Sounds like register_globals [us2.php.net] is on at your friend's site but not yours.

Try adding this ahead of your first if statement:
if(isset($_GET['p']))
$p = $_GET['p'];
else
$p = '';

As an aside, what you're doing has some security issues. It would be better to put the allowed file names in an array and check to make sure that the page being requested is ok:
$allowed = array('index.php','home.php','forum.php','about.php');
Then the first line I posted above turns into:
if(isset($_GET['p']) && in_array($_GET['p'],$allowed))

Thanks for that, it works great now.

I found this snippet here, would this suffice? If not, I will use your code;

This goes in the page's header:

<?
if(isset($_GET['p']))
$p = $_GET['p'];
else
$p = '';
if(!$p){$p='home';}

$remove = array(
"http", "www", ".com", ".net", ".org", ".tk", ".nl", ".br", ".ru", ".tv", ".mobi", ".co.uk", ".php", ".php3", ".php4", ".php5", ".txt", ".html", ":", "/", ".", ","
);
$p = str_replace($remove, "", $p);
?>

This goes in the table where I want the code to place the page it pulls in;

<? include $p.".php"; ?>

Is this correct, and safe? It seems to work, but I don't want any security holes..

-Michael

It's a fair generic approach, but since you're explicitly providing the content you can be more comprehensive. If you don't think your friend would want to mess with the php file to add pages as they're created, another approach would be to put all files which are allowed to be accessed that way in a specific directory. Then use your str_replace method to eliminate periods and slashes, and check for file existence in the single directory.

Please forgive me cameraman, but I'm still very new to PHP and don't understand how to do what you've described.

This is the code I have working for me right now;

In the header:

<?
if(isset($_GET['p']))
$p = $_GET['p'];
else
$p = '';
if(!$p){$p='home';}

$remove = array(
"http", "www", ".com", ".net", ".org", ".tk", ".nl", ".br", ".ru", ".tv", ".mobi", ".co.uk", ".php", ".php3", ".php4", ".php5", ".txt", ".html", ":", "/", ".", ","
);
$p = str_replace($remove, "", $p);
?>

In the table, where the .php file will be displayed once pulled into the index:

<? include $p.".php"; ?>

When I visit a page that doesn't exist (e.g: ?p=nonexistantpage) I get the following error:

Warning: main(nonexistantpage.php) [function.main]: failed to open stream: No such file or directory in /home/****/public_html/****/index.php on line 60

Warning: main(nonexistantpage.php) [function.main]: failed to open stream: No such file or directory in /home/****/public_html/****/index.php on line 60

Warning: main(nonexistantpage.php) [function.main]: failed to open stream: No such file or directory in /home/****/public_html/****/index.php on line 60

Warning: main() [function.include]: Failed opening 'nonexistantpage.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/****/public_html/****/index.php on line 60

I realize this is because the page doesn't exist, but I wanted it to echo back regular old text, such as:

This page doesn't exist!

However, visiting pages that do exist (e.g: ?p=home or ?p=forum) does pull in the correct page now, and without errors, even with register_globals disabled.

A few more questions:

1.) How can I do what you've described above (using str_replace to remove periods and slashes) using the code I already have that's working?

2.) How do I get the code to echo plain text (as described above) back when the visited page doesn't exist?

I just had my host enable register_globals for my account, but the original code I posted still doesn't work, so maybe something else is disabled that needs to be enabled?

-Michael

[edited by: Michael85 at 11:54 pm (utc) on Jan. 25, 2009]

Many hosts will not enable Register_Globals because there are security concerns in using it.

My host did enable it, but it didn't solve the issue.

-Michael

You have the include in an if in your first post, which is how you'd want to do it to avoid the warning.
$remove = array(
"http", "www", ".com", ".net", ".org", ".tk", ".nl", ".br", ".ru", ".tv", ".mobi", ".co.uk", ".php", ".php3", ".php4", ".php5", ".txt", ".html", ":", "/", ".", ","
);
if(isset($_GET['p']))
$p = $_GET['p'];
else
$p = 'home';
$p = str_replace($remove, "", $p);

if(file_exists("$p.php")){
include("$p.php"); } else { echo"Page doesn't exist!"; }

If you want the file included lower down ("In the table, where the .php file will be displayed"), then put those last two lines in that spot.

Your removal array doesn't contain .cz and .biz (and possibly others) - anytime a new tld is born, you would need to add it to your array. You would implement an array of allowed files this way:

$allowed = array('index','home','forum','about');
$remove = array(":","/",".",",");
if(isset($_GET['p']))
$p = $_GET['p'];
else
$p = 'home';
$p = str_replace($remove, "", $p);

if(file_exists("$p.php") && in_array("$p.php",$allowed)){
include("$p.php"); } else { echo"Page doesn't exist!"; }

If you wanted to allow any file an "allowed" directory:
$remove = array(":","/",".",",");
if(isset($_GET['p']))
$p = $_GET['p'];
else
$p = 'home';
$p = str_replace($remove, "", $p);

if(file_exists("allowed/$p.php")){
include("allowed/$p.php"); } else { echo"Page doesn't exist!"; }

You probably noticed that the removal arrays in the last two methods are considerably shorter. Although above I said "you would need to add it" with regard to new tld's, that's not really true in this case because you're checking for file existence. The important thing becomes insuring that they're staying on your server and in the directory you expect. Eliminating slashes, colons, and periods does that. I don't really think the comma is necessary but I left it in 'just cuz'.

Oh and have your host turn register_globals back off - you don't want it, and you don't want to get used to having it.

Thanks for the help, I really appreciate it!

I've contacted my host about disabling register_globals.

I tried implementing the codes you gave, but no matter what page I visit on my site it always echos back 'Page doesn't exist!'

I did this;

I removed the code (listed in a previous post.
I added this code to the header;

$allowed = array('index','home','forum','about');
$remove = array(":","/",".",",");
if(isset($_GET['p']))
$p = $_GET['p'];
else
$p = 'home';
$p = str_replace($remove, "", $p);

I then added this 'In the table, where the .php file will be displayed';

if(file_exists("$p.php") && in_array("$p.php",$allowed)){
include("$p.php"); } else { echo"Page doesn't exist!"; }

Then I tried to visit my site, and got this message on every page;

Page doesn't exist!

I followed the same procedure as above for the second code you listed, but it threw out the same message.

I would really like to use one of the codes you posted in the last reply for my own site (which is what I'm working on now).

Is there any obvious reason that it would display 'Page doesn't exist' on every page of the site?

-Michael

[edited by: Michael85 at 7:05 pm (utc) on Jan. 26, 2009]

Yep, I made a mistake - I'd started with the 'allowed' array I showed you a few posts ago, but then I'd stripped the extensions because of the remove array. This line:
if(file_exists("$p.php") && in_array("$p.php",$allowed)){

Remove the red part. See, it's checking to see (for example) if home.php is in the array, but it isn't - home with no extension is what's in the array.

I'm not seeing any glaring errors in the second method - are you understanding that for that to work, you need a subdirectory called "allowed" and the scripts that you want to include need to be in that subdirectory?

Works great now, thanks for the fix.

I see now where you told me I needed a sub-directory named 'allowed'. I missed it the first time around.

EDIT: I was going to stick with the first one, but I decided to go with the second one, and it works great.

Thanks for all of the help,

-Michael

[edited by: Michael85 at 4:37 am (utc) on Jan. 27, 2009]