<?php
$path = "includes";
$PageID = $_GET["pageid"];
$filename = "$path/${PageID}.inc";
include($filename);
?>
I always get this warning 'Warning: main(includes/.inc): failed to open stream: No such file or directory in /usr/export/www/hosting/dkicks/index.php on line 46' when I am at index.php with no ?pageid=x after it. I get that code because there is no include file set when you open plain old index.php.
How would I set a main include for when you first open the index.php page and changes when the URL becomes index.php?pageid=x?
thanks.
electricocean
It may be in the way you have your code calling for the filename. I know I recently had similar issues that seem to have been resolved by using the following:
<?php
$path = "includes";
$PageID = $_GET["pageid"];
$filename = $path."/".$PageID.".inc";
include($filename);
Might be worth a try.
Later!
IamStang
So now I am using this code:
<?php
$path = "includes";
$PageID = $_GET["pageid"];
if(isset($PageID))
{
$filename = "$path/${PageID}.inc";
include($filename);
}else
{
include($path/intro.inc);
}
?>
But that doesn't seem to work. Now I get these errors:
1) Warning: Division by zero in /usr/export/www/hosting/dkicks/index.php on line 52
2) Warning: main(inc): failed to open stream: No such file or directory in /usr/export/www/hosting/dkicks/index.php on line 52
3) Warning: main(): Failed opening 'inc' for inclusion (include_path='.:') in /usr/export/www/hosting/dkicks/index.php on line 52
Does #1 mean I can't have an include file in the else statement?
What would I do to make it work?
thanks,
electricocean
I hope you realise this is very dangerous in its current form......
We've all been there, but that's not very helpful. I think what he is trying to say is that your script is using information taken from the query string without validating it. You should put some sort of validation to ensure someone can't break your site by putting nasties in your query string.
If you just need it as a number, you could try typecasting it as a whole number (integer):
$PageID = (int)$_GET["pageid"];
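Or if it's just letters, you could use a Perl regular expression to test that only characters a-z and 0-9 have been used:
// [a-z] with the /i flag covers both cases; the range [A-z] would also admit [ \ ] ^ _ and `.
// \z anchors at the true end of the string, so a trailing newline is rejected too.
if (preg_match('/^[a-z0-9]+\z/i', $_GET["pageid"]))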
{
$PageID = $_GET["pageid"];
} else {
$PageID = null;
}
You could do some more reading, perhaps searching for XSS or path disclosure exploits, if you need to learn more.
yourdomain.com/index.php?page=1
The index.php page will take the $_GET['page'] variable and determine what page to display (maybe in a database, or flat file). What happens when you don't validate this data is that someone can enter anything into that ?page= part of your URL and have it processed by your script:
yourdomain.com/index.php?page='; INSERT INTO users (username, password) VALUES ('badguy','')
If that page was processed directly by a database without any validation a hacker could insert login details directly into the database and subvert your site (look up SQL injection).
It can also be used to call files directly (by using the $_GET var directly in an include() or require()) or any manner of things.
I think in your example, it is probably unlikely to be subject to attack, but it's always best to protect against it anyway.
A good rule of thumb is to validate ALL foreign data before using it in your scripts.
contains some pretty good info on several security related issues
Also, about the stuff that applies to this particular example, I suggest you read this:
[onlamp.com...]
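
An added example, not code from any poster in this thread: one way to turn the pageid parameter into a file under includes/ with a default page, a character allowlist, and a check that the resolved path stays inside that directory. The function name resolve_page(), the temporary directory and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example (not from the thread). resolve_page() and the sample
// directory layout below are hypothetical names constructed for the demo.

// Map an untrusted ?pageid= value to a file inside $dir, or to the default page.
function resolve_page(string $dir, $pageId, string $default = 'intro'): string
{
    $base = realpath($dir);
    if ($base === false) {
        throw new RuntimeException("include directory missing: $dir");
    }
    $fallback = $base . DIRECTORY_SEPARATOR . $default . '.inc';

    // Missing parameter, or ?pageid[]=x (an array): show the default page.
    if (!is_string($pageId) || $pageId === '') {
        return $fallback;
    }
    // Letters and digits only. \A and \z anchor the whole string, so a
    // trailing newline, "/", "." or NUL byte cannot slip through.
    if (!preg_match('/\A[a-z0-9]+\z/i', $pageId)) {
        return $fallback;
    }
    // Resolve the candidate and confirm it is a real file directly inside $base.
    $real = realpath($base . DIRECTORY_SEPARATOR . $pageId . '.inc');
    if ($real === false || dirname($real) !== $base || !is_file($real)) {
        return $fallback;
    }
    return $real;
}

// Constructed sample data: a throwaway includes/ directory with two pages.
$dir = sys_get_temp_dir() . '/includes_demo_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/intro.inc", "intro page\n");
file_put_contents("$dir/about.inc", "about page\n");

// Constructed inputs, as they would arrive in $_GET["pageid"].
$samples = [null, 'about', 'missing', '../../etc/passwd', "about\n", ['x'], 'http://example.com/x'];
foreach ($samples as $input) {
    $file = resolve_page($dir, $input);
    printf("%-28s -> %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), basename($file));
}

// In index.php the call would be:
//   include resolve_page(__DIR__ . '/includes', $_GET['pageid'] ?? null);
```

Only the 'about' input resolves to about.inc; every other sample falls back to intro.inc, including the request with no pageid at all.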