OK, it's late, bear with me, but I'm a noob on the PHP front. OK, well, on most fronts, but I do get there with sheer will eventually. I'm in the process of remaking a site using PHP to control the navigation. I have a very limited understanding of what I am doing, so please feel free to use "idiot speak" in your answers. Don't go getting too fancy with me or I might look blank.

I have created a template and applied the following code to an index page, which then calls in each content section depending upon the item selected in the menu. These content pages sit in a folder called "inc" in the root directory:

1) home.php
2) about.php
3) contact.php
4) events.php
5) error.php

Below is the additional code I have used prior to the included content section. It's all working nicely. My understanding is this makes it less likely a hacker will have their way with stealing web space, as it checks for each page title prior to putting out content.

// 1. Define an array of allowed $_GET values:
$pass = array('home','about','contact','events');

// 2. If there is no $_GET['id'] defined, then serve the homepage.
//    (This test comes first: reading $_GET['id'] before checking it exists
//    raises an "undefined index" notice, and if that notice is displayed the
//    output would be sent before the 404 header below.)
if (!isset($_GET['id'])) {
    include ($_SERVER['DOCUMENT_ROOT'] . '/inc/home.php');
}
// 3. If the page is allowed, include it (strict comparison, so only an exact
//    string match against the list passes):
elseif (in_array($_GET['id'], $pass, true)) {
    include ($_SERVER['DOCUMENT_ROOT'] . '/inc/' . $_GET['id'] . '.php');
}
// 4. If the page is not allowed, send them to an error page:
else {
    // This sends the 404 header:
    header("HTTP/1.0 404 Not Found");
    // This includes the error page:
    include ($_SERVER['DOCUMENT_ROOT'] . '/inc/error.php');
}

Here are my questions:

1) In your opinion, does this insert make my site safe from hackers?
2) Do I have to define every single page on my site in line 1, "Define an array of allowed $_GET values"? Is there a better way to do this? My site is about 20 - 30 pages!
3) Is there anything else I should be doing to make my site more secure? At this time I am only using includes.
Thanks heaps for looking. PS: if you are learning too, I found this site most helpful: digital-web.com/articles/easypeasy_php_2/
Hackers can't hack stuff in this way. The best way to make a PHP site is to create a page for each of your content pages and then use includes to pull in your header, navigation and footer files.
I agree with mad4 about using a separate page for each content page, with the includes to pull in 'fluff', as opposed to a single 'fluff' page using includes to pull in the content. However, if you want to go down your path, I would suggest this: assuming all of your include files are in the /inc/ directory, you don't need to define all of the allowed pages. Strip $_GET['id'] of any periods, slashes and so on; you just want letters, numbers and maybe a few punctuation marks allowed. Once that's all been stripped, you don't need to worry about someone giving you a $_GET['id'] of something like '../../secretpasswordprinter', if you get my drift. Anyway, once you have that, use the file_exists function to see if the given ID exists as a file in the inc subdirectory. If it does, include it; otherwise show your error...
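Here is one way to write the front controller along the lines suggested above, as an added example that is not code from any of the posters. It keeps the poster's layout (content files in <document root>/inc/, error.php alongside them) and assumes the template fragments header.php, footer.php and nav.php also live in inc/, so those names are excluded from the ?id= lookup. It validates the id against a pattern and rejects anything else rather than stripping characters out, then uses realpath() as a second check that the resolved file really sits inside inc/ (realpath() also returns false for a missing file, so this covers the file_exists() step). http_response_code() needs PHP 5.4 or later; on older PHP use header("HTTP/1.0 404 Not Found") as in the original post.

```php
<?php
// index.php front controller (added example, not the poster's code).
// Assumption: content files live in <document root>/inc/; the constant ALLOW
// is something the include files may check to refuse direct requests.

define('ALLOW', 1);

$incDir = realpath($_SERVER['DOCUMENT_ROOT'] . '/inc');
if ($incDir === false) {
    http_response_code(500);
    exit('include directory is missing');
}

// Which content file was asked for? Only a short name of letters, digits,
// '-' and '_' is accepted. Rejecting bad input is safer than stripping it:
// stripping '.' and '/' from "..//about" still yields "about", so a malformed
// request is silently served instead of refused, and an id that arrives as an
// array (?id[]=about) is not a string at all. \z (not $) is used so that a
// trailing newline cannot slip past the pattern.
if (!isset($_GET['id'])) {
    $id = 'home';
} elseif (is_string($_GET['id']) && preg_match('/^[A-Za-z0-9_-]{1,32}\z/', $_GET['id'])) {
    $id = $_GET['id'];
} else {
    $id = null;
}

// Template fragments share inc/ but are not pages in their own right, so they
// are never selectable through ?id= (assumed names; adjust to your files).
$notPages = array('error', 'header', 'footer', 'nav');
if ($id !== null && in_array(strtolower($id), $notPages, true)) {
    $id = null;
}

$target = null;
if ($id !== null) {
    // realpath() resolves symlinks and any remaining '..' and returns false
    // when the file does not exist. The result must still sit inside $incDir.
    $real = realpath($incDir . '/' . $id . '.php');
    if ($real !== false && strpos($real, $incDir . DIRECTORY_SEPARATOR) === 0) {
        $target = $real;
    }
}

if ($target === null) {
    // Unknown or refused page: real 404 status plus the error page. The status
    // line has to go out before the template echoes any HTML, which is why this
    // decision is made at the top of index.php rather than in the middle.
    http_response_code(404);
    $target = $incDir . '/error.php';
}

require $target;
```

With this in place, ?id=about serves inc/about.php, while ?id=../../etc/passwd, ?id=about%00, ?id[]=about and ?id=header all fail one of the checks and get the 404 page, and adding a new page is just a matter of dropping newpage.php into inc/.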
Oh man... I just spent a week getting my head around setting it up this way. Hmmm, now would you both be saying this because of potential future issues with code getting a bit messy? Is it less complicated to keep them all separate, or is there another reason why you would use separate pages for each content page? Just out of interest, the way I've got it set up (one central page), how would this affect download times? I'm assuming that my header and footer stay and the content is the only thing called in each time. Or am I misunderstanding this, and my pages are loading header, footer and content on each page change? Also, of the two options (one central vs individual pages), is there a noticeable load rate difference?
The best way to build a site is to start off with a header, footer and menu that you can include in any page. Then you create a few different pages for the different sections of your site. It's still possible to pull the content into your pages from a database this way. Essentially you are trying to separate the page template from the actual workings of each page. Then you can do a full site redesign by just changing the header and footer.
Hi Mad4, thank you so much for answering; once again your pearls of wisdom have been very helpful. Thanks TwistMyArm for your suggestions. I'm quite the novice when it comes to PHP, so I'm not familiar with writing code yet, but I will retain this information for when I'm more fluent and will apply it. At the moment my one master page includes a header, footer, navigation and a middle content include (which changes with each new navigation selection). It's currently working. I was poised to move on to additional set-up items, but now you guys have identified that the central page idea is not ideal. I'm not sure how best to proceed. I understand that you lean towards the separate page method as being "best" (using the usual header and footer includes), but as I have this up and running (and gee, I hate throwing away things that seem to work), what would help me make a move would be knowing what, in your experience, are the disadvantages of using the one central page method? Does it get too complicated? I'm in limbo until someone enlightens me!
There's nothing worse than working for a week on something, then realising you've been working on the wrong thing... I could have had a lie down in the bath with a nice glass of red!
So can no one give me an indication as to the cons of the central page method? The only one I can see is the loss of meta tags for individual pages... I suppose that's a biggie.
I am having a nice glass of Cab Sauv at present. Good stuff too! I agree with Mad4 and twisty. Having an include folder in your directory to hide your includes is the only way to go. It will stop hackers from getting in to your pages. However, if they are good enough, they will find a way into your directory and mess around with it. Then again, only if it is worth their while to hack in. I've seen it before and I suppose will see it again. There are some who have taken even further measures, with some extra security placed on the includes folders. I have not seen this but have heard of it. Apparently it has to be sanctioned by your web host. Hope it all goes well for you. Col
Thanks wimpering warrior (hehe, cool handle). Excellent, I've polished off the bottle and have set to modifying my includes structure as suggested. Thanks so much for your input. I'm guessing that this site really probably doesn't have any hidden information worth hacking into, just a bunch of sports statistics and event information. However, partial knowledge is a dangerous thing! I don't know enough to know what the other issues are. Could anybody give me the heads up as to what other potential risks I'm looking at for not setting up additional security on my inc folder? Tomorrow I'm starting on the top shelf... who knows, perhaps this will help replenish my dusty design goggles. I've spent so long focusing on the back end workings that my graphics are starting to suffer! I'm starting to get super scroogey on the download times... "images"... why would you want "images", I hear myself saying.
It will be great if you use classes also; try to use classes for full OOP, so the system will be like this:

/includes/class => this is for your classes and includes *.inc.php
/images/
/tmp/
/public_html/ => this is for the client side; the client can only access this folder
/templates/ => this is for the interface area
For extra safety, create a .htaccess file in the inc/ directory with the following contents:

deny from all

If your host doesn't allow you to use distributed configuration via .htaccess, you can also consider a "direct access" check via a macro; in index.php you put something like:

define('ALLOW', 1);

and in each of the /inc/*.php files:

defined('ALLOW') or die("You're not allowed to access this file directly");
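As an added example (not code from the poster), here is what the top of one content file could look like with that guard in place, plus a second check that needs no constant at all. It assumes index.php does define('ALLOW', 1) before including the file, as suggested above. When Apache runs inc/about.php directly, $_SERVER['SCRIPT_FILENAME'] is that file; when index.php includes it, SCRIPT_FILENAME is index.php, so comparing it with __FILE__ tells the two cases apart even if someone later adds an entry point that forgets the define.

```php
<?php
// inc/about.php (added example, not from the original post).
// Assumption: the front controller defines ALLOW before including this file.

// Two independent checks, either of which refuses a direct request:
//  1. the ALLOW constant, which only the front controller defines;
//  2. SCRIPT_FILENAME === __FILE__, which is true only when this file itself
//     was the requested script (realpath() on SCRIPT_FILENAME resolves any
//     symlinks so the two paths compare like for like).
$requestedDirectly = !defined('ALLOW')
    || realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__;

if ($requestedDirectly) {
    // A bare 403 with no body gives away nothing about the file's purpose,
    // unlike a die() message that confirms the file exists and is protected.
    http_response_code(403);
    exit;
}
?>
<h2>About</h2>
<p>Page content goes here.</p>
```

Two caveats on the .htaccess side: deny from all is Apache 2.2 syntax, and on Apache 2.4 it only works if mod_access_compat is loaded (otherwise the server returns a 500 for everything under inc/); the 2.4 equivalent is Require all denied. And where the host lets you place files above the document root, moving inc/ out of public_html entirely (as the directory layout in the previous post does) removes the problem without any per-directory configuration, since the web server then cannot serve those files at all.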