#1
Newbie
Beginner Q: Need help linking...
I'm trying to make it so that when I click, say, the "contact" page, the URL stays as mysite.com/index.php. I was wondering if someone could tell me how to make the complete link to do that. My friend told me to do
[php]<?php
$thefile = "$page.php";
include($thefile);
?>[/php]
But I couldn't get it to work, maybe I'm retarded? Thanks for the help!
#2
Hobbyist Programmer
You use $_GET, and that code your friend gave you sucks.
First off, if you ever tell people to tell you to do it this way:
[php]<?php
// Insecure: includes whatever path the request supplies
include($_GET['page']);
// Or alternatively
$page = $_GET['page'];
include($page);
?>[/php]
Please, for me, tell them to shut the fuck up. Because that is probably the WORST thing you can ever do; your website would be vulnerable as hell if you did that. I assume your friend meant for you to do that. I have to go now, but just know not to do that. I'll return later with an explanation as to why that's bad and how to fix it so you won't get the hell hacked out of your site.
#3
Newbie
haha thanks man, I'm curious as to why that would make it unsecure; and I'm also curious as to if he knew it would be... hmm haha, what a jerk :mad:
but if I use include($_GET['page'].'.php'); where in the code do I put the text that I'm linking? (who knew that adding a simple link would cause me the most trouble)
Last edited by majesticreality; Mar 5th, 2005 at 3:54 PM.
#4
Programming Guru
If you have that code on any of your pages I can take control of your server and make your server go fetch me some Brazilian coffee and charge $10,000 on your phone bill for it (you can be on ethernet, but it'll work if you still have dial-up plugged in...).
This is really the only safe alternative...
[php]// Include directory...
$inc_dir = "/var/www/include/";

// Check to see if file exists in include
// directory on server, if so include it...
if (file_exists($inc_dir . $_GET['page'] . ".php"))
    include($inc_dir . $_GET['page'] . ".php");
[/php]
#5
I eat cake for breakfast.
Join Date: Jul 2004
Location: In my box.
Posts: 4,434
Rep Power: 9
This is the method I use:
[php]// check the file desired against an array of allowed files
$files = array('home', 'contact', 'private/other_stuff');
// insert more pages here (minus the .php extension) when you need them

$file = null; // stays null when no allowed page was requested
for ($i = 0; $i < count($files); $i++) {
    if (isset($_GET[$files[$i]])) {
        $file = $files[$i];
        break;
    }
}

// redirect to the home page if no file is requested
if (!$file) {
    $file = 'home';
}[/php]
You use this code to include the page:
[php]include ($file . '.php');[/php]
And you call the files like so: http://www.mysite.com/?contact
#6
Newbie
Join Date: Dec 2004
Posts: 26
Rep Power: 0
I use tempest's method.
__________________
Mhm...Ramen.
#7
Hobbyist Programmer
Actually tempest, that's just as bad.
In that case I can use the string delimiter NULL (\0 AKA %00) to avoid that check and still fetch me shit and include whatever I want. Also known as The Poison NULL Byte. Like: http://www.site.com/?page=http://www...badcode.txt%00
The remedy to this problem is by simply using htmlentities.
[php]<?php
function verifypage($page)
{
    $page = htmlentities($page);
    $contents = "";
    if (!file_exists("pages/" . $page . ".txt")) {
        $contents = "Page not found, err0r.";
    } else {
        $pageopen = fopen("pages/" . $page . ".txt", "r");
        // Read line by line, wrapping long lines and converting newlines to <br />
        while (!feof($pageopen)) {
            $line = fgets($pageopen, 1024);
            $formattedline = wordwrap($line, 70, "\n");
            $formattedline = nl2br($formattedline);
            $contents .= $formattedline;
        }
        fclose($pageopen);
    }
    return $contents;
}
?>[/php]
That's a function I developed to make sure things go correctly. And also, you'll almost always have a PHP script somewhere on your server you don't want included somehow, so that'll fuck things up too. Just thought you should know. Because your script is still really inefficient and insecure. FYI: I read line by line just out of habit, after a good coder advised me to do that in certain situations. Don't mind it.
Last edited by Mad_guy; Mar 6th, 2005 at 4:29 PM.
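An added example, not code from any poster in this thread: one way to combine the allow-list from post #5 with the fixed include directory from post #4, refusing NUL bytes and confirming with realpath() that the resolved file stays inside that directory. The function name resolve_page(), the demo directory and the page names are assumptions made for the illustration.

```php
<?php
// Added example; resolve_page(), the demo directory and page names are assumptions.

// Returns the absolute path of the page to include, or null if the request is refused.
function resolve_page($requested, $baseDir, array $allowed, $default = 'home')
{
    // Missing or non-string input (e.g. ?page[]=x) falls back to the default page.
    if (!is_string($requested) || $requested === '') {
        $requested = $default;
    }
    // Refuse NUL bytes outright: older PHP versions truncated paths at "\0".
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Exact-match allow-list: URLs, "../" sequences and unlisted scripts never match.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // Defence in depth: canonicalise and require the file to sit inside $baseDir,
    // which also catches symlinks pointing elsewhere.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway include directory and a few sample requests.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($dir);
foreach (array('home', 'contact', 'admin') as $name) {
    file_put_contents("$dir/$name.php", "$name page\n");
}
$allowed = array('home', 'contact');   // admin.php exists but is not listed
$samples = array('contact', null, 'admin', '../admin',
                 "http://example.invalid/badcode.txt\0");
foreach ($samples as $s) {
    $path = resolve_page($s, $dir, $allowed);
    printf("%-45s => %s\n", var_export($s, true),
           $path === null ? 'refused' : 'include ' . basename($path));
}
// Clean up the demo directory.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

In index.php the caller would pass the value of $_GET['page'] (or null when it is absent), include the returned path, and answer with a 404 page when the result is null.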