Script help

**Goldfinger** · Sat 17 Aug '02, 10:27pm

um.. this is what i came up with.. and in a lot fewer lines of code too.

PHP Code:


<?php



//your extension

$ext = ".php";



switch ($page) {

//Content Pages

case $page:

$page = $page . $ext;

if (file_exists("$page")) {

include("$page");

} else {

include("default.php"); }

break; }

?>

just put the files with the extension you specify in the same directory as this script and it should run fine

**megahard** · Sun 18 Aug '02, 1:41am

that method isnt very secure

**Surrix** · Sun 18 Aug '02, 1:59pm

Ok well I need some more help because the way I'm doing it is not working.

PHP Code:


<?php 



switch($nav) 

{ 

case "about":

include ('about.txt');

break;



case "forums":

include ('forums.txt');

break;



case "contact":

include ('contact.html');

break;



case "staff":

include ('staff.txt');

break;



case "links":

include ('links.txt');

break;



case "downloads": 

include ('downloads.txt'); 

break; 



case "projects":

include ('projects.txt');

break;



default: 

include ('news.txt'); 

} 



?>

there is the script and it is currently running on www.surrix.net at this very moment but I have not included all the .txt files just yet but anyways when I click on the contact and forums link and you can test this out yourself on the site it gives me the default news.txt instead of the contact.html page I want it to give me anyone have solutions. Btw the reason default is news.txt is because I'm using a cgi news script that posts the news in news.txt so that is how I have the news included in my main page.

**mr e** · Sun 18 Aug '02, 5:20pm

ur links are wrong, it's not index.php?page=____, it should be index.php?nav=____

**Dan615** · Sun 18 Aug '02, 7:47pm

PHP Code:


<?



$page = (isset($_GET['page']) ? $_GET['page'] : '');



if ($page == '') {

    die('The link was screwed up...');

}





$filename = $page . ".txt";

if (!file_exists($filename)) {

    die("File doesn't exist: $filename");

}



include($filename);



?>

It's shorter, it's safer

**Goldfinger** · Mon 19 Aug '02, 3:51pm

Originally posted by megahard
that method isnt very secure

how is it NOT secure?

**MUG** · Mon 19 Aug '02, 5:11pm

script.php?page=../../some_other_thing_that_you_shouldnt_have_access_to

**Dan615** · Mon 19 Aug '02, 6:46pm

My method's the best!

**Goldfinger** · Mon 19 Aug '02, 7:57pm

Originally posted by Dan615

PHP Code:

<? $page = (isset($_GET['page']) ? $_GET['page'] : ''); $filename = $page . ".txt"; if (!file_exists($filename) && $page != ''") { include("index.html"); } include($filename); ?>

wouldnt that be a better solution.

**megahard** · Tue 20 Aug '02, 7:59am

Originally posted by Goldfinger

wouldnt that be a better solution.

no, u shud verify EVERYTHING that a user gives you, and the best way to verify it is with either 1) an array or 2) a switch

an array will let u use shorter aliases and will be secure.

**megahard** · Tue 20 Aug '02, 8:01am

Originally posted by Dan615
My method's the best!

ur method is identical to the other one except u let it work on register_globals off.

Your method would only work on newer version of PHP also.

It isnt secure either as it doesnt validate what the user is sending

**Dan615** · Tue 20 Aug '02, 9:07am

PHP Code:


<?



$page = (isset($_GET['page']) ? $_GET['page'] : '');



if ($page == '') {

    die('The link was screwed up...');

}



$page = str_replace('/', '', $page); // if they tried to throw in some directory names, take em out...



$filename = "./includes/" . $page . ".txt";

if (!file_exists($filename)) {

    die("File doesn't exist: $filename");

}



include($filename);



?>

There, that only lets them include txt files in the includes directory...

**Surrix** · Fri 23 Aug '02, 3:09pm

Well my way I have already typed and it works just fine and it looks good instead of the crazy mixed up crap.

**Scott MacVicar** · Fri 23 Aug '02, 3:47pm

Try some nice simple code

PHP Code:


if (empty($_REQUEST['page']) or strstr($_REQUEST['page'], '..') or !file_exists('./' . $_REQUEST['page'] . '.txt')) {

    include('./news.txt');

} else {

    include('./' . $_REQUEST['page'] . '.txt');

}

or for all you people wanting to make it as small as possible here it is on one line

PHP Code:


((empty($_REQUEST['page']) or strstr($_REQUEST['page'], '..') or !file_exists('./' . $_REQUEST['page'] . '.txt')) ? include('./news.txt') : include('./' . $_REQUEST['page'] . '.txt') )

so its just index.php?page=blah

Script help

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment