Practical Navigation
I'm currently using the following code for my navigation:
<?php
$page = @$_SERVER['QUERY_STRING'];
if ($page) {
    include "includes/$page.php";
} else {
    echo "<span class=\"text\">No page selected!</span>";
}
?>
I was wondering if anyone knows of something better that uses a similar method to this. I don't like using this code because it has no file check built in to see if the file exists before it tries to include it.
Renegade posted this at 00:31 — 22nd December 2002.
He has: 3,022 posts
Joined: Oct 2002
<?php
$page = @$_SERVER['QUERY_STRING'];
if ($page) {
    file_exists ($page) {
        include "includes/$page.php";
    }
} else {
    echo "<span class=\"text\">No page selected!</span>";
}
?>
I'm quite new to PHP but I think that may work; if it doesn't then the function is there... :S
Mark Hensler posted this at 00:51 — 22nd December 2002.
He has: 4,048 posts
Joined: Aug 2000
close...
<?php
$page = @$_SERVER['QUERY_STRING'];
if ($page) {
    if (file_exists($page)) {
        include "includes/$page.php";
    }
} else {
    echo "<span class=\"text\">No page selected!</span>";
}
?>
Mark Hensler
If there is no answer on Google, then there is no question.
Renegade posted this at 02:06 — 22nd December 2002.
He has: 3,022 posts
Joined: Oct 2002
lol, oops :S I forgot the if() function with it
nuk3 posted this at 02:44 — 22nd December 2002.
They have: 238 posts
Joined: May 2002
Thanks for your help
Also would it be possible to include a 404 page if the page doesn't exist and if no query is entered a statement "no page selected" can appear. Is that possible?
Abhishek Reddy posted this at 02:55 — 22nd December 2002.
He has: 3,348 posts
Joined: Jul 2001
Wouldn't it have to be
<?php
if (file_exists("includes/$page.php")) {
    include "includes/$page.php";
}
?>
?
nuk3 posted this at 06:12 — 22nd December 2002.
They have: 238 posts
Joined: May 2002
I'd hate to burst your bubble Mark but that code doesn't work, the page doesn't show up?
Mark Hensler posted this at 07:06 — 22nd December 2002.
He has: 4,048 posts
Joined: Aug 2000
try this then...
<?php
$page = @$_SERVER['QUERY_STRING'];
if (isset($page)) {
    $page = "includes/$page.php";
    if (file_exists($page)) {
        include($page);
    }
    else {
        echo "Specified page does not exist. ($page)";
    }
}
else {
    echo "No page specified!";
}
?>
Mark Hensler
If there is no answer on Google, then there is no question.
Mark Hensler posted this at 07:07 — 22nd December 2002.
He has: 4,048 posts
Joined: Aug 2000
and beware... there is NO security in the above code.
Consider the following:
your_page.php?page=../.htaccess
Renegade posted this at 08:04 — 22nd December 2002.
He has: 3,022 posts
Joined: Oct 2002
How would you get around that?
Fataqui posted this at 13:02 — 22nd December 2002.
They have: 17 posts
Joined: Jan 2002
Hi
This may seem like overkill...
but, I never trust anything coming into my scripts.
I also read into the directory instead of file_exists();
because I have seen it cause trouble on some windows systems!
<?php
// error 1 = bad page name i.e., ("page" can only contain (a-z0-9)/i
// error 2 = bad page name i.e., ("page" to include does not exist)
// if a error is found redirect to....
$home = "/members";
// only allow by [GET METHOD], you can change this!
if (isset($_GET['page'])) {
    // define $test....
    $test = "";
    // convert $_GET to simple $var name
    $page = $_GET['page'];
    // test what is coming into the script
    // never trust anything sent to your scripts!
    $test = verify($page);
    // if the (page test = verify function) returns [0]
    // everything is (OK) OK = include page was found
    // so include the page from the (GET METHOD)
    if ($test == 0) {
        include('includes/'.$page.'.php');
    } else {
        // if the (page test = verify function) returns [1]
        // something went wrong > (could be only 2 things)
        // 1. bad page name [a-z0-9] only
        // 2. include page not found.......
        // redirect them, or change and (echo a error!)
        header("Location: $home/");
        exit;
    }
} else {
    // we got here because there is no (GET METHOD $var ['page'])
    // redirect them, or change and (echo a error!)
    header("Location: $home/");
    exit;
}
// the function to verify the request from the users browser!
function verify($page) {
    $test = 0;
    // path to the includes directory
    $dir = "some_directory/on/your/server/to/includes";
    $check = "".$page.".php";
    // change this to what you will allow in your include page names
    if (!preg_match("/^[a-z0-9]+$/i", $page)) {
        $test = 1;
    } else {
        $test = 1;
        $handle = opendir($dir);
        while (($file = readdir($handle)) !== false) {
            if ($file != "." && $file != ".." && $file != ".htaccess") {
                if ($file == $check) {
                    $test = 0;
                }
            }
        }
        closedir($handle);
    }
    return $test;
}
?>
F!
nuk3 posted this at 00:27 — 23rd December 2002.
They have: 238 posts
Joined: May 2002
Hmmm, overkill it may be, but after reading through it seems a lot safer.. What does everyone else think?
Mark Hensler posted this at 07:20 — 23rd December 2002.
He has: 4,048 posts
Joined: Aug 2000
It's always best to be paranoid about data coming into your scripts.
It's a very good idea to pattern match the filename first. That will prevent any wise guys from trying to navigate your filesystem.
The only ideal solution, IMO, is to know which files are allowed to be included. And to only include those files (such as a large CASE selection).
Side note... this IF statement is unnecessary:
if ($file != "." && $file != ".." && $file != ".htaccess") {
Mark Hensler
If there is no answer on Google, then there is no question.
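The allow-list approach suggested above (only include files you already know about), written out as an added example that is not part of the original thread. The page names, the file names and the `includes/` location are assumptions for illustration; it also covers the 404 and "no page selected" cases asked about earlier.

```php
<?php
// Added example, not code from the thread. Page names, file names and the
// includes/ directory are assumptions.

// Allow-list: request key => file under includes/. Nothing else is includable.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact-us.php',
];

/**
 * Map the raw ?page= value to a file path.
 * Returns [status, path]: 200 with a path, 400 when no page was given,
 * 404 when the name is unknown or its file is missing.
 */
function resolve_page($raw, string $baseDir): array
{
    // ?page[]=x arrives as an array; treat anything but a non-empty string as absent.
    if (!is_string($raw) || $raw === '') {
        return [400, null];
    }
    // The request value is only ever an array key, never a path component,
    // so a value such as "../.htaccess" just fails the lookup.
    if (!array_key_exists($raw, PAGES)) {
        return [404, null];
    }
    $path = $baseDir . '/' . PAGES[$raw];
    // The file may have been removed since the list was written.
    return is_file($path) ? [200, $path] : [404, null];
}

[$status, $path] = resolve_page($_GET['page'] ?? null, __DIR__ . '/includes');

if ($status === 200) {
    include $path;
} elseif ($status === 404) {
    http_response_code(404);
    // The requested name is deliberately not echoed back into the page.
    echo 'Specified page does not exist.';
} else {
    echo '<span class="text">No page selected!</span>';
}
```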
Renegade posted this at 07:01 — 24th December 2002.
He has: 3,022 posts
Joined: Oct 2002
Yeah, don't you just hate people who do that? They think, just because it's there they should go have a look at it and see what havoc they can do? ...
ROB posted this at 00:09 — 25th December 2002.
They have: 447 posts
Joined: Oct 1999
also include will return false on failure, so a more compact method of testing success would be...
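<?php
// parentheses around the include are required; without them PHP
// evaluates include(("includes/$page.php") or die(...))
(include "includes/$page.php") or die("Page doesn't exist: $page.php");
// or
if (!include("includes/$page.php")) {
    // do something
}
?>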
nuk3 posted this at 00:49 — 26th December 2002.
They have: 238 posts
Joined: May 2002
How can I make it so underscores and hyphens are allowed to be used? I can't make any sense of that validation code
nuk3 posted this at 01:50 — 26th December 2002.
They have: 238 posts
Joined: May 2002
No need to worry anymore, I've decided to scrap all the fancy scripting and include the template on each page, thanks for all your help anyway!
Mark Hensler posted this at 04:45 — 26th December 2002.
He has: 4,048 posts
Joined: Aug 2000
For the record...
if(!preg_match("/^[a-z0-9]+$/i", $page)) {
becomes:
if(!preg_match("/^[a-z0-9_\-]+$/i", $page)) {
nuk3 posted this at 11:53 — 26th December 2002.
They have: 238 posts
Joined: May 2002
I'll keep that code handy, I might need it again..