
Ashke
Flips page and continues reading
Premium
join:2007-09-11
Minneapolis, MN

Please help me make something like site.com/?p=pagetwo

I apologize if a similar issue was already posted by someone else; I couldn't find one by searching for something with /?p=, so I wanted to post one so I can get help with this. Please let me know if this was already posted by someone else.

Ok... here's what I'm trying to do...

I'm trying to create a PHP based template using PHP to generate pages and I'm really lost. I found this tutorial - http://tinyurl.com/aul5pbd and it proves to be really useful... However, I think I may be overlooking something or something that the tutorial said wasn't right. Can someone help me out?

Here's what I'm trying to do...

Generate a site that uses one page ie: index.html.

1) When the page loads, it will look for the default file and load it using require($foo).
2) When I want to click on one of the links in my nav bar, I want it to load that specific file onto this page. The link will point to and send me to site.com/?p=pagetwo and load the pagetwo.php into the page without literally putting .php on the end of the URI.

Here's what I have.

index.php

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="refresh" content="10" />
<title><?php echo substr($_SERVER['REQUEST_URI'],1) ?></title>
</head>
 
<body>
<?php 
$default = 'home'; //Whatever default page you want to display if the file doesn't exist or you've just arrived to the home page. 
$page = isset($_GET['p']) ? $_GET['p'] : $default; //Checks if ?p is set, and puts the page in and if not, it goes to the default page. 
$page = $_SERVER['REQUEST_URI']; //Gets the page name only, and no directories. 
if (!file_exists($page.'.php'))    { //Checks if the file doesn't exist 
$page = $default; //If it doesn't, it'll revert back to the default page 
//NOTE: Alternatively, you can make up a 404 page, and replace $default with whatever the page name is. Make sure it's still in the inc/ directory. 
}
require('/'.$page.'.php'); //And now it's on your page!
echo $page;
?>
</body>
</html>
 

pagetwo.php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="refresh" content="10" />
<title><?php echo substr($_SERVER['REQUEST_URI'],1) ?></title>
</head>
 
<body>
<div id="header">
<?php include 'include/header.html'; ?>
</div>
<div id="content">
<h1><?php echo $_SERVER['REQUEST_URI']; ?></h1>
<p>Lorem ipsum dolor... yada yada yada...</p>
</div>
</body>
</html>
 

So far in the index.php page, the echo $page; from line 21 is showing "home" and not the content of the pagetwo, so it's telling me that the php code isn't working. Can someone help me out?

--
-Ashke


Ashke
Flips page and continues reading
Premium
join:2007-09-11
Minneapolis, MN

Never mind.... I figured out where I left an error.

In line 12 of index.php, I was supposed to have

$page = basename($page);
 

Not

$page = $_SERVER['REQUEST_URI'];
 

*faceslams onto keyboard*

--
-Ashke


cdru
Go Colts
Premium,MVM
join:2003-05-14
Fort Wayne, IN
kudos:7
reply to Ashke

said by Ashke:

So far in the index.php page, the echo $page; from line 21 is showing "home" and not the content of the pagetwo, so it's telling me that the php code isn't working. Can someone help me out?

The PHP code is working exactly as it was programmed. Don't mistake the php code not working for you not telling it what you really want to do. :)

Comment out line 12 and I bet your problem disappears.

Attempting to head off problems before they become them, what you are implementing is bad for several reasons. One is a security reason because you are passing into PHP unsanitized parameters. Any time you use a user inputted string for building a path or creating a command it should be sanitized in some form to limit what it can do. As it is now, I can pass in anything to request any file with a php extension, regardless if I should be able to access that file and path.

The other thing is more practical. Search engine optimization best practices say not to use query strings as you are using them. It's better to put them in the path and not query string. Something like example.com/article/pagetwo is better. URL rewriting can take care of getting rid of the php from the user displayed URL.


Ashke
Flips page and continues reading
Premium
join:2007-09-11
Minneapolis, MN

So how would you recommend to sanitize it?
--
-Ashke



Ashke
Flips page and continues reading
Premium
join:2007-09-11
Minneapolis, MN
reply to cdru

said by cdru:

said by Ashke:

So far in the index.php page, the echo $page; from line 21 is showing "home" and not the content of the pagetwo, so it's telling me that the php code isn't working. Can someone help me out?

The PHP code is working exactly as it was programmed. Don't mistake the php code not working for you not telling it what you really want to do. :)

Comment out line 12 and I bet your problem disappears.

Attempting to head off problems before they become them, what you are implementing is bad for several reasons. One is a security reason because you are passing into PHP unsanitized parameters. Any time you use a user inputted string for building a path or creating a command it should be sanitized in some form to limit what it can do. As it is now, I can pass in anything to request any file with a php extension, regardless if I should be able to access that file and path.

The other thing is more practical. Search engine optimization best practices say not to use query strings as you are using them. It's better to put them in the path and not query string. Something like example.com/article/pagetwo is better. URL rewriting can take care of getting rid of the php from the user displayed URL.

So I should do something like generateMenu()?
--
-Ashke


cdru
Go Colts
Premium,MVM
join:2003-05-14
Fort Wayne, IN
kudos:7
reply to Ashke

said by Ashke:

So how would you recommend to sanitize it?

At a minimum, I'd strip out any non-alpha-numeric characters. I'd also put all the articles or pages in a subdirectory and force that path to be prepended to the page you're building. By stripping out characters, you prevent a path of "../path/to/some/other/file" from being the parameter. It just becomes "pathtosomeotherfile" which won't exist.

said by Ashke:

So I should do something like generateMenu()?

That's just a helper function the author of that post created. What he's outlined in his post is a very crude template system. It will work, but it's...crude. If you're trying to learn PHP, then there's nothing wrong with that. If you're doing some rinky dink website to just play around, then there's nothing wrong with that. If you're looking to do this with a real website, you might want to read up more with PHP and get a better understanding of how things work.


Ashke
Flips page and continues reading
Premium
join:2007-09-11
Minneapolis, MN

So how would I do that?
--
-Ashke



cdru
Go Colts
Premium,MVM
join:2003-05-14
Fort Wayne, IN
kudos:7

said by Ashke:

So how would I do that?

Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.

Go here and search for "php sanitize input", "php regular expression", "php strip special characters", etc.

If you have specific problems or questions, we can help. And if you don't understand why something is (or isn't) working as it does we can try to explain. But we won't generally do your programming for you.


Ashke
Flips page and continues reading
Premium
join:2007-09-11
Minneapolis, MN

So much for help :P Just kidding... I guess I gotta do some work.

I'm just brand new to PHP and trying to construct a *.php website rather than using the old fashioned extension *.html.
--
-Ashke



Ashke
Flips page and continues reading
Premium
join:2007-09-11
Minneapolis, MN
reply to cdru

said by cdru:

[...]
Go here and search for "php sanitize input", "php regular expression", "php strip special characters", etc.
[...]

The quote above reminds me of this particular webcomic link... http://xkcd.com/327/
--
-Ashke


Ashke
Flips page and continues reading
Premium
join:2007-09-11
Minneapolis, MN
reply to cdru

said by cdru:

said by Ashke:

So how would you recommend to sanitize it?

At a minimum, I'd strip out any non-alpha-numeric characters. I'd also put all the articles or pages in a subdirectory and force that path to be prepended to the page you're building. By stripping out characters, you prevent a path of "../path/to/some/other/file" from being the parameter. It just becomes "pathtosomeotherfile" which won't exist.

said by Ashke:

So I should do something like generateMenu()?

That's just a helper function the author of that post created. What he's outlined in his post is a very crude template system. It will work, but it's...crude. If you're trying to learn PHP, then there's nothing wrong with that. If you're doing some rinky dink website to just play around, then there's nothing wrong with that. If you're looking to do this with a real website, you might want to read up more with PHP and get a better understanding of how things work.

So... How about something like this?

index.php
<?php require_once('engines/genMenu.php'); ?>
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title><?php echo substr($_SERVER['REQUEST_URI'],1) ?></title>
 
<link rel="stylesheet" type="text/css" href="../css/main.css"/>
</style>
</head>
 
<body>
<div id="header">
<?php require_once('include/header.php'); ?>
</div>
<div id="content">
<?php 
$default = 'error404'; //Default page
$page = isset($_GET['p']) ? $_GET['p'] : $default; //Checks if ?p exists.
$page = basename($page); //Gets the name only, Not directory.
if (!file_exists($page.'.php'))    { //Checks if the file doesn't exist 
$page = $default; //If it doesn't, it'll revert back to the default page 
}
require($page.'.php'); //And now it's on your page!
?>
</div>
</body>
</html>
 

header.php
<div id="header">
<h1>Robert Plagge</h1>
<h2>What exists about me... Ye can't know!</h2>
<div class="nav">
<?php generateMenu() ?>
</div>
</div>
 

genMenu.php
<?php
$menu = array(); 
$menu['home'] = 'Home';
$menu['about'] = 'About';
$menu['contact'] = 'Contact Me';
$menu['sitemap'] = 'Site Map';
//Add in the format of: $menu['page name'] = 'Page Title'; 
 
$title='Home'; //Default title 
 
function generateMenu()    { 
global $menu,$default,$title; 
$error = '<span class="error">There has been an error</span>';
echo '    <ul>'; 
$p = isset($_GET['p']) ? $_GET['p'] : $default; 
foreach ($menu as $link=>$item)    { 
$class='';
$newLink = $link;
if(filter_var($newLink, FILTER_SANITIZE_STRING)){
 
if ($link==$p)    { 
$class=' class="selected"'; 
$title=$item; 
}
}
else{
die($error);
}
echo '<li><a href="?p='.$link.'"'.$class.'>'.$item.'</a></li>'; 
} 
echo '</ul>';
} 
?>
 

--
-Ashke


cdru
Go Colts
Premium,MVM
join:2003-05-14
Fort Wayne, IN
kudos:7

Don't worry about generating the menu. The sanitizing of the input there doesn't really matter as you aren't loading scripts/resources based on the query string.

The use of basename() in line 20 of your index page prevents directory traversal. It still would allow for other php to be called though even though you may not want them to be. I'd put all your content pages in a subdirectory (e.g. "pages") and only have content pages there. So change line 20 to

$page = "pages/".basename($page); 
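
The two steps cdru describes in this thread (strip non-alphanumeric characters, then force a content subdirectory onto the path) combined into one resolver, as an added example that is not code from any poster. The name resolve_page(), the pages/ layout and the sample inputs are assumptions; the is_string() and realpath() checks go slightly beyond what the posts suggest.

```php
<?php
// Added example, not code from the thread. resolve_page(), the pages/
// directory layout and the sample page names are illustrative assumptions.

function resolve_page($requested, string $pagesDir, string $default): string
{
    // ?p[]=x arrives as an array; treat anything that is not a string as absent.
    $name = is_string($requested) ? $requested : '';

    // Strip everything except letters and digits, as suggested in the thread:
    // "../path/to/some/other/file" becomes "pathtosomeotherfile".
    $name = (string) preg_replace('/[^A-Za-z0-9]/', '', $name);
    if ($name === '') {
        $name = $default;
    }

    // Force the content subdirectory onto the front of the path.
    $base = realpath($pagesDir);
    if ($base === false) {
        throw new RuntimeException('content directory missing');
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    $file = realpath($prefix . $name . '.php');

    // realpath() is false for a missing file; the prefix comparison confirms the
    // resolved file is still inside the content directory (symlinks included).
    if ($file === false || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        $file = realpath($prefix . $default . '.php');
    }
    if ($file === false) {
        throw new RuntimeException('default page missing');
    }
    return $file;
}

// Constructed demo: a throwaway pages/ directory with two content pages and
// one script outside it that must never be reachable through ?p=.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
@mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/home.php', 'home');
file_put_contents($root . '/pages/pagetwo.php', 'pagetwo');
file_put_contents($root . '/admin.php', 'not a content page');

$samples = ['pagetwo', null, ['x'], '../admin', 'pages/../../admin', 'nosuchpage'];
foreach ($samples as $p) {
    printf("%-22s => %s\n", json_encode($p), basename(resolve_page($p, $root . '/pages', 'home')));
}
// In index.php: require resolve_page($_GET['p'] ?? null, __DIR__ . '/pages', 'home');
```

Only the plain request for pagetwo resolves to anything other than the default page; the script outside pages/ is never selected.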
 


Ashke
Flips page and continues reading
Premium
join:2007-09-11
Minneapolis, MN

Awesome! Thanks for helping out!

Sorry it took me a while to respond. I've been swamped with work and other stuff, including web dev.
--
-Ashke