<?php if($_GET[page] == "") { include("main.php"); } else{ include($_GET['page'].".php"); } ?> Code (markup): I have been told many times(by Godaddy once) that this include script is unsafe. Is it?
If you really have to do that, I would explicitly define the possible values. Like: if ($_GET['page'] == "members") { include ("membership.php"); } where the name of the page you're including isn't the actual name of the variable being passed. This will limit the possibilities that can be used. I can't think of any reason why you would absolutely need to do that though. What you're doing could potentially be a problem, because anyone could use a query string in the URL to view or pass information to ANY page on your site (including pages you might not want them to be sending information to), and could really do some damage if they just randomly start blasting your site with an automated script.
So confused =\ Im trying to get it so the content part changes and not the side bars and such. This is the only way to do it that I know of.
I would create a template file for the header, side bars, and footer and use them on each page, but create each page individually. that way, say you had 3 files: index.php contact.php aboutus.php all of those files would include header.php, sidebar.php and footer.php, but you don't have to pass any information about what the site is doing in the URL. To update your header, menu bar, or footer, you just have to edit the files once for the changes to happen across your whole site.
Or you can use it like this: <?php if($_GET['page'] == "") { include("main.php"); } else{ include(basename($_GET['page'].".php")); } ?> PHP: basename will strip every directory in the URL. Only problem with this method is that you cannot use values like "members/statistics" as a parameter anymore, because "members" would be stripped out as well.
if I were you, I would do this. <?php $page = strtolower($_GET['page']); if($page == "") { include("main.php"); } else{ include($page.".php"); } ?> PHP: The only thing you will need to do is. In your URL enter the file name in upper case. For example http://www.yea-baby.com/index.php?page=ABOUTus This way a possible hacker might think the file name is ABOUTus.php, but in reality it is aboutus.php .
But thing is, if you enter a URL such as http://www.yea-baby.com/index.php?page=../../some_private_file , you are able to reach a file which would normally be protected from being displayed. The strtolower-method will not work against that
even with basename they could still access any file in the same directory. I think this is a bad idea, I would avoid doing this altogether... Or track IPs & file access in a db so you know exactly who's accessing what files!!
Ahh yeah, I suppose there are ways to make it secure-ish. But it seems like an awful lot of work compared to just making a template file for the menu bar, header and footer and including them in all your pages.
file_exists and basename are the way to go. Anything else is just plain insecure. <?php $pagedir="/home/site/www/pages/"; $page=basename($_GET['page'],".htm"); // Just to be extra super paranoid: if (!eregi("^[a-z0-9\-]+$",$page)) { echo "Invalid character detected"; exit; }; $page=$page.".htm"; if (file_exists($pagedir.$page)) { include $pagedir.$page } else { include "main.php"; } ?> PHP: Depending on what you're doing this will give you a great way to load/maintain pages as only the content part will change. All the other bits can be kept in this one php file.
James_r, Lets assume the file above is called loader.php If we put all other template related items into loader.php you then have one place to manage and maintain the look of your entire site. Want to add a new menu item? Edit loader.php Want to restructure the look of the whole site? Edit loader.php While your way is good it means editing multiple PHP files for the same effect. At least in the case of change 2. If anyone can find a flaw in the above code I'd be interested to see it.
I have a question, why not create static shtml/php pages and use an include for the header and footer code?
This would be the solution james_r suggested! But if you want to restructure the whole layout of the site lateron (like including another script at every call) it is harder to manage, because you would have to change every single page. In this solution (a central "loader" page, which includes other pages depending on how it is called) only one page needs to be changed, which makes it a little easier to handle
Most people would do: <?php include "header.php"; ?> PHP: ... html content ... <?php include "footer.php"; ?> PHP: There's nothing horribly wrong with this idea. I'm just suggesting a different way of thinking. Instead create a loader.php file with all the relevant bits you want: <?php include "header.php"; include "navbar.php"; // include page loader code from above incldue "footer.php"; ?> PHP: All the pages in your site would then be referenced as: http://www.site.com/loader.php?page=contact For example. You would then have a file called conact.htm with just the appropriate contact us information. Since most sites follow a template structure this works quite well. Lets say for some strange reason you want to remove the navbar from all your pages. With your code you'd have to edit several PHP files and delete the include line. (Yes I know you could just empty out navbar.php). With the above code you would just delete the line from one file.
Oops, didn't read all the replies... For me, this is my favorite option: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" /> <title>Unique page title - site title</title> <meta name="description" content="unique description for each page" /> <!--#include file="my_header.asp"--> <h1>content</h1> blah blah, main content <br /><br /> <!--#include file="my_footer.asp"--> HTML: this way, each page has it's unique title, descriptions, keywords... if you want to edit the layout, just change the header and footer files... I'm not sure, but from what I heard, google likes static pages better then ? pages better too...
Try this tutorial I wrote: namepros.com/webmaster-tutorials/293008-php-tutorial-index-php-page-yourpage.html
Well, I went out of my way to write a script to show you why it's insecure, but I didn't think it through very well and ended up just writing a cURL based brute-force username/password cracker that would work on your solution or mine if the site had a login form. It's a pretty simple script that doesn't account for captchas or time-delayed IP banning for multiple login attempts (but that's easy enough to add in). I won't post it here... it's not exactly what I was going for. So in the end, I think it's reasonable to say that your solution is as secure as any other, but I have to agree with tarponkeith that's it's good form to use a template based approach (shtml or PHP) that allows you to use different title/keywords/meta tags on each page. But that could easily be added into your solution. Good stuff!