"Container" DIV with an infinite loop.

Infinite looping without error code

         

danpink

11:31 am on May 8, 2011 (gmt 0)

10+ Year Member



I have the following code inside a "content" div on my index page. If I click any of the links in my navigation bar, the relevant pages load into the "content" div. It works exactly as I need it to!


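// Includes whatever path the "page" query parameter supplies
if (isset($_GET['page']))
{
    include($_GET['page']);
}
else
{
    // No page requested: show the home page
    include("./home.php");
}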


However, if I change the URL manually to say: mywwebsite/index.php??page=index.php, the index page loads itself into the "content" div and I get a hall of mirrors effect in the div. I realise this cannot be good!

I know this is a basic error on my part but just cannot see it, any help would be great!

danpink

11:35 am on May 8, 2011 (gmt 0)

10+ Year Member



Sorry, I already started with a syntax error in that post.
There should only be one question mark in the manual URL example!

astupidname

12:34 pm on May 8, 2011 (gmt 0)

10+ Year Member



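// Avoid an undefined index notice when no page is requested
$page = isset($_GET['page']) ? $_GET['page'] : '';
// Skip index.php, require a .php extension and an existing file
if ($page && !preg_match('/index\.php/i', $page) && preg_match('/\.php$/i', $page) && file_exists($page)) {
    include($page);
}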

danpink

12:51 pm on May 8, 2011 (gmt 0)

10+ Year Member



PERFECT!
That's exactly what I needed!

Thanks a lot for your speedy fix astupidname :D

eelixduppy

1:23 pm on May 8, 2011 (gmt 0)



You may want to do further checking on the file name because scripts like this can open up huge security holes in your website. This pretty much lets me include any php file on your server.

danpink

4:58 pm on May 8, 2011 (gmt 0)

10+ Year Member



Thanks for pointing that out, I see what you mean!

Fortunately, the only other php files I have, other than index.php are going to be included anyway but...

It's likely I will use other php files in the future that I won't want included in the 'content' DIV, could you recommend a secure way of ONLY allowing the files in my nav to be included?

rocknbil

4:57 pm on May 9, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's bigger than that. This would probably fail if the server is set up right, but an example of the damage that could be done . . .


mywwebsite/index.php?page=/etc/passwd

<oops> :-)

danpink

6:53 pm on May 9, 2011 (gmt 0)

10+ Year Member



It looks like my server is set up correctly as it seems it will not show anything other than a .php file this way or anything out of /public_html or /www.

Thanks for your comments!







jspeed

9:10 pm on May 9, 2011 (gmt 0)

10+ Year Member



If you are going with that structure for your site, and going back to your original error, with the "loop" effect, you could load the pages into an array that you want to be able to include:

// Default to the home page when no page is requested
if (!isset($_GET['page'])) {
    $page = 'home';
} else {
    $page = $_GET['page'];
}

// Names of the pages that may be included (without the .php extension)
$acceptable_page = array(
    'home',
    'services',
    'clients',
    'employment'
);

// make sure the page is in the acceptable pages array
if (!in_array($page, $acceptable_page))
{
    echo "File Not Found";
}
else
{
    include("$page.php");
}

danpink

9:59 pm on May 9, 2011 (gmt 0)

10+ Year Member



jspeed, you must have read my mind! I've just been reading up on arrays but couldn't quite understand how to only include what was in the array!

Your code worked great! I'm very grateful for your help!
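
Added example, not part of any post in this thread: the pattern check and the allowlist approach discussed above, run side by side on constructed `page` values. The page keys and file paths are hypothetical, and `file_exists()` is left out of the pattern check so the script runs without any files on disk.

```php
<?php
// Added example; page keys, paths and sample inputs below are constructed.

// The pattern check posted earlier in the thread, minus file_exists()
// (an assumption so this runs offline): any name ending in .php that
// does not contain "index.php" passes.
function passes_pattern_check($page)
{
    return is_string($page)
        && !preg_match('/index\.php/i', $page)
        && preg_match('/\.php$/i', $page) === 1;
}

// Allowlist lookup: the request value is only ever used as an array key.
// The path handed to include() comes from the server-side map, never
// from the request. Returns null when the key is not a known page.
function resolve_page($requested, array $pages, $default = 'home')
{
    if ($requested === null) {
        return $pages[$default];          // no ?page= in the URL
    }
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        return null;                      // unknown key, or ?page[]=... (array)
    }
    return $pages[$requested];
}

$pages = [
    'home'     => __DIR__ . '/pages/home.php',
    'services' => __DIR__ . '/pages/services.php',
    'clients'  => __DIR__ . '/pages/clients.php',
];

// Constructed values standing in for $_GET['page'].
$samples = [null, 'services', 'services.php', 'index.php',
            'includes/db_config.php', '/etc/passwd', ['home']];

foreach ($samples as $value) {
    $file = resolve_page($value, $pages);
    printf("%-28s pattern:%-4s allowlist:%s\n",
        json_encode($value, JSON_UNESCAPED_SLASHES),
        passes_pattern_check($value) ? 'pass' : 'fail',
        $file === null ? 'rejected' : basename($file));
}

// In index.php the result would be used like this:
//   $file = resolve_page(isset($_GET['page']) ? $_GET['page'] : null, $pages);
//   if ($file === null) { http_response_code(404); echo 'File Not Found'; }
//   else { include $file; }
```

Of the constructed inputs, `includes/db_config.php` passes the pattern check although it is not a navigation page, while the allowlist rejects it because it is not a key in `$pages`.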