[PHP] Includes.

Lilian · 19-06-2007, 05:22 PM

Hey,

I have just done a website with php includes so far so good but 1 problem.

PHP Code:


?page=comments?id=$b[id]

That link wont work. I know its the ?id=$b[id] but how could I go about fixing it?

Thanks

Ini · 19-06-2007, 05:26 PM

Originally Posted by !Lily

Hey,

I have just done a website with php includes so far so good but 1 problem.

PHP Code:


?page=comments?id=$b[id]

That link wont work. I know its the ?id=$b[id] but how could I go about fixing it?

Thanks

change

PHP Code:


?page=comments?id=$b[id]

to

PHP Code:


?page=comments&id=$b[id]

Lilian · 19-06-2007, 05:28 PM

Thanks +Rep

Ini · 19-06-2007, 05:35 PM

No problem im here to help.

Well sort of... ;l

~~Blob~~ · 19-06-2007, 06:23 PM

And you can just keep adding aswell

?view=hello&me=is&not=gay&so=lets&go=to&bed=please

Invent · 19-06-2007, 06:59 PM

Make sure the includes script has protection, this is a good example of a secure including script:

PHP Code:


<?php

if( isset ( $_GET[ "page" ] ) && !empty( $_GET[ "page" ] )) {
    
    $page = $_GET[ "page" ];
    $page = str_replace( ".", "", $page);
    $page = urlencode( $page );
    $page = htmlentities( $page );
    $page = "". $page .".php";

    if( file_exists( $page ) ) {
    
        include( "$page" );
    
    }
    else {
    
        include( "404.php" );
    
    }
}

?>

Lilian · 19-06-2007, 07:01 PM

Originally Posted by Invent

Make sure the includes script has protection, this is a good example of a secure including script:

PHP Code:


<?php

if( isset ( $_GET[ "page" ] ) && !empty( $_GET[ "page" ] )) {
    
    $page = $_GET[ "page" ];
    $page = str_replace( ".", "", $page);
    $page = urlencode( $page );
    $page = htmlentities( $page );
    $page = "". $page .".php";

    if( file_exists( $page ) ) {
    
        include( "$page" );
    
    }
    else {
    
        include( "404.php" );
    
    }
}

?>

Yer thanks ive already got that

Invent · 19-06-2007, 07:03 PM

:p I got bored, so I decided to make it lol.

Mentor · 19-06-2007, 07:07 PM

Originally Posted by Invent

Make sure the includes script has protection, this is a good example of a secure including script:

PHP Code:


<?php

if( isset ( $_GET[ "page" ] ) && !empty( $_GET[ "page" ] )) {
    
    $page = $_GET[ "page" ];
    $page = str_replace( ".", "", $page);
    $page = urlencode( $page );
    $page = htmlentities( $page );
    $page = "". $page .".php";

    if( file_exists( $page ) ) {
    
        include( "$page" );
    
    }
    else {
    
        include( "404.php" );
    
    }
}

?>

A good alternative i find is just to keep the files in a dir and hardcode it to the script which prevents any misuse

PHP Code:


$page = $_GET[ "page" ];
$location = "pagesfolder/".$page.".php"; 
    if( file_exists($location) ) {
        include($location);
    }else {
         include( "defultpage.php" );
    }

put what u like in the url, pagesfolder/http://haxzorsite.hax/l33t.php.php aint gona be found.

ps. -removed- i was wrong, im to use to js escapting

Invent · 19-06-2007, 07:09 PM

Yes, but I thought incase for some odd reason they may want to protect files from another folder being accessed.

Because with your script the user could do ?page=../../page.php

Not sure why you need to block it but yeah

Thread: [PHP] Includes.

Thread Tools

[PHP] Includes.

Posting Permissions