  1. #1
    Regular Coder
    Join Date
    Aug 2002
    Posts
    264
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Why No extension on filename?

    My site has this script below to have an index and pages, but I wanted it to be where the extensions are there like index.php?page=news.html not index.php?page=news because for the PHP pages that I have won't work like index.php?page=guestbook?page=whatever, so I need it to be index.php?page=guestbook.php?page=whatever... Anyone understand?

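    <?php
    // No ?page= value: show the default page.
    if(empty($_GET['page']))
    {
        include("includes/news.html");
    }
    // The request value is concatenated into the path unchecked
    // (the weakness discussed in the replies).
    elseif(file_exists("includes/".$_GET['page'].".html"))
    {
        include("includes/".$_GET['page'].".html");
    }
    elseif(file_exists("includes/".$_GET['page'].".php"))
    {
        include("includes/".$_GET['page'].".php");
    }
    else
    {
    ?>
    <?php
    } // closes the else branch; its body was not included in the post
    ?>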
    Please visit http://www.thickandthinpizza.com and tell me what you think.

  • #2
    Mega-ultimate member
    Join Date
    Jun 2002
    Location
    Winona, MN - The land of 10,000 lakes
    Posts
    1,855
    Thanks
    1
    Thanked 45 Times in 42 Posts
    I vaguely understand what you want to do and will point out that the code you have is just begging for a hacker to exploit.

    You should always clean your input before executing it.

  • #3
    Regular Coder
    Join Date
    Aug 2002
    Posts
    264
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Right now, when I want to go on a page I do index.php?page=page

    but I need it to be: index.php?page=page.html or .php so that it requires me to put in the extension

  • #4
    Regular Coder
    Join Date
    Jun 2002
    Location
    Sheffield, UK
    Posts
    552
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Either name all your files .php, or set up your server to parse .html as PHP and name them all as .php, problem solved.

    BTW carl, where's a hacker gonna exploit in that??
    "To be successful in IT you don't need to know everything - just where to find it in under 30 seconds"

    (Me Me Me Me Me Me Me Me Me)

  • #5
    Regular Coder
    Join Date
    Aug 2002
    Posts
    264
    Thanks
    0
    Thanked 0 Times in 0 Posts
    what??

  • #6
    Senior Coder
    Join Date
    Jun 2002
    Location
    frankfurt, german banana republic
    Posts
    1,848
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Readme.txt, have you ever tried to put the null byte in the query string, hm? Most interesting effects occur in both file_exists and include - with the effect of enabling a cracker to fetch whatever file PHP may fetch from the filesystem. That's what I consider to be an exploit.

    thickandthin, I think you need to be more descriptive with your last question. Besides, as others have said, your current solution is wide open and needs to be retailored. Put the file names you want to include into an array and use a telling name as the key. Pass this name through the query string, check if it exists as a key in your filenames array, and if so, include the filename associated with that key. Simple, easy to maintain, and secure.
    De gustibus non est disputandum.
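
The lookup-table approach described in post #6, as an added example that is not part of any post in this thread. The page keys, file names and the `includes` directory are assumptions chosen for illustration.

```php
<?php
// Added example (not from the thread): allowlist-based page include.
// The keys and file names below are hypothetical placeholders.
const PAGE_DIR = __DIR__ . '/includes';
const PAGES = [
    'news'      => 'news.html',
    'members'   => 'members.html',
    'guestbook' => 'guestbook.php',
];
const DEFAULT_PAGE = 'news';

/**
 * Map a request value to a file path, or null if the value is not an
 * exact key in PAGES. The request value is never concatenated into the path.
 */
function resolve_page($requested): ?string
{
    if ($requested === null || $requested === '') {
        $requested = DEFAULT_PAGE;
    }
    // Arrays (?page[]=x) and any unknown string are rejected here.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGES[$requested];
}

// Constructed inputs: valid keys, traversal, a null byte, an array.
$samples = [null, 'guestbook', '../../etc/passwd', "news\0.jpg", 'news.html', ['x']];
if (PHP_SAPI === 'cli') {
    // Command-line run: show how each constructed input is resolved.
    foreach ($samples as $s) {
        $path = resolve_page($s);
        printf("%-22s => %s\n", json_encode($s), $path ?? 'REJECTED (404)');
    }
} else {
    // Web request: include only a file named in PAGES.
    $path = resolve_page($_GET['page'] ?? null);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit('Page not found');
    }
    include $path;
}
```

The key is only a lookup label, so it can be spelled with an extension (`'guestbook.php' => 'guestbook.php'`) if the URL should show one, without the request value ever reaching `include`.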

  • #7
    Regular Coder
    Join Date
    Aug 2002
    Posts
    264
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Did I mention I didn't know PHP... lol my friend made it for me, basically all I need is instead of putting index.php?page=thepage I have to put the file ext like index.php?page=thepage.php

  • #8
    Regular Coder
    Join Date
    Oct 2003
    Posts
    603
    Thanks
    2
    Thanked 1 Time in 1 Post

    ...

    Set up a redirect page, sort of like this:

    PHP Code:
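    <?php
    // Redirect only for known page names; each target is a fixed string.
    if ($_GET['page'] == "page1") {
        header("Location: page1.html");
        exit; // stop the script once the redirect header is sent
    }
    if ($_GET['page'] == "page2") {
        header("Location: page2.html");
        exit;
    }
    ?>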
    etc, etc... just change the page1 and page2 to actual pages.

  • #9
    Regular Coder
    Join Date
    Aug 2002
    Posts
    264
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Is that secure?

  • #10
    Senior Coder
    Join Date
    Jul 2002
    Location
    Vancouver, BC Canada
    Posts
    1,323
    Thanks
    26
    Thanked 100 Times in 100 Posts
    thickandthin....you should get a book on PHP and start with the basic stuff. Then progress to the more difficult PHP programming.

    No matter what answers you get on this post you will not understand it.

    Leonard Whistler
    www.stubby.ca

  • #11
    New Coder
    Join Date
    Oct 2003
    Location
    Australia
    Posts
    18
    Thanks
    0
    Thanked 0 Times in 0 Posts
    switch is good

    PHP Code:
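    // Read the page name from the query string explicitly.
    $page = isset($_GET['page']) ? $_GET['page'] : '';

    // Each case includes a fixed file name; the request value only selects a branch.
    switch ($page) {

        case "members":
            include('members_page.html');
            break;

        case "news":
            include('news_page.html');
            break;

        case "downloads":
            include('dl_page.html');
            break;

        default:
            include('news.html');
            break;
    }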

