
Forum Moderators: coopster & jatar k


PHP Include to use urlid

     
4:06 pm on Jul 23, 2011 (gmt 0)

Full Member

10+ Year Member

joined:Apr 26, 2009
posts: 286
votes: 6


Hey guys,

here is my problem, how can I correct the following code:

<?php include("add.php?urlid=<?=$_GET['urlid']?>");?>

to use it instead of

<iframe src="add.php?urlid=<?=$_GET['urlid']?>" width="100%" height="900px" frameborder="0" scrolling="no" marginwidth="0" marginheight="0"></iframe>

Is this possible at all?

Any suggestions are much appreciated.

Thanks
4:12 pm on July 23, 2011 (gmt 0)

Full Member

10+ Year Member

joined:June 1, 2007
posts:201
votes: 0


<?php include("add.php?urlid=$_GET[urlid]");?>

Make sure you are sanitizing your GET request before dumping it back out to the browser.
4:43 pm on July 23, 2011 (gmt 0)

Full Member

10+ Year Member

joined:Apr 26, 2009
posts: 286
votes: 6


Thanks for this, but it does not seem to be working, maybe because something is wrong with the request of urlid.

How to sanitize the GET request?

Thanks again.
5:10 pm on July 23, 2011 (gmt 0)

Full Member

10+ Year Member

joined:Apr 26, 2009
posts: 286
votes: 6


Below is my add.php file content. I am not 100% sure whether I should include <?php include("add.php?urlid=$_GET[urlid]");?>

Can someone help me please?

<?php

# Local Variables
$host = '';
$db_name = '';
$db_user = '';
$db_pass = '';
$path_to_file_directory = 'file-download/';

# Database Connection
mysql_connect( $host, $db_user, $db_pass);
mysql_select_db( $db_name ) or die(mysql_error());

# Get Link Variable
# Later, you will filter out possible injections (hacks)
$file_code = filter_input( INPUT_GET, 'urlid' );

# Query for file info
$res = mysql_query("SELECT * FROM `Templates` WHERE `file_display_name`='".$file_code."'") or die ( mysql_error() );

# If query is empty, there is a bad code name
# This catches possible hacking attempt.
if( mysql_num_rows($res) == 0 )
{
    echo 'There will be no hacking on this website! ';
    exit();
}

# Save file info into an array called "$info"
$info = mysql_fetch_assoc($res);

# File path is below
$file_path = $path_to_file_directory.$info['file_add'];

# Now push the download through the browser
# There is more than 1 way to do this.
if (file_exists($file_path)) {
    echo '<iframe src="'.$file_path.'" width="100%" height="900px" frameborder="0" scrolling="no" marginwidth="0" marginheight="0"></iframe> ';
    exit;
}

?>
12:09 am on July 24, 2011 (gmt 0)

Senior Member

penders

joined:July 3, 2006
posts: 3153
votes: 7


You don't seem to be reading $_GET['urlid'] in the code you have posted? So passing the URL parameter would not seem to influence the code anyway?

You should also check that urlid is in fact passed to your original script, otherwise you will get a warning.
$urlid = isset($_GET['urlid']) ? $_GET['urlid'] : null;
1:54 am on July 24, 2011 (gmt 0)

Full Member

10+ Year Member

joined:Apr 26, 2009
posts: 286
votes: 6


When I use iframe everything works just fine, but I am not too happy with the source code, since if someone is clever enough then you can basically see all file locations, which in fact is not a good idea. So I thought that maybe it will be possible to do the same, but instead of passing on the file name and location I could just use include to generate the link to the file.

Thanks for your help
8:43 am on July 24, 2011 (gmt 0)

Senior Member

penders

joined:July 3, 2006
posts: 3153
votes: 7


It really depends on what you are trying to include. Using an iframe, the document is likely to be that... an entire document which behaves as an entirely separate document, with a head section, body, etc. Using a server-side include you are incorporating that other document/file into the current document/file. Would that work in your scenario?
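
A hardened form of the add.php lookup posted earlier in the thread, in which the script streams the file itself so the storage path never appears in the page source (an added example, not code from any poster in this thread). The PDO connection values and the allowed urlid character set are assumptions; the table, column and directory names are the ones in the posted file.

```php
<?php
// Added example, not code from the thread. DSN, credentials and the urlid
// format are assumptions; table/column names come from the posted add.php.
declare(strict_types=1);

const FILE_DIR = __DIR__ . '/file-download';   // directory named in the thread

function fail(int $status): void
{
    http_response_code($status);
    exit;   // same bare response for every failure, no SQL or path detail
}

// 1. Validate: require the parameter and hold it to an assumed allowlist.
$urlid = filter_input(INPUT_GET, 'urlid', FILTER_UNSAFE_RAW);
if (!is_string($urlid) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $urlid)) {
    fail(400);
}

// 2. Look up with a bound parameter so the value never becomes SQL text.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('SELECT `file_add` FROM `Templates` WHERE `file_display_name` = ?');
$stmt->execute([$urlid]);
$fileAdd = $stmt->fetchColumn();
if ($fileAdd === false) {
    fail(404);
}

// 3. Resolve the stored name and confirm it stays inside FILE_DIR.
$base = realpath(FILE_DIR);
$path = realpath(FILE_DIR . '/' . $fileAdd);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    fail(404);
}

// 4. Stream the bytes; the browser only ever sees this script's URL.
header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

With this in place the iframe can keep pointing at add.php?urlid=..., and the file-download/ directory can be closed to direct web access.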