ok well on my website we use a basic php code that displays a page in on the layout decided by the inputted page name like

?page=contact
heres the code we use

Code:

<?php
$pool = @include($_GET['page'] . ".php");
if (!$pool) { include("news/show_news.php"); }
?>

and the danger of this is that apperntly someone can enter other url;s in the varible and do things like launch attacks and other un wanted things. i was told theres some kind of IF statement or something you can use to only make it display internal pages or only pages specified. but i dont know what this code is, any help is appreciated

~scoot

Scoot,

I am not aware of the code to which you are referring, but you could writ e something more secure for yourself. Create some random numbers -- let's say 57, 412, 3088, 5699

Then map each of those to a page. So in $_GET[page], you'll just pass a number and it provides you the security that user input cannot short-circuit your logic. Then:

PHP Code:


$pageNum = $_GET[page];

if( ! empty ($pageNum) )
{
    $includeFile = mapPg( $pageNum );
    include( $includeFile );
}


function mapPg( $v )
{
    $page = "";

    switch( $v )
    {
        case 57:  $page = "something1.php"; break;
        case 412:  $page = "something2.php"; break;
        case 3088:  $page = "something3.php"; break;
        case 5699:  $page = "something4.php"; break;
        default:  $page = "error.php"; break;
    }
    return $page;


} 


I am not really sure why you would do it this way and not just store everything in arrays and call to it when needed based on $_POST['criteria']

Moved to the php board.

Quote:

Originally Posted by techniner

I am not really sure why you would do it this way and not just store everything in arrays and call to it when needed based on $_POST['criteria']

tehniner,

This was just an idea that will require very little code change from the current mechanism but does provide some security from malicious code. Please post your code ideas as an alternative.