[solved] Simple include problem

[TarantinoArchives]

Hello there.
I am not much of a php programmer, all i can do is do some simple things after reading tutorials (as of yet).

I have a site (malls.tarantino.info) which has one index.php file and several other .htm files that are included into index.php by this script:

<?php if (!isset($id)) {
   include("main.htm"); }
   else include($id.".htm"); ?>

so basically it includes the main site, and when you click on a link like malls.tarantino.info/index.php?id=books then it woul include books.htm

this worked perfectly fine, but i moved server, and i am on php 4.3 or something and now it doesnt work anymore? anyone got an idea? or even an idea for a more nifty way of doing this?

[Shoeb Omar]

change all instances of $id to $_GET['id']

It has to do with auto_globals which you were using, it's a security worry so your new server has that directive turned off.

[TarantinoArchives]

thank you! that worked.

wait.... aren't you from the YaBB crew? ;-)

thanks again

[Shoeb Omar]

thank you! that worked.

wait.... aren't you from the YaBB crew? ;-)

thanks again

lol Yes I am .

I hang out in both places, we have common roots ^.^

[TarantinoArchives]

I switched from Yabb to SMF, just couldnt wait anymore ;-) but yabb gold was great, but as it is right now it cant compete with SMF i think. but i am looking forward to yabb2.
keep up the good work

[Shoeb Omar]

I switched from Yabb to SMF, just couldnt wait anymore ;-) but yabb gold was great, but as it is right now it cant compete with SMF i think. but i am looking forward to yabb2.
keep up the good work

lol, I won't deny that.  Check out which forum I use on my personal site

[[Unknown]]

lol, I won't deny that.  Check out which forum I use on my personal site

A *really old* version of SMF ?

<?php if (!isset($id)) {
   include("main.htm"); }
   else include($id.".htm"); ?>

This is just a suggestion, but I find it's a lot easier to read and find problems in code when it's formatted the way I like it.  Then again, maybe it's just me...

<?php

if (!isset($_GET['id']))
   include('main.htm');
else
   include($_GET['id'] . '.htm');

?>

Now, see, to me this is a lot more readable.  When looking at the other one, I wasn't sure what it did.  It seemed to include a different file based on if you have something in the URL... or something.  But, with this one, I can see: it either includes main.htm or $id + .htm.

But, I might suggest you implement some security here .  It's possible someone could try to access a restricted site with this - for example, they might but id=admin/index - and they'd get your admin page - if you had one.  Having the .htm there is quite a good step, but I usually like to clean it up like this:

Code Select Expand

<?php

if (!isset($_GET['id']))
include('main.htm');
else
{
$_GET['id'] = strtr($_GET['id'], '/:\\', '___');

if (file_exists($_GET['id'] . '.htm'))
include($_GET['id'] . '.htm');
else
include('main.htm');
}

?>

So, what we've done here is to make it so /, \, and : are all replaced by _ in $_GET['id'].  This way, no one can put paths into your include .  Next, we've checked to make sure the file actually exists before including it - this way, if something goes wrong, at least they won't get an error message from PHP.

However, if id is always supposed to be a number... it's easier.  Like so:

Code Select Expand

<?php

if (empty($_GET['id']))
include('main.htm');
else
{
$_GET['id'] = (int) @$_GET['id'];

if (file_exists($_GET['id'] . '.htm'))
include($_GET['id'] . '.htm');
else
include('main.htm');
}

?>

Here, there are two major changes.  I changed !isset to empty, because now we don't want to accept it even if they put id=0.  Next, I changed the part that replaces things to simply FORCE the id to be a number.  Now, it can't have ANYTHING in it except a number - isn't that great?

True, it's a bit longer... but it also looks cleaner and offers better security.  Just food for thought - if you start thinking this way now, it'll come easier .

-[Unknown]

[Shoeb Omar]

lol, I won't deny that.  Check out which forum I use on my personal site

A *really old* version of SMF ?

-[Unknown]

I'm too lazy to update

[TarantinoArchives]

thanks unknown, you're turning me into a PHP crack.
but now i gotta change all my html pages into whatevernumber.htm because it can only be a number, right?

would you suggest doing something like this:

switch (whatever, help me out)
{
case $_GET['id']=5:
     include crap.htm
case $_GET['id']=2;
     include snap.htm
//whatever pages I got
default:
    include main.htm
}

?
That would be a  way to only use numbers, right? I'd just have to update this list of filenames. The problem I'd imagine when using files like 5.htm or 2234.htm is I'd have no clue what they're about when editing them in dreamweaver.

thanks for your imput, incredible stuff there

[kegobeer]

You could load all the page names into a numbered array to make it easier to call:

$pages = array(
1 => 'blank.htm',
2 => 'home.htm'
);

include $pages[$_GET['id']];

[[Unknown]]

Well, the one that allows anything (not just numbers) should be okay.  It's still secure, it's just that using numbers or something like that is a lot cleaner/better.

But, don't worry, you should be able to use the other block of code I gave and not use numbers.

-[Unknown]

[TarantinoArchives]

thanks guys. i am impressed by how fast and skillful you are able to help newbies like me while you are programming SMF in the meantime. wowsers

keep up the great work guys