PHP Include to use urlid


AlexB77

4:06 pm on Jul 23, 2011 (gmt 0)

10+ Year Member Top Contributors Of The Month



Hey guys,

here is my problem, how can I correct the following code:

<?php include("add.php?urlid=<?=$_GET['urlid']?>");?>

to use it instead of

<iframe src="add.php?urlid=<?=$_GET['urlid']?>" width="100%" height="900px" frameborder="0" scrolling="no" marginwidth="0" marginheight="0"></iframe>

Is this possible at all?

Any suggestions are much appreciated.

Thanks

bkeep

4:12 pm on Jul 23, 2011 (gmt 0)

10+ Year Member



<?php include("add.php?urlid=$_GET[urlid]");?>

make sure you are sanitizing your GET request before dumping back out to the browser

AlexB77

4:43 pm on Jul 23, 2011 (gmt 0)

10+ Year Member Top Contributors Of The Month



Thanks for this but it does not seem to be working, maybe because something is wrong with the request of urlid.

How to sanitize the GET request?

Thanks again.

AlexB77

5:10 pm on Jul 23, 2011 (gmt 0)

10+ Year Member Top Contributors Of The Month



Below is my add.php file content, I am not 100% sure whether I should include <?php include("add.php?urlid=$_GET[urlid]");?>

Can someone help me please?

<?

# Local Variables
$host = '';
$db_name = '';
$db_user = '';
$db_pass = '';
$path_to_file_directory = 'file-download/';

# Database Connection
mysql_connect( $host, $db_user, $db_pass);
mysql_select_db( $db_name ) or die(mysql_error());

# Get Link Variable
# Later, you will filter out possible injections (hacks)
$file_code = filter_input( INPUT_GET, 'urlid' );

# Query for file info
$res = mysql_query("SELECT * FROM `Templates` WHERE `file_display_name`='".$file_code."'") or die ( mysql_error() );

# If query is empty, there is a bad code name
# This catches possible hacking attempt.
if( mysql_num_rows($res) == 0 )
{
echo 'There will be no hacking on this website! ';
exit();
}

# Save file info into an array called "$info"
$info = mysql_fetch_assoc($res);

# File path is below
$file_path = $path_to_file_directory.$info['file_add'];

# Now push the download through the browser
# There is more than 1 way to do this.
if (file_exists($file_path)) {
echo '<iframe src="'.$file_path.'" width="100%" height="900px" frameborder="0" scrolling="no" marginwidth="0" marginheight="0"></iframe> ';
exit;
}

?>

penders

12:09 am on Jul 24, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You don't seem to be reading $_GET['urlid'] in the code you have posted? So passing the URL parameter would not seem to influence the code anyway?

You should also check that urlid is in fact passed to your original script, otherwise you will get a warning.
$urlid = isset($_GET['urlid']) ? $_GET['urlid'] : null;

AlexB77

1:54 am on Jul 24, 2011 (gmt 0)

10+ Year Member Top Contributors Of The Month



When I use iframe everything works just fine, but I am not too happy with the source code since if someone is clever enough then you can basically see all file locations which in fact is not a good idea. So I thought that maybe it will be possible to do the same but instead of passing on the file name and location I could just use include to generate the link to the file.

Thanks for your help

penders

8:43 am on Jul 24, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It really depends on what you are trying to include. Using an iframe, the document is likely to be that... an entire document which behaves as an entirely separate document, with a head section, body, etc. Using a server-side include you are incorporating that other document/file into the current document/file. Would that work in your scenario?
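
An added example, not code from any poster in this thread: a hardened form of the add.php lookup posted above, showing what "sanitizing the GET request" involves here (allow-list validation, a bound query parameter, and a check that the stored file name stays inside the download directory). It assumes urlid values are short alphanumeric tokens and that PDO with the SQLite driver is available as an in-memory stand-in for the MySQL server; `resolve_download()` is a hypothetical helper name, while the table and column names are the ones from the posted add.php.

```php
<?php
// Added example: hardened lookup for the add.php logic posted in this thread.
// Assumptions: urlid values are short [A-Za-z0-9_-] tokens; resolve_download()
// is a hypothetical helper name. Table and column names come from the thread.

function resolve_download(PDO $db, string $baseDir, $urlid): ?string
{
    // 1. Allow-list validation: reject anything that is not a plain token.
    if (!is_string($urlid) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $urlid)) {
        return null;
    }
    // 2. Prepared statement: the value is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT file_add FROM Templates WHERE file_display_name = ?');
    $stmt->execute([$urlid]);
    $file = $stmt->fetchColumn();
    // 3. Containment: the resolved path must stay inside the download directory.
    $base = realpath($baseDir);
    if ($file === false || $base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $file);
    $inside = $path !== false
        && strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return $inside ? $path : null;
}

// Constructed sample data: in-memory SQLite stands in for the MySQL database.
$dir = sys_get_temp_dir() . '/file-download-' . uniqid();
mkdir($dir);
file_put_contents("$dir/brochure.html", '<p>template</p>');
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Templates (file_display_name TEXT, file_add TEXT)');
$db->exec("INSERT INTO Templates VALUES ('brochure', 'brochure.html'), ('escape', '../outside.txt')");

// A valid token, an injection-shaped value, a row pointing outside the
// directory, and a missing parameter.
foreach (['brochure', "x' OR '1'='1", 'escape', null] as $urlid) {
    $path = resolve_download($db, $dir, $urlid);
    echo var_export($urlid, true), ' => ', $path === null ? 'rejected' : basename($path), "\n";
}
```

In add.php itself, a null result would be answered with a 404 and a valid path streamed with `readfile($path)`, so the storage location never appears in the page source. Note that `include` takes a filesystem path, so a query string such as `?urlid=...` appended to a local file name is not passed as a request parameter.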