Thread: Help with php!

  1. #1
    lazy student nvening's Avatar

    Hi,

    I've recently moved a site I'm developing to a new hosting provider, however now my navigation system is not working.

    What I had working before was a system where the page's content was included into index.php dependent on what $page was set to in the URL, e.g. www.yourstives.co.uk/index.php?page=contact

    However I now cannot get this to work, it seems that it is not retrieving the variable from the URL as if I set the variable in the index it works fine.

    Here's my code stripped down to the basics of what I'm trying to get working (it doesn't work like this either)

    index.php
    PHP Code:
    <?php include("pagelist.php");?>
    pagelist.php
    PHP Code:
    <?
        if(isset($page))
        {
            switch ($page)
            {
                case "resturant":
                    include "resturant.php";
                    break;
                case "home":
                    include "home.php";
                    break;
                case "search":
                    include "search.php";
                    break;
                case "contact":
                    include "contact.php";
                    break;
                case "tips":
                    include "tips.php";
                    break;
                default:
                    print("<h1>Site Error</h1>");
                    print("<h3>404 Page Not Found</h3>");
                    print("<p> The link you have chosen has not found a valid page, please return to the <a class=\"gen\" href=\"index.php\">home page</a>.</p>
                        Please check the link if you typed it yourself; use the <a class=\"gen\" href=\"index.php?page=contact\">
                        contact</a> form to inform the webmaster of a site error.</p>");
            }
        }
        else
        {
            print("<h1>Site Error</h1>");
            include "home.php";
        }
    ?>
    Is it possible I need to enable something in my new hosting so variables can be retrieved from the URL, or is there an error I'm missing?

    Thanks!
    (\__/)
    (='.'=)
    (")_(")

  2. #2
    Ah, Mrs. Peel! mike_w's Avatar

    Huh? Where are you getting $page from? Don't you need

    $page = $_GET['page'];

    to get it to work as you want?

    Also, I'm sure you can do better than a load of switch cases. Perhaps something similar to:

    Code:
    if ( ($page == 'restaurant') || ($page == 'home') ) {
        include $page . '.php';
    } else {
        print("<h1>Site Error</h1>");
        print("<h3>404 Page Not Found</h3>");
        print("<p> The link you have chosen has not found a valid page, please return to the <a class=\"gen\" href=\"index.php\">home page</a>.</p>
            <p>Please check the link if you typed it yourself; use the <a class=\"gen\" href=\"index.php?page=contact\">
            contact</a> form to inform the webmaster of a site error.</p>");
    }
    "Well, there was your Uncle Tiberius who died wrapped in cabbage leaves but we assumed that was a freak accident."

  4. #3
    Senior Member GAteKeeper's Avatar

    Doesn't that leave him open to cross site scripting attacks?
    Keeper of the Gates of Hell

  5. #4
    Gentoo Ricer

    Quote Originally Posted by GAteKeeper View Post
    Doesn't that leave him open to cross site scripting attacks?
    Yup..

    @nvening: you're better off using redirects.

    But to fix your problem for now:

    Code:
    <?php
        // register_globals is off on the new host, so read the parameter from $_GET.
        // Testing $_GET["page"] itself avoids an undefined-index notice when it is absent.
        if(isset($_GET["page"]))
        {
            $page = $_GET["page"];
            switch ($page)
            {
                case "resturant":
                    include "resturant.php";
                    break;
                case "home":
                    include "home.php";
                    break;
                case "search":
                    include "search.php";
                    break;
                case "contact":
                    include "contact.php";
                    break;
                case "tips":
                    include "tips.php";
                    break;
                default:
                    // Anything not listed above falls through to the error page.
                    print("<h1>Site Error</h1>");
                    print("<h3>404 Page Not Found</h3>");
                    print("<p> The link you have chosen has not found a valid page, please return to the <a class=\"gen\" href=\"index.php\">home page</a>.</p>
                        Please check the link if you typed it yourself; use the <a class=\"gen\" href=\"index.php?page=contact\">
                        contact</a> form to inform the webmaster of a site error.</p>");
            }
        }
        else
        {
            print("<h1>Site Error</h1>");
            include "home.php";
        }
    ?>
    Quote Originally Posted by Agent View Post
    ...every time Creative bring out a new card range their advertising makes it sound like they have discovered a way to insert a thousand Chuck Norris super dwarfs in your ears...

  6. #5
    NOT Banned

    Most likely your new host has PHP5 installed, which doesn't have globals on for more secure coding practices.
    Last edited by moogle; 12-10-2007 at 11:58 AM. Reason: mody = most -_-'

  7. #6
    www.dougmcdonald.co.uk

    As previous post, this is caused by hosting turning globals off in php config.

    In order to secure the variable call a little more, you could verify the contents of variable to ensure it's within an acceptable set of boundaries, string length etc, or better still use an integer to identify the page, and verify that the variable is of type number.

  8. #7
    Ah, Mrs. Peel! mike_w's Avatar

    Quote Originally Posted by GAteKeeper View Post
    Doesn't that leave him open to cross site scripting attacks?
    How so? We're still checking the value $page using

    Code:
    if ( ($page == 'restaurant') || ($page == 'home') ) {
    Although obviously that doesn't contain all of the possibilities, they're trivial to add! Normally, when I use includes, I check to make sure that there are no slashes in the string, since all the includes I use are in the same directory.
    "Well, there was your Uncle Tiberius who died wrapped in cabbage leaves but we assumed that was a freak accident."

  9. #8
    Gentoo Ricer

    If you use that block of code on a site that doesn't do stripping, the string could easily be overwritten for something else.
    Quote Originally Posted by Agent View Post
    ...every time Creative bring out a new card range their advertising makes it sound like they have discovered a way to insert a thousand Chuck Norris super dwarfs in your ears...

  10. #9
    lazy student nvening's Avatar

    Hi,

    thanks mike_w, on my old server it didn't seem to need the $_GET for some reason??

    Anyway that's sorted now thanks!

    However I'm starting to look into options for creating a searching system for the site - because of the unusual (relatively) structure of the site I'm not sure of the best way of doing this.

    Is the best thing to do to use an indexing script such as Sphider and get it to index all the links from a single "page-list.php" file where the links are automatically generated from my database?

    I've looked into scripts which directly search the database and although at first they would seem to be good they have limitations which make them impracticable, unless anyone knows of a more powerful script?
    (\__/)
    (='.'=)
    (")_(")

  11. #10
    Senior Member

    Write one yourself? PHP is pretty easy to pick up, and if you do it yourself you will have a clearer idea of how it works

  12. #11
    Senior Member

    also what about something like:

    $pages = $_GET['pages'];
    if(!isset($pages)) { include("nav/home.php"); }
    else { if (is_file("nav/$pages".".php")) { include("nav/$pages".".php"); } }

    It's just something quick but easily customisable

  13. #12
    Member

    hey??
    $_GET['pages']; leaves the site open to attacks? :O I never knew that, I use it for everything. Can someone please explain how it is a security issue??


    thanx

  14. #13
    NOT Banned

    Quote Originally Posted by hsncool View Post
    hey??
    $_GET['pages']; leaves the site open to attacks? :O I never knew that, I use it for everything. Can someone please explain how it is a security issue??


    thanx
    Just insert page.php?pages=(malicious code or something here) and the script will run it without validating. Always do checking when getting data the user can modify.

  15. #14
    lazy student nvening's Avatar

    Hi again

    I've not really been working on this much recently but I have been trying to sort out the searching solution without much success and I can't even get Sphider to work on my new hosting

    However through my research I think that I have worked out what I need but I need some guidance on where I should take it from here.

    Basically I want to use the fulltext search feature of MySQL - I've read a couple of articles and one gave this basic script but it goes on to say this can't because:
    I have done absolutely no error checking. The $query variable provides an easy opening for an intruder to input something nasty into your query that might destroy your data.
    Also I'm guessing it's missing some key features to do with cleaning the search terms.

    So basically I'm just trying to work out whether I'm on the right track and maybe what I need to consider and if anyone knows of a much easier solution that would be good too!!

    One other thing, is the $_GET['pages'] issue sorted by what mike_w said??

    Thanks!!

    This is the script I was talking about

    PHP Code:
    <?php
    /* call this script "this.php" */
    if ($c != 1) {
    ?>
    <form action="this.php?c=1">
    <input type="text" name="keyword">
    <input type="submit" value="Search!">
    </form>
    <?php
    } else if ($c==1) {
        MySQL_connect("hostname", "username", "password");
        MySQL_select_db("database");
        $sql = "
            SELECT *,
                MATCH(title, body) AGAINST('$keyword') AS score
                FROM articles
            WHERE MATCH(title, body) AGAINST('$keyword')
            ORDER BY score DESC
        ";
        $res = MySQL_query($sql);
    ?>
    <table>
    <tr><td>SCORE</td><td>TITLE</td><td>ID#</td></tr>
    <?php
        while($row = MySQL_fetch_array($rest)) {
            echo "<tr><td>{$sql2['score']}</td>";
            echo "<td>{$sql2['title']}</td>";
            echo "<td>{$sql2['id']}</td></tr>";
        }
        echo "</table>";
    }
    ?>
    (\__/)
    (='.'=)
    (")_(")
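
Added example, not part of the original thread or of the article the post quotes: the same MySQL full-text search with the keyword bound as a statement parameter and every output value HTML-escaped. It assumes PHP 7 or later with the PDO MySQL driver, placeholder connection details, and the `articles` table with a FULLTEXT index on `title, body` that the posted script implies; the helper names and the 200-byte length limit are illustrative.

```php
<?php
// DB_HOST, DB_NAME, DB_USER and DB_PASS are placeholders, not real values.
$pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,    // server-side prepared statements
]);

/** HTML-escape one value for output. */
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/** Run the full-text search; $keyword is sent as data, never as SQL text. */
function searchArticles(PDO $pdo, string $keyword): array
{
    $keyword = trim($keyword);
    if ($keyword === '' || strlen($keyword) > 200) {   // limit is an assumption
        return [];                          // empty or oversized input: no query
    }
    $stmt = $pdo->prepare(
        'SELECT id, title, MATCH(title, body) AGAINST(?) AS score
           FROM articles
          WHERE MATCH(title, body) AGAINST(?)
          ORDER BY score DESC'
    );
    $stmt->execute([$keyword, $keyword]);   // one value per placeholder
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Read the parameter explicitly; ?keyword[]=x would arrive as an array.
$raw = $_GET['keyword'] ?? '';
$keyword = is_string($raw) ? $raw : '';
?>
<form action="this.php" method="get">
<input type="text" name="keyword" value="<?= e($keyword) ?>">
<input type="submit" value="Search!">
</form>
<table>
<tr><td>SCORE</td><td>TITLE</td><td>ID#</td></tr>
<?php foreach (searchArticles($pdo, $keyword) as $row): ?>
<tr><td><?= e($row['score']) ?></td><td><?= e($row['title']) ?></td><td><?= e($row['id']) ?></td></tr>
<?php endforeach; ?>
</table>
```

The `mysql_*` functions used in the posted script were removed in PHP 7, which is why this version uses PDO.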

  16. #15
    Large Member

    Seems fine... except for $res and $rest. What's your question exactly?
    To err is human. To really foul things up ... you need a computer.

  17. #16
    HEXUS.social member Agent's Avatar

    Quote Originally Posted by mike_w View Post
    How so? We're still checking the value $page using

    Code:
    if ( ($page == 'restaurant') || ($page == 'home') ) {
    Although obviously that doesn't contain all of the possibilities, they're trivial to add! Normally, when I use includes, I check to make sure that there are no slashes in the string, since all the includes I use are in the same directory.
    I am no PHP expert but I can't see how that could lead to XSS either?
    At no point does the variable get echoed / inserted on the page without validation. It's literally saying if $page = X, do Y. If the user feeds it some data that it doesn't fall into the different cases that have been set, it should just be ignored? I just can't see how the data could break out of the case statement?
    As the variable is being compared against a list of known good variables, with anything else being discarded, afaik it should be fine.

    Doing
    Code:
    $pages = $_GET['pages'];
    Echo $pages;
    Is entirely different though.
    Quote Originally Posted by Saracen View Post
    And by trying to force me to like small pants, they've alienated me.
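
Added example, not code from any poster in the thread: the allowlist approach discussed above (compare `page` against known values, escape anything echoed back), generalised to a lookup table so the request value is never part of the include path. The page keys are those in the original switch; the `pages/` base directory, the function names and the sample inputs are assumptions made for illustration.

```php
<?php
// Page keys and file names come from the thread's switch statement.
const PAGES = [
    'home'      => 'home.php',
    'resturant' => 'resturant.php',
    'search'    => 'search.php',
    'contact'   => 'contact.php',
    'tips'      => 'tips.php',
];

/**
 * Map the raw ?page= value to a file path, or null if it is not an exact
 * allowlist key. The request value is only used as an array key, so slashes,
 * dots or extra suffixes can never reach the path handed to include.
 */
function resolvePage($raw, string $baseDir): ?string
{
    if ($raw === null) {
        return $baseDir . '/' . PAGES['home'];    // no parameter: default page
    }
    // ?page[]=x arrives as an array, so reject non-strings before the lookup.
    if (!is_string($raw) || !array_key_exists($raw, PAGES)) {
        return null;
    }
    return $baseDir . '/' . PAGES[$raw];
}

/** Build the 404 body; the rejected value is escaped before it is echoed. */
function notFoundHtml($raw): string
{
    $shown = is_string($raw) ? $raw : '(non-string value)';
    return '<h1>Site Error</h1><h3>404 Page Not Found</h3><p>No page named "'
        . htmlspecialchars($shown, ENT_QUOTES, 'UTF-8') . '".</p>';
}

// In index.php (hypothetical wiring):
//   $raw  = $_GET['page'] ?? null;
//   $file = resolvePage($raw, __DIR__ . '/pages');
//   if ($file === null) { http_response_code(404); echo notFoundHtml($raw); }
//   else { include $file; }

// Constructed inputs; run from the CLI to see which values are accepted.
$samples = [null, 'contact', 'Contact', '../home', 'home.php', ['home'], '<b>tips</b>'];
foreach ($samples as $raw) {
    $file = resolvePage($raw, '/var/www/pages');
    echo json_encode($raw, JSON_UNESCAPED_SLASHES), ' => ',
         $file ?? 'rejected: ' . notFoundHtml($raw), PHP_EOL;
}
```

Only `null` and `'contact'` resolve to a path; every other sample is rejected, and the last one shows the rejected value coming back escaped rather than as markup.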
