[PHP] Includes.
Lilian
19-06-2007, 05:22 PM
Hey,
I have just done a website with PHP includes, so far so good, but 1 problem.
?page=comments?id=$b[id]
That link won't work. I know it's the ?id=$b[id], but how could I go about fixing it?
Thanks
change
?page=comments?id=$b[id]
to
?page=comments&id=$b[id]
Lilian
19-06-2007, 05:28 PM
Thanks +Rep
No problem, I'm here to help.
Well sort of... ;l
And you can just keep adding as well
?view=hello&me=is&not=gay&so=lets&go=to&bed=please
Invent
19-06-2007, 06:59 PM
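Make sure the includes script has protection. This is a good example of a secure including script:
<?php
if( isset ( $_GET[ "page" ] ) && !empty( $_GET[ "page" ] )) {
    $page = $_GET[ "page" ];
    // Remove every "." so "../" and file extensions cannot be supplied
    $page = str_replace( ".", "", $page);
    // Percent-encode everything else that is not alphanumeric, "/" included
    $page = urlencode( $page );
    $page = htmlentities( $page );
    // Only .php files in the script's own directory are candidates
    $page = "". $page .".php";
    if( file_exists( $page ) ) {
        include( "$page" );
    }
    else {
        include( "404.php" );
    }
}
?>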
Lilian
19-06-2007, 07:01 PM
Yer thanks, I've already got that :)
Invent
19-06-2007, 07:03 PM
:p I got bored, so I decided to make it lol.
Mentor
19-06-2007, 07:07 PM
A good alternative I find is just to keep the files in a dir and hardcode it to the script, which prevents any misuse
// The request value is appended to the hard-coded directory as-is
$page = $_GET[ "page" ];
$location = "pagesfolder/".$page.".php";
if( file_exists($location) ) {
    include($location);
}else {
    include( "defultpage.php" );
}
Put what u like in the URL, pagesfolder/http://haxzorsite.hax/l33t.php.php ain't gonna be found.
PS. -removed- I was wrong, I'm too used to JS escaping
Invent
19-06-2007, 07:09 PM
Yes, but I thought in case for some odd reason they may want to protect files from another folder being accessed.
Because with your script the user could do ?page=../../page.php
Not sure why you need to block it but yeah :)
Mentor
19-06-2007, 07:22 PM
What you're suggesting wouldn't work since the dir is hard coded. ?page=../../page would be opening pagesfolder/../../page.php, and to my knowledge the ../../ doesn't work unless it's at the beginning of the directory name?
Although it does allow you to open a subdirectory within your pages directory should you want to.
Invent
19-06-2007, 07:27 PM
pagesfolder/../../page.php would open the file page.php 2 folders below pagesfolder I'm pretty sure.
Erm.. Isn't this going a bit off topic lol.
Mentor
19-06-2007, 07:38 PM
Just created a test script in my testing server. I wasn't able to get it to open a page outside the dir by adding in ../../ "/
* Scratch that, yes I was. Dang. Could make it work by creating a custom page extension though, which wouldn't be used outside the dir :D (or just filtering ../../)
Invent
19-06-2007, 08:00 PM
just filter "." it's not needed whatsoever :)
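The point the thread ends on, that a hard-coded pagesfolder/ prefix by itself still lets ?page=../../page leave the directory, as an added example that is not part of any post above. The names resolve_page() and naive_path() and the temporary files are hypothetical, constructed for the demonstration; it assumes PHP 7.1 or later run from the command line.

```php
<?php
// Added example: resolve_page(), naive_path() and the sample files are hypothetical.

// Prefix-only lookup as in Mentor's snippet, kept to show what it resolves to.
function naive_path(string $base, string $page): string {
    return $base . "/" . $page . ".php";
}

// Hardened lookup: strict name pattern, then confirm the file is still inside $base.
function resolve_page(string $base, string $page): ?string {
    // Letters, digits, "_" and "-" only, so ".", "/", "\", ":" and NUL never get through.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $root = realpath($base);
    $file = realpath($base . "/" . $page . ".php"); // false when the file does not exist
    if ($root === false || $file === false) {
        return null;
    }
    // Containment check: also catches a symlink that points out of the pages directory.
    if (strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed layout: <tmp>/pagesfolder/home.php plus <tmp>/config.php outside it.
$site = sys_get_temp_dir() . "/include_demo_" . getmypid();
mkdir($site . "/pagesfolder", 0700, true);
file_put_contents($site . "/pagesfolder/home.php", "<?php echo 'home';\n");
file_put_contents($site . "/config.php", "<?php // stand-in for a file outside pagesfolder\n");

$base = $site . "/pagesfolder";
foreach (["home", "../config", "http://example.invalid/x", "missing"] as $page) {
    $naive = naive_path($base, $page);
    printf("%-26s prefix-only finds a file: %-3s  hardened: %s\n",
        $page,
        file_exists($naive) ? "yes" : "no",
        resolve_page($base, $page) ?? "rejected, serve 404.php");
}

// Remove the constructed files again.
unlink($site . "/pagesfolder/home.php");
unlink($site . "/config.php");
rmdir($site . "/pagesfolder");
rmdir($site);
```

A null result is where the include script falls back to its 404.php or default page; only a non-null path is ever passed to include().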