The part I want to grasp soon is how I can do this when the files are coming from separate directories. For example, if
/leftfield/ contains index.html and swords.html-
The function looks like this in my html:
<?
if(!$file)
{
$file='home';
}
include($file.".inc");
?>
<ul>
<li><a href="index.php?file=home">Home</a></li>
<li><a href="index.php?file=leftfield">Open Up</a></li>
<li><a href="index.php?file=pe">Flava</a></li>
<li><a href="index.php?file=jackdangers">RUOK</a></li>
</ul>
Since some files are coming in from a directory, and some are coming in from the root- is there a way to adjust the bolded code to appreciate that? I would like this practice to be secure as well, am I looking at mod rewrite?
Know what I mean? Thanks for any insights you might provide.
Madcat
<?
if(!$file)
{
$file='home';
}
include($file.".inc");
?>
You should check whether this file really exists. If not, you could redirect to an error site or to the start page. Sometimes users type other things than they should type. These are the kind of bugs that can be avoided easily.
Greetings NN
If you are using code like this
I'm actually trying to figure out the code to use. Seems all of the tutorials stop after explaining how to include your header/footer.inc files.
I want to switch content from separate directories in and out of a variable in the main html template - But in a secure way - I may not be looking in the right places, but haven't been doing this long at all, so...
Thanks-
M
I see a few options,
1 use mod_rewrite to cover the get string
2 use posted data instead
3 swap to numerical values to increase abstraction
4 In your included file hardcode the options in a switch case or something else so that erroneous values can't be used.
I want to switch content from separate directories in and out of a variable in the main html template - But in a secure way
To go the secure way you only have to check the input data. Especially if they can be manipulated by the users. There are two questions to ask:
1. What will happen if the input = "".
2. What will happen if the input is wrong.
The PHP functions is_file() and is_dir() handle the problem of whether a file exists or not.
Greetings NN
Nick is right - check to make sure the file exists, and if not, do something intelligent (include a "not found" message, redirect to homepage using header() or whatever is appropriate given the situation).
What security issue are you worried about specifically? If you use strip_tags() that helps. Of course they can change which file is included by editing GET params, but if they can get a script onto your server, they would probably just address it directly. So the security issues should be roughly the same.
The only thing to add is that any files with passwords should be outside your web root.
Tom
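One way to combine the suggestions in this thread (hardcoded options, a default for empty input, and an is_file() check) when pages live in several directories; this is an added example, not code from any poster. The page keys, the .inc paths and the content directory outside the web root are assumptions based on the menu in the question.

```php
<?php
// Added example: allowlist lookup for index.php?file=...
// Keys and paths are assumed from the menu in the question.

// Each public key maps to one fixed file; files may sit in different directories.
const PAGES = [
    'home'        => 'home.inc',
    'leftfield'   => 'leftfield/index.inc',
    'swords'      => 'leftfield/swords.inc',
    'pe'          => 'pe.inc',
    'jackdangers' => 'jackdangers.inc',
];

/**
 * Turn the user-supplied key into a path, or null if it is not allowed.
 * The user's value is only used as an array key, never as part of a path,
 * so "../", absolute paths and URLs cannot reach include.
 */
function resolve_page($key, string $baseDir, array $pages = PAGES): ?string
{
    if ($key === null || $key === '') {
        $key = 'home';                        // question 1: input is ""
    }
    if (!is_string($key) || !array_key_exists($key, $pages)) {
        return null;                          // question 2: input is wrong
    }                                         // (also covers ?file[]=x arrays)
    $path = $baseDir . '/' . $pages[$key];
    return is_file($path) ? $path : null;     // listed but missing on disk
}

// Assumed layout: content files kept one level above the web root, so the
// .inc files cannot be requested directly by URL.
$path = resolve_page($_GET['file'] ?? null, dirname(__DIR__) . '/content');

if ($path === null) {
    http_response_code(404);
    echo 'Page not found';
} else {
    include $path;
}
```

Adding a page means adding one line to PAGES; the links in the menu stay as index.php?file=key.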