[php] - [better Page Including] - [winuu]



#1 winuu

Posted 05 May 2005 - 01:03 PM

Many people use this way to include pages in their PHP files:

<?php
if ($page == "software")
{
  include "software.php";
}
elseif ($page == "moose")
{
  include "moose.php";
}
elseif ($page == "about")
{
  include "about.php";
}
else
{
  include "default.php";
}
?>

The above code can be made simpler by effectively using the switch statement:

<?php
switch ($page)
{
  case "software":
  case "moose":
  case "about":
    include "$page.php";
    break;
  default:
    include "default.php";
    break;
}
?>

Now, if REGISTER_GLOBALS is set off in php.ini, just replace $page with $_GET["page"], and it should work. ^_^

#2 adam123

Posted 05 May 2005 - 01:08 PM

They work basically the same, a better way would be:

<?php

if (file_exists($_GET['page'] . ".php"))
{
  include $_GET['page'] . ".php";
}
else
{
  include "404.php";
}

?>

Oh yeah, you shouldn't really use $page instead of $_POST['page']/$_GET['page'] as it poses a security threat.

#3 MaRmAR

Posted 06 May 2005 - 02:21 AM

If you use
import_request_variables("gp");
somewhere at the start of your PHP, you will not have to use variable format like $_GET["page"]...

#4 winuu

Posted 06 May 2005 - 05:13 AM

They work basically the same, a better way would be:

<?php

if (file_exists($_GET['page'] . ".php"))
{
  include $_GET['page'] . ".php";
}
else
{
  include "404.php";
}

?>

Oh yeah, you shouldn't really use $page instead of $_POST['page']/$_GET['page'] as it poses a security threat.

Actually, that would just be an easier way, not necessarily a better way to do it; the code sample you provided actually has a security flaw. It allows the user to include any page/file on the server. :rolleyes:
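
An added example, not part of the original thread: it runs the file_exists() test from post #2 and the fixed list of names from post #1 over the same request values, to show the difference post #4 points out. The helper resolve_page(), the temporary directory layout and settings.php are hypothetical and constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. resolve_page() and the
// directory layout below are hypothetical and constructed for the demo.
const ALLOWED_PAGES = ['software', 'moose', 'about']; // names from post #1

// Build the include path from the allow-list entry, never from the
// request value itself; anything else falls back to default.php.
function resolve_page($requested, string $pagesDir): string
{
    // $_GET values may be arrays (?page[]=x), so require a string first.
    if (is_string($requested)) {
        $key = array_search($requested, ALLOWED_PAGES, true);
        if ($key !== false) {
            return $pagesDir . '/' . ALLOWED_PAGES[$key] . '.php';
        }
    }
    return $pagesDir . '/default.php';
}

// Constructed layout: four page files plus one file outside the pages dir.
$root = sys_get_temp_dir() . '/include_demo_' . getmypid();
$pagesDir = $root . '/pages';
mkdir($pagesDir, 0700, true);
foreach (['software', 'moose', 'about', 'default'] as $name) {
    file_put_contents("$pagesDir/$name.php", "<?php echo '$name page';");
}
file_put_contents("$root/settings.php", '<?php // not meant to be a page');
chdir($pagesDir);

// Constructed request values, compared under both checks.
foreach (['about', 'nosuchpage', '../settings', ['about']] as $input) {
    // The test from post #2 (string guard added): true for any existing
    // .php file, wherever it lives relative to the working directory.
    $exists = is_string($input) && file_exists($input . '.php');
    printf(
        "%-12s file_exists check: %-4s allow-list includes: %s\n",
        is_string($input) ? $input : '(array)',
        $exists ? 'pass' : 'fail',
        basename(resolve_page($input, $pagesDir))
    );
}

// Remove the constructed files.
chdir(sys_get_temp_dir());
array_map('unlink', array_merge(glob("$pagesDir/*.php"), glob("$root/*.php")));
rmdir($pagesDir);
rmdir($root);
```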

#5 adam123

Posted 06 May 2005 - 10:37 AM

Yeah, but why the hell would you store important files UNPROTECTED in a directory anyone can view? Users can't view files in .htaccess/.htpass protected pages, they can't view files below the current directory, etc. etc.
I'm not going to get into an argument about this as it's stupid, but I'm just proving my point.

#6 winuu

Posted 06 May 2005 - 10:41 AM

:P Never mind...



