Ashke
Flips page and continues reading
Premium Member
join:2007-09-11
Minneapolis, MN

Ashke to cdru

Re: Please help me make something like site.com/?p=pagetwo

said by cdru:

said by Ashke:

So how would you recommend to sanitize it?

At a minimum, I'd strip out any non-alpha-numeric characters. I'd also put all the articles or pages in a subdirectory and force that path to be prepended to the page you're building. By stripping out characters, you prevent a path of "../path/to/some/other/file" from being the parameter. It just becomes "pathtosomeotherfile" which won't exist.
said by Ashke:

So I should do something like generateMenu()?

That's just a helper function the author of that post created. What he's outlined in his post is a very crude template system. It will work, but it's...crude. If you're trying to learn PHP, then there's nothing wrong with that. If you're doing some rinky dink website to just play around, then there's nothing wrong with that. If you're looking to do this with a real website, you might want to read up more with PHP and get a better understanding of how things work.

So... How about something like this?

index.php
<?php require_once('engines/genMenu.php'); ?>
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title><?php echo htmlspecialchars(substr($_SERVER['REQUEST_URI'], 1), ENT_QUOTES, 'UTF-8'); ?></title>
 
<link rel="stylesheet" type="text/css" href="../css/main.css"/>
</style>
</head>
 
<body>
<div id="header">
<?php require_once('include/header.php'); ?>
</div>
<div id="content">
<?php 
$default = 'error404'; //Default page
$page = isset($_GET['p']) ? $_GET['p'] : $default; //Checks if ?p exists.
$page = basename($page); //Gets the name only, Not directory.
if (!file_exists($page.'.php'))    { //Checks if the file doesn't exist 
$page = $default; //If it doesn't, it'll revert back to the default page 
}
require($page.'.php'); //And now it's on your page!
?>
</div>
</body>
</html>
 

header.php
<div id="header">
<h1>Robert Plagge</h1>
<h2>What exists about me... Ye can't know!</h2>
<div class="nav">
<?php generateMenu() ?>
</div>
</div>
 

genMenu.php
<?php
$menu = array(); 
$menu['home'] = 'Home';
$menu['about'] = 'About';
$menu['contact'] = 'Contact Me';
$menu['sitemap'] = 'Site Map';
//Add in the format of: $menu['page name'] = 'Page Title'; 
 
$title='Home'; //Default title 
 
function generateMenu()    { 
global $menu,$default,$title; 
$error = '<span class="error">There has been an error</span>';
echo '    <ul>'; 
$p = isset($_GET['p']) ? $_GET['p'] : $default; 
foreach ($menu as $link=>$item)    { 
$class='';
$newLink = $link;
if(filter_var($newLink, FILTER_SANITIZE_STRING)){
 
if ($link==$p)    { 
$class=' class="selected"'; 
$title=$item; 
}
}
else{
die($error);
}
echo '<li><a href="?p='.$link.'"'.$class.'>'.$item.'</a></li>'; 
} 
echo '</ul>';
} 
?>
 

cdru
Go Colts
MVM
join:2003-05-14
Fort Wayne, IN

Don't worry about generating the menu. The sanitizing of the input there doesn't really matter as you aren't loading scripts/resources based on the query string.

The use of basename() in line 20 of your index page prevents directory traversal. It still would allow for other php to be called though even though you may not want them to be. I'd put all your content pages in a subdirectory (e.g. "pages") and only have content pages there. So change line 20 to
$page = "pages/".basename($page);
 

Ashke
Flips page and continues reading
Premium Member
join:2007-09-11
Minneapolis, MN

Awesome! Thanks for helping out!

Sorry it took me a while to respond. I've been swamped with work and other stuff, including web dev.
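
Added example, not part of the original thread: the page lookup from index.php with both of cdru's suggestions applied (strip non-alphanumeric characters, force a content subdirectory), plus a realpath() containment check. `resolvePage()`, `PAGES_DIR` and `DEFAULT_PAGE` are hypothetical names, and the layout (a `pages` directory next to the script containing `error404.php`) is an assumption.

```php
<?php
// Added example, not code from the thread. PAGES_DIR, DEFAULT_PAGE and
// resolvePage() are hypothetical names chosen for illustration.

const PAGES_DIR = __DIR__ . '/pages';   // assumption: only content pages live here
const DEFAULT_PAGE = 'error404';        // same default as the posted index.php

/**
 * Map the untrusted ?p= value to a file inside PAGES_DIR, or to the default page.
 */
function resolvePage($param, string $pagesDir = PAGES_DIR, string $default = DEFAULT_PAGE): string
{
    // ?p[]=x arrives as an array; treat anything that is not a string as missing.
    $name = is_string($param) ? $param : $default;

    // First suggestion: drop every non-alphanumeric character, so
    // "../path/to/some/other/file" collapses to "pathtosomeotherfile".
    $name = preg_replace('/[^A-Za-z0-9]/', '', $name);
    if ($name === '' || $name === null) {
        $name = $default;
    }

    // Second suggestion: always prepend the content directory.
    $base = realpath($pagesDir);
    $file = realpath($pagesDir . '/' . $name . '.php');

    // realpath() returns false for missing files; also refuse anything that
    // resolves outside the content directory (for example through a symlink).
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $pagesDir . '/' . $default . '.php';
    }
    return $file;
}

// Constructed sample inputs, printed only when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = ['home', '../include/header', 'index', ['home'], "home\0.txt", null];
    foreach ($samples as $p) {
        echo str_pad(json_encode($p), 24), ' => ', resolvePage($p), PHP_EOL;
    }
}
// In index.php the lookup then becomes: require resolvePage($_GET['p'] ?? null);
```

Requesting `?p=index` or `?p=../include/header` falls back to the default page, because neither name maps to a file inside the content directory.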