I have an easy navigation system built with links like this:

PHP Code:

<!-- navigation -->
<a href="?page=bio">bio</a>
 
<!-- content -->
<?php 
$page = @$HTTP_GET_VARS["page"];
switch ($page) {
case "bio": include("bio.php"); break;
case "photo": include("photo.php"); break;
case "contact": include("contact.php"); break;
// default switch //
default: include("empty.php");
}
?>

So the content can change by clicking the link.
Now I was asking myself... what if I have lots of links to add... like in a blog, with lots of links to add daily.
So than you always have to add a line in the case-structure too... double work?
Is there a solution for that problem?
An easy one?

Could you put that in tags? It makes the code more simple to read.

Yes there if, I believe the solution your looking for is:

PHP Code:

<?php
$page = $_GET['page'];
if($page == "config"){ // block bad pages
} else { // the page does not do anything bad. 
if(@include("$page")){ // if it can be included.
} else {
include("empty.php");
}
}

*adds talkupation ++*

Okay, so something like this would also work?

PHP Code:

<a href="?page=test">test</a>
 
 
<?php 
$page = $_GET['page']; 
if (empty($page)) { 
include ("empty.php"); 
} else { 
include("$page.php"); 
} 
?>

Because the config part looks not familiar for me. Also the @include. (i'm still learning php basics)

Do I have to add .php in this example above ?

That should work fine.

Though on a security note, it's very insecure to include exactly what the user says. For example if I felt evil and wanted to mess about with your page, I could change the URL query (?page=bit) to a root file, or something similar.

Oh, and putting '@' means it will check if the function runs, for example if I wanted to check if a file existed i would put

PHP Code:

if(@file_exists("config.php") == TRUE){ // if the file is found (with not errors if not found cause it's using the @)
// do some stuff to the file
} 


Also, thanks for the Talkupation!

And what do you have to type between
{ // do some stuff to the file }
to protect the system?<br><br>And what would it give when you surf to something like ?page=bit<br>It will give an error because that file doesn't exist?<br>And what do you have to put in config.php ? <br><br>I'm such a security n00b <br>

So my first example with cases is also unsecure?

I have to put this instead?

PHP Code:

 
<?php 
$page = $_GET['page']; 
if (@file_exists("config.php") == TRUE) { 
echo "Error!";
} ifelse (empty($page)) { 
include ("empty.php"); 
} else { 
include("$page.php"); 
} 
?> 
 
 
or
 
<?php 
$page = $_GET['page']; 
if (@file_exists("config.php") == TRUE) { 
echo "Error!";
} ifelse {
include("$page.php");
} else (empty($page)){
include ("empty.php");
}
?>

It still gives an error when i make it "page=bit" in the adress bar.

Firstly:

Quote:

Originally Posted by Bulevardi

PHP Code:

} ifelse (empty($page)) { 


Ifelse? Surely you mean elseif:

PHP Code:

} elseif (empty($page)) { 


Secondly, your second example (after the 'or') doesn't make logical sense as your ifelse [sic] doesn't contain anything.

My advice use option one, and correct it like so:

PHP Code:

<?php 
$page = $_GET['page']; 
if (@file_exists("config.php") == TRUE) { 
echo "Error!";
} elseif (empty($page)) { 
include ("empty.php"); 
} else { 
include("$page.php"); 
} 
?>

Actually, I would also consider not having a default setting; otherwise one could in theory get the page to load a spam page or something else malicious; just use a series of elseif()s to allow only a set range of pages, if it is possible and convienient, of course.

Quote:

Originally Posted by Foundationflash

Ifelse? Surely you mean elseif:

Yeah, I know, it was a mistake.

I tried the code you posted, but I always got the error "Error!" written on my screen.

I tried it with several ways, but always Parse Errors, T_IS_EQUAL, T_VARIABLE, expected and unexpected { and ('s, ...

Quote:

Originally Posted by Foundationflash

Actually, I would also consider not having a default setting; otherwise one could in theory get the page to load a spam page or something else malicious; just use a series of elseif()s to allow only a set range of pages, if it is possible and convienient, of course.

But if they change, they only get the change on their screen... they can 't change the pages on my server?
I can 't see how they can do something evil with it...


You mean I have to do it like this: with the elseif things:

PHP Code:

<?php 
                    if (isset($_GET['page'])) 
                    { 
                        if($_GET['page']=='home') 
                        { 
                            include('home.php'); 
                        } 
                        elseif($_GET['page']=='news') 
                        { 
                            include('news.php'); 
                        } 
                        elseif($_GET['page']=='links') 
                        { 
                            include('links.php'); 
                        } 
                    } 
                ?>

But than it's quite the same as the SWITCH trick in my first post.
Is it also unsecure with the SWITCH trick?

I think this is a case of misunderstanding.

Quote:

Originally Posted by Bulevardi

I tried the code you posted, but I always got the error "

Quote:

Originally Posted by Bulevardi

Error!" written on my screen.

The bit about @file_exists() was just an example I think, *rereads it*, yes, just strip that bit out, or it will always do that (if it does exist).

Quote:

But if they change, they only get the change on their screen... they can 't change the pages on my server?

True. But they can display other pages (on their site etc) and kind of cover it up by viewing through a legitimate site such as your own.

Quote:

Is it also unsecure [sic] with the SWITCH trick?

I don't think it is insecure. By the way, who said it was insecure? I would do it with a SWITCH myself.

For the code, here you go (one way of doing it). I don't use a SWITCH, but you could just as easily:

PHP Code:

 <?php 
$page = $_GET['page']; 
if (empty($page)) { 
include ("empty.php"); 
} elseif($page == "page1" || $page == "page2" || $page == "page3"){ 
include("$page.php"); 
} 
?>