Thread: php - quick safety check on a get input (reading a file)

  1. #1
    Editable... jimbouk's Avatar
    Join Date
    Aug 2005
    Location
    Bristol
    Posts
    2,811
    Thanks
    244
    Thanked
    238 times in 191 posts
    • jimbouk's system
      • Motherboard:
      • Asrock B450M-HDV R4.0
      • CPU:
      • AMD Ryzen 5 3600
      • Memory:
      • Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4 3200 MHz C16
      • Storage:
      • Sabrent Rocket Q 1TB NVMe PCIe M.2 2280
      • Graphics card(s):
      • Sapphire Pulse RX 580 8GB
      • PSU:
      • Seasonic Core Gold GC-650
      • Case:
      • Lian-Li PC-V1100 ATX
      • Operating System:
      • Windows 10 Pro
      • Monitor(s):
      • AOC CU34G2/BK 34" Widescreen
      • Internet:
      • EE FTC

    php - quick safety check on a get input (reading a file)

    I'm using a GET on an address to get (part of) a file to open, e.g.:

    index.php#newpage

    index.php contains the header, footer, nav menu, etc and newpage is part of a filename (in a folder, has an extension). I want to do a few simple checks before opening the file, so far I have:

    PHP Code:
    if (isset($_GET['page']) &&
        preg_match('/[^a-z0-9_]/', $_GET['page']) == 0 &&   // no character outside [a-z0-9_]
        file_exists('folder/'.$_GET['page'].'.extension')) {
        // include the requested page here; the else branch loads the home page
    }

    If any check fails, it loads the home page. File names will only include lower case characters, numbers and underscores (hence the regex). Can anyone think of anything else that needs to be done, or any problems with what I've got so far?

    Cheers!

  2. #2
    Large Member
    Join Date
    Apr 2004
    Posts
    3,720
    Thanks
    47
    Thanked
    99 times in 64 posts

    Re: php - quick safety check on a get input (reading a file)

    Are you doing something special to get the hash value back to the server? If you are it should not appear in the GET array in any case, and generally when standard links are clicked with a href value of a url ending with #xxx, most browsers will not make a GET request to the server.
    To err is human. To really foul things up ... you need a computer.

  3. #3
    Editable... jimbouk's Avatar
    Join Date
    Aug 2005
    Location
    Bristol
    Posts
    2,811
    Thanks
    244
    Thanked
    238 times in 191 posts

    Re: php - quick safety check on a get input (reading a file)

    Oops, mistyped the link, should be index.php?page=newpage - you're right the previous one wouldn't have done much!

  4. #4
    Not a good person scaryjim's Avatar
    Join Date
    Jan 2009
    Location
    Gateshead
    Posts
    15,196
    Thanks
    1,230
    Thanked
    2,291 times in 1,874 posts
    • scaryjim's system
      • Motherboard:
      • Dell Inspiron
      • CPU:
      • Core i5 8250U
      • Memory:
      • 2x 4GB DDR4 2666
      • Storage:
      • 128GB M.2 SSD + 1TB HDD
      • Graphics card(s):
      • Radeon R5 230
      • PSU:
      • Battery/Dell brick
      • Case:
      • Dell Inspiron 5570
      • Operating System:
      • Windows 10
      • Monitor(s):
      • 15" 1080p laptop panel

    Re: php - quick safety check on a get input (reading a file)

    Can't see any problems as such, but it looks like a long way to go to create a set of pages. Particularly, I don't know how well it'll get indexed by search engines as all the links point to the same page.

    I assume there's an include($_GET['page']); further down the code which loads the content for the appropriate page?

    One option would be to rename your index.php to something like template.php, then have a separate php file for each page which sets a variable (e.g. pagename) to the path of your page then includes template.php. Then in template.php, instead of having include($_GET['page']);, you have include(pagename);. That way you have separate URLs for every page, you don't have to worry about code injection etc as you're not processing the querystring or post variables at all, but you still get the benefit of having a single page to template your site. It's the approach I used on http://www.realsolutions.org.uk...

  5. #5
    Editable... jimbouk's Avatar
    Join Date
    Aug 2005
    Location
    Bristol
    Posts
    2,811
    Thanks
    244
    Thanked
    238 times in 191 posts

    Re: php - quick safety check on a get input (reading a file)

    Quote Originally Posted by scaryjim:
    Can't see any problems as such, but it looks like a long way to go to create a set of pages. Particularly, I don't know how well it'll get indexed by search engines as all the links point to the same page.
    Seems like a long way for a shortcut, but (a) I was tired of updating every page every time the contents list/other 'template' features change and (b) better safe than sorry when outputting the contents of a file on the web!

    Quote Originally Posted by scaryjim:
    I assume there's an include($_GET['page']); further down the code which loads the content for the appropriate page?
    Indeed, either gets the content for the appropriate page, the else just gets the home page.

    Quote Originally Posted by scaryjim:
    One option would be to rename your index.php to something like template.php, then have a separate php file for each page which sets a variable (e.g. pagename) to the path of your page then includes template.php. Then in template.php, instead of having include($_GET['page']);, you have include(pagename);. That way you have separate URLs for every page, you don't have to worry about code injection etc as you're not processing the querystring or post variables at all, but you still get the benefit of having a single page to template your site. It's the approach I used on http://www.realsolutions.org.uk...
    Yeah, each page including the template would be the other (probably better) way of doing it. Not sure what search engines would make of my method(?) Maybe have to redesign on the next update!

  6. #6
    Not a good person scaryjim's Avatar
    Join Date
    Jan 2009
    Location
    Gateshead
    Posts
    15,196
    Thanks
    1,230
    Thanked
    2,291 times in 1,874 posts

    Re: php - quick safety check on a get input (reading a file)

    Well, for the real solutions site, each actual page (e.g. index.php) is all of three lines of code. One creates and sets a variable for the page title, one creates and sets a variable for the content source file, and one 'includes' a page called master.php.

    master.php, however, doesn't contain the whole layout either. It contains the basic skeleton of the page, so pretty much the html, head (where it drops in the page title set in the actual page), and body elements and about three or four divs which define the overall layout. Each of those divs then contains one or more include statements to separate PHP files containing the splash header, the menu, the footer, etc... and also the content file set up in the previous page.

    That way if I want to change the footer I don't have to open up a long template file and scroll to the bottom: I can just edit a file with 3 lines of html in it. And it guarantees that I don't mess up any of the rest of the template at the same time.


    Anyway, that's a bit by the by, even if it'd make a nice little project for you sometime

    As to your original concept: how about having an associative array of titles to file paths, like

    PHP Code:
    $filepaths = array(
        "about"   => "path/to/about.php",
        "home"    => "path/to/home.php",
        "contact" => "path/to/contact.php"
    );

    Then instead of concatenating the newpage variable into the path, you could look the path and filename up in the array:

    PHP Code:
    $page = isset($_GET['page']) ? $_GET['page'] : 'home';
    include(isset($filepaths[$page]) ? $filepaths[$page] : $filepaths['home']);   // unknown key: default page

    That way if someone tried to put something sneaky into the querystring it'd simply fail to find a matching path and you could load the default page.
    Last edited by scaryjim; 07-02-2011 at 04:33 PM.
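The two approaches in this thread side by side, as an added example that is not code from either poster: the OP's character-class check plus file_exists(), and scaryjim's allowlist lookup, each written as a function and run over a few constructed inputs. The page names, paths and the stand-in for file_exists() are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread: both page-selection strategies as
// pure functions, runnable from the CLI without a web server. Paths and the
// simulated file_exists() are constructed for the demo.

// Allowlist map (scaryjim's approach): the keys are the only names a visitor
// can choose, and the paths never contain request data.
const PAGE_MAP = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];
const HOME_PAGE = 'pages/home.php';

// Strategy 1 (the OP's check): reject any character outside [a-z0-9_], then
// confirm the file exists. "../", dots, NUL bytes and uppercase all fail the
// regex and fall back to the home page. Compare with === 0 rather than == 0:
// preg_match() returns false on error, and false == 0 is true.
function resolveByRegex(array $get, callable $exists): string
{
    if (!isset($get['page']) || !is_string($get['page']) || $get['page'] === '') {
        return HOME_PAGE;
    }
    if (preg_match('/[^a-z0-9_]/', $get['page']) !== 0) {
        return HOME_PAGE;   // also keeps a NUL byte away from file_exists()
    }
    $path = 'pages/' . $get['page'] . '.php';
    return $exists($path) ? $path : HOME_PAGE;
}

// Strategy 2 (scaryjim's lookup): the request value is only ever used as an
// array key, so there is nothing to sanitise.
function resolveByMap(array $get): string
{
    if (!isset($get['page']) || !is_string($get['page'])) {
        return HOME_PAGE;
    }
    return PAGE_MAP[$get['page']] ?? HOME_PAGE;
}

// Stand-in for file_exists() so the demo runs without the files present.
$exists = fn(string $path): bool => in_array($path, PAGE_MAP, true);

$probes = ['about', 'ABOUT', '../../secret', "about\0", 'about.php', ['x'], null];
foreach ($probes as $p) {
    $get = ($p === null) ? [] : ['page' => $p];
    printf("%-20s regex => %-16s map => %s\n",
        json_encode($p), resolveByRegex($get, $exists), resolveByMap($get));
}
```

Only the first probe resolves to the about page under either strategy; every other input, including the array and the missing parameter, lands on the home page without touching the filesystem with attacker-shaped data.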

  7. #7
    Large Member
    Join Date
    Apr 2004
    Posts
    3,720
    Thanks
    47
    Thanked
    99 times in 64 posts

    Re: php - quick safety check on a get input (reading a file)

    Look at mod_rewrite if it's available to you and you want to use a nice RESTful approach.
    To err is human. To really foul things up ... you need a computer.

  8. #8
    Editable... jimbouk's Avatar
    Join Date
    Aug 2005
    Location
    Bristol
    Posts
    2,811
    Thanks
    244
    Thanked
    238 times in 191 posts

    Re: php - quick safety check on a get input (reading a file)

    Oooo fancy, might have to look into that
