That's it??? I mean I only have 1 file, that's index.htm, and I wanted to have files like index.php, header.php, footer.php as I have a sidebar, so I just wanted to put some includes
Yes - then you need a script for that ..... Something like this, right? http://demo.sundaybrewmedia.com But your colors and such
yea - you need a script ..... Or you need to create an index.php and then build includes or templates
```php
<?php
// check to see if someone is trying to php insert
$page = mysql_escape_string(htmlentities(addslashes($page)));
$page = str_replace("http:", "...", $page);
if(!file_exists($page.".php")){
    $page = "";
    $check = 1;
}
// include the top of the page
include('top.php');
// include the content
if($check == 1) {
    echo "Could not include the requested URL.";
} else {
    require_once($page.".php");
}
// include the bottom of the page
include('bottom.php');
```
there you are
Not really, mysql_escape_string could well break some people's scripts, it's only necessary to call it if you're interacting with mysql, and even then it's MUCH preferred to call mysql_real_escape_string as that takes notice of the charset in use and can take a database connection as a reference. This OP doesn't seem to be using sql and so calling it is totally unnecessary and it won't do any good at all, just because you call a lotta functions doesn't make your pages safe ...
```php
<?php
// page to show when no ?page= is given
if(!defined("UNSET_PHP")) define("UNSET_PHP", 'home.php');
// directory the included files are read from
if(!defined("ROOT_PHP") ) define("ROOT_PHP", '/home/yourusername/www/' );

// include a file relative to ROOT_PHP, or return false if it does not exist
function _include( $file )
{
    return !file_exists( ROOT_PHP . $file ) ? false : include( ROOT_PHP . $file );
}

include('top.php');

if( !_include( $_GET['page'] ? urldecode( $_GET['page'] . ".php" ) : UNSET_PHP ) )
    die( "The page you requested is disallowed" );

include('bottom.php');
?>
```
Ya - Listen to Joe man, he is one of the best coders on dp, I personally have used him on many products and scripts and this guy knows his shit...
...wow... that type of coding goes WAY above my level...heh... waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay above... *steals* lol
Actually, that code was given to us by a guy who hacked our site and then stayed around to help us close some holes. I'll be happy to replace his code any day. But, if I may ask, what does this do:
```php
if(!defined("ROOT_PHP") ) define("ROOT_PHP", '/home/yourusername/www/' );
```
Isn't it defaulted to that anyway?
It's so that this line:
```php
return !file_exists( ROOT_PHP . $file ) ? false : include( ROOT_PHP . $file );
```
only includes files that are in that directory. A file_exists clause alone won't do, there may be files on the system that do exist with a php extension that could have sensitive or private information in. If you're going to give your script the power to include content dictated by the url, you should lock that data down to one directory, and that's how I chose to do it. For instance on servers with no base_dir restrictions, which most don't have, from your code I could include any php files that exist on the server, so if I had an account on that server and far more spare time than I do have, I might turn my attention to writing some xss php to steal the source code of your site by including files in my doc root.
While using the get variables seems like a real good idea, easy to get content in, you should be careful when using it, if you can write some sort of cloak so that the word in the url has nothing in common with the word on disk, and as I said lock down the files you have permission to include to one directory. It may even be a good idea to change it to
```php
<?php
// page to show when no ?page= is given
if(!defined("UNSET_PHP")) define("UNSET_PHP", 'home.php');
// the only directory files may be included from
if(!defined("ROOT_PHP") ) define("ROOT_PHP", '/home/yourusername/www/' );

// basename() strips any directory part, so only files directly in ROOT_PHP match
function _include( $file )
{
    return !file_exists( ROOT_PHP . basename( $file ) ) ? false : include( ROOT_PHP . basename( $file ) );
}

include('top.php');

if( !_include( $_GET['page'] ? urldecode( $_GET['page'] . ".php" ) : UNSET_PHP ) )
    die( "The page you requested is disallowed" );

include('bottom.php');
?>
```
that's better ..... basename() should also be used to avoid ppl using paths like ../../path/to/file.php to get around the ROOT_PHP thing, wasn't really awake when I wrote that this morning .....
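An added example, not code from any poster in this thread: one way to combine the two suggestions in the post above, the URL-to-file "cloak" and the single-directory lock. The `pages/` directory, the page names, and the `PAGE_DIR`, `PAGE_MAP` and `resolve_page()` names are assumptions made for illustration.

```php
<?php
// Added example (PHP 7.1+); PAGE_DIR, PAGE_MAP and resolve_page() are
// hypothetical names, and the pages/ layout is an assumption.
define('PAGE_DIR', __DIR__ . '/pages');

// The "cloak": each URL word maps to a file name chosen here, so no part
// of the request is ever concatenated into a filesystem path.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about_us.php',
    'contact' => 'contact_form.php',
];

/**
 * Return the absolute path for a requested slug, or null when the slug is
 * unknown or the mapped file is not directly inside PAGE_DIR.
 */
function resolve_page($slug): ?string
{
    // Rejects arrays (?page[]=x), traversal strings and unknown names alike.
    if (!is_string($slug) || !array_key_exists($slug, PAGE_MAP)) {
        return null;
    }
    // realpath() resolves ".." and symlinks and returns false if missing.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGE_MAP[$slug]);
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

$file = resolve_page($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(404); // set before top.php sends any output
}

include __DIR__ . '/top.php';
if ($file === null) {
    echo 'The page you requested is disallowed';
} else {
    require $file;
}
include __DIR__ . '/bottom.php';
```

Because the request value is only ever used as an array key, a value such as `../../path/to/file` fails the lookup before any path is built, and the `realpath()` comparison still holds if a mapped file is later replaced by a symlink pointing outside `pages/`.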
I've been trying to execute some PHP scripts in an HTML file and I've tried using the following htaccess codes to no avail;
```
AddHandler application/x-httpd-php .htm
AddType application/x-httpd-php .html .htm
AddType text/html .php
AddHandler php-script .php .html .htm
AddType application/x-httpd-php .html
AddType application/x-httpd-php .htm
```
Is there any other htaccess code I could try???
You're not trying to include xml content are you ??
```
AddType application/x-httpd-php .html
```
alone should work, some builds of apache and/or php are built to ignore instructions from htaccess. A good way to test is to write total nonsense in an htaccess file, your server should give you an Internal Server Error page if it parses the htaccess, if that does nothing then your server doesn't pay attention to htaccess files. If you are trying to include some xml content you'll have to think it out again, xml encoding should also start with <? pretty stupid really ...... Also, another thing, are you running in cgi mode or an apache dso ? Look in a phpinfo() file near the top, "Server API", if that says cgi then that will cause problems also, post a link to phpinfo() if that is the case so I can have a look see
Nope - it's all PHP scripts within an HTML file. I'll try it again. Just to confirm, I should place the .htaccess file in the base directory, i.e. public_html/ or www/? EDIT: I feel pretty stupid now. I just checked and one of the links on the test server had pointed me to the live server so I kept refreshing the live server's URL. It's all working fine on the test server.... except for the PHP errors which I'm glad to see.