else statement.

What have I messed up?
Kirk

 

calvinmicklefinger




msg:4147810
 8:36 pm on Jun 6, 2010 (gmt 0)

Well piddle. Must have been a typo.

On a lark I copied the code from this page into my site and it works.

I apologize for wasting your Angstrom units.

Matthew1980




msg:4147813
 8:48 pm on Jun 6, 2010 (gmt 0)

Hi there calvinmicklefinger,

Well with respect to your snippet, either the switch or the if/elseif/else will work just as well, just depends on your preference, BUT, the only thing I will advocate here is this: Because you are using the $_GET['']; superglobal, you need to do some basic cleansing, ie:-

<?php
$var = strip_tags($_GET['i']);
if ($var =='')
include 'notlost.php';
else
include "$var.php";
?>


Hope this helps you ;)

[EDIT:] You reminded me of a previous thread, have a read through this, Coopster has a great suggestion there for you - similar sort of question with the same answer methinks ;)
[webmasterworld.com ]

Cheers,
MRb

calvinmicklefinger




msg:4147818
 9:13 pm on Jun 6, 2010 (gmt 0)

Thanks Matthew ...

Any and all coding help is sorely appreciated. Old fogeys like me think in terms of pencil and paper and this thing with the Angstrom units flowing all over the world is still a mystery.

Thanks again!
I'll add that housekeeping now!

Matthew1980




msg:4147828
 9:32 pm on Jun 6, 2010 (gmt 0)

Hi there calvinmicklefinger,

I just googled Angstrom to see if it meant what I thought, made me laugh a little as my profession is mass spectrometry - and we work on particle/ion level - so your context of use is rather apt.

No problem for the help, this forum and the people who use it are very knowledgeable, I would be lost without the advice/help and tips from its patrons.

Have fun with the code, and you are never too old to learn.

Cheers,
MRb

[edited by: Matthew1980 at 10:13 pm (utc) on Jun 6, 2010]

calvinmicklefinger




msg:4147838
 9:55 pm on Jun 6, 2010 (gmt 0)

Hi Matthew,

I learned about Angstrom and his units back in 1958 when I entered the army at a very young and tender age.

I was assigned to the radar unit of a Nike missile site defending Gary, Indiana, from the "Commie" threat. On my first day in the radar trailer, I was sent to the Quartermaster and told to bring back a bucket of Angstrom units. As soon as the Quartermaster chuckled and sent me off to the Mess Sergeant, I knew I was being "had." I spent the rest of the day going from one old hand to another, having a nice time wandering around the base and relaxing. That night I immediately went to the library and looked up Angstrom Units.

Remembered it ever since. It still surprises me how few folks with Electrical Engineering or Computer Science degrees know what it is.

Cheers, and thanks again.

rocknbil




msg:4147906
 12:51 am on Jun 7, 2010 (gmt 0)

If that is your real structure, $_GET['i'] is expected to be a number, right? You want to make sure the file actually exists . . . and it's not someone injecting something for a different php include, like, oh I donno, phpinfo.php . . . .


// Accept only a positive number that maps to an existing file in the document root.
if (
    isset($_GET['i']) and is_numeric($_GET['i']) and ($_GET['i'] > 0)
    and is_file($_SERVER['DOCUMENT_ROOT']."/".$_GET['i'].".php")
) {
    $include = $_SERVER['DOCUMENT_ROOT']."/".$_GET['i'].".php";
}
else {
    // Anything else falls back to the default page.
    $include = $_SERVER['DOCUMENT_ROOT']."/notlost.php";
}
include($include);

Accept only what you expect and throw everything else away. If you expect a number or nothing, this would filter it just as well.

With an array, you have a controlled set of known inputs, which kinda does the same thing, it's only allowing includes "within my accepted set." When you're deciding the included file based on input, you need to be more restrictive.

script.php?i=phpinfo

would reveal a whole lotta stuff about your server you don't want some people seeing, if you forget and leave it on there.

calvinmicklefinger




msg:4147950
 4:26 am on Jun 7, 2010 (gmt 0)

This is what I wound up with. It seemed to simplify a lot of things and handles a lot of different situations. Please remember, I aren't no coder, so I hope it is bug proof. Please advise if it amn't.

In my .htaccess ...
DirectoryIndex index.php
RewriteEngine On
RewriteRule ^([A-Za-z0-9]+)$ /index.php?i=$1 [L]


In my index.php ...
<?php
$var = strip_tags($_GET['i']);
if (file_exists("$var.php"))
{
include "$var.php";
}Else{
include '0.php';
}
?>


Seems to work so far, and handles missing pages. But, as you say, it could run phpinfo.php if I accidentally wind up with it in my root.

I don't know enough code to understand the globals you are using ... What do you think I can do to make this better? How can I protect against things like code injections?

Matthew1980




msg:4147995
 7:09 am on Jun 7, 2010 (gmt 0)

Hi all,

Oops, yes Rocknbil, I should have noted that possibility, so instead of using strip_tags() is_numeric() would have been and is the best way to go with that, and I only just noticed as there were no curly braces on the original post - but I am sure that can still function, and that the use of curlies is just good practise and clears up ambiguity between clauses. If I am wrong, please let me know.

Just to clarify - replace strip_tags with is_numeric() - that's if your file system is based on numbers

Happy coding calvinmicklefinger,

Cheers,
MRb

rocknbil




msg:4148224
 4:42 pm on Jun 7, 2010 (gmt 0)

Yeah, probably don't need to check for > 0 now that I'm seeing it roll out. :-)

Some things here . . . .

RewriteRule ^([A-Za-z0-9]+)$ /index.php?i=$1 [L]

So this will pipe almost everything to the domain root in a query string. Some examples that will wind up as i in $_GET

/phpinfo :-) (but your script will filter it out and point it to 0.php for an include, using is_numeric())
/anyfile (0.php)
/1
/2

What WON'T go to index.php,

/some-file
/some_other_file

A direct request to a domain root won't, but that will probably go to index.php by default if you don't have an index.htm(l). So again, 0.php

So I am presuming you are still only accepting requests for numeric URL's right? So you can make this more specific:

RewriteRule ^(\d+)$ /index.php?i=$1 [L]

\d and 0-9 are equivalent, and no need for a class. Just a bit of info, [A-Za-z] and either of those with a no case modifier are also equivalent:

RewriteRule ^([a-z]+)$ /index.php?i=$1 [NC,L]

Just a question, is this experimental or intended for a live site? The reason I ask is

example.com/4

Is not a real fruitful URL in terms of SEO and user experience, but

example.com/buy-cool-widgets

might be. But with what you've done so far, it wouldn't be too difficult to change tactics.

calvinmicklefinger




msg:4148265
 5:40 pm on Jun 7, 2010 (gmt 0)

What WON'T go to index.php,

/some-file
/some_other_file

I've come to the conclusion that I may need to be pretty flexible with the filenames. I'm thinking the easiest way would be to put them in a "content" sub-directory which I can control and won't run the risk of being cluttered up with so many files in the root that I get confused.

Just a question, is this experimental or intended for a live site? The reason I ask is

example.com/4

Is not a real fruitful URL in terms of SEO and user experience, but

example.com/buy-cool-widgets

might be.

I hadn't been worried about trying to be SEO fodder. I am running long term email campaigns (into our second year now) with JV partners and wanted their pages to be sort of "hidden" from casual visitors. i.e., no navigation links on the pages. Everyone arrives at a specific landing page by way of a link in an email message or on someone else's site. Mainly this is so Ralph can make one offer for my product and George can make a different one.

I've had feedback that this will cause Google to see everything as "duplicate content" and drop me from a "ranking," but I'm not sure how to adapt for that.

However, being able to name a page ...

example.com/some-cool-name or
example.com/some-really-cool-name

is looking more attractive all the time.

A direct request to a domain root won't, but that will probably go to index.php by default if you don't have an index.htm(l). So again, 0.php

I removed the index.htm(l) bunch, and placed this code in the index.php so that a call to the root loads 0.php

I think I'll move the content to some strangely named content folder. That sound worthwhile? Any additional advice. Old fogeys learn slow. (You know, the Old Dog, New Tricks syndrome here.)
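
One way to combine the advice in this thread (accept only what you expect, check that the file exists, keep pages in a "content" sub-directory), as an added example that is not code from any poster. The script validates `i` itself, because the RewriteRule pattern only constrains rewritten URLs and a direct request to index.php?i=... never passes through it. The function name resolve_include, the directory layout and the slug pattern are assumptions.

```php
<?php
// Added example, not code from the thread. resolve_include(), the "content"
// directory and the slug pattern are assumptions made for illustration.

// Map the raw ?i= value to a file inside $contentDir, or return $fallback.
function resolve_include($raw, $contentDir, $fallback)
{
    // 1. Accept only what you expect: letters, digits, hyphen, underscore.
    //    No dots or slashes, so "../" and "x.php" never reach the file system.
    //    \z anchors at the true end; a bare $ also matches before a final newline.
    if (!is_string($raw) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw)) {
        return $fallback;
    }
    // 2. Resolve symlinks, then require a regular file under the content directory.
    $base = realpath($contentDir);
    $path = realpath($contentDir . '/' . $raw . '.php');
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $path;
}

// Constructed layout in a temp directory: two pages under content/ and a
// forgotten phpinfo.php one level up, as in the thread's scenario.
$root = sys_get_temp_dir() . '/include-demo-' . getmypid();
mkdir($root . '/content', 0700, true);
file_put_contents($root . '/content/0.php', '<?php // default page');
file_put_contents($root . '/content/some-cool-name.php', '<?php // landing page');
file_put_contents($root . '/phpinfo.php', '<?php // forgotten file');

// Constructed inputs: valid slug, missing page, file outside content/, traversal,
// extension supplied by the client, trailing newline, array (?i[]=x), missing value.
$samples = array('some-cool-name', '1', 'phpinfo', '../phpinfo',
                 'some-cool-name.php', "0\n", array('x'), null);
foreach ($samples as $raw) {
    $hit = resolve_include($raw, $root . '/content', $root . '/content/0.php');
    printf("%-22s => content/%s\n", json_encode($raw, JSON_UNESCAPED_SLASHES), basename($hit));
}

// Remove the demo files.
foreach (array('/content/0.php', '/content/some-cool-name.php', '/phpinfo.php') as $f) { unlink($root . $f); }
rmdir($root . '/content');
rmdir($root);

// Assumed use in index.php:
// include resolve_include(isset($_GET['i']) ? $_GET['i'] : null,
//                         __DIR__ . '/content', __DIR__ . '/content/0.php');
```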
