|
 |
|
 |
02-08-2006, 06:10 AM
|
#1 (permalink)
|
|
Code Monkey
Join Date: Feb 2005
Posts: 64
|
Dynamic URLs
This $_GET stuff kinda confuses me. How do I translate variable value pairs into page destinations?
i.e. (..com/index.php?page=headlines) instead of (..com/news.html) in the address bar.
Alot of bboards utilize this, how is it done?  |
|
|
|
02-08-2006, 07:42 AM
|
#2 (permalink)
|
|
Java fanboy
Join Date: Aug 2003
Posts: 1,161
|
What happens is index.php acts as a controller (you might want to look up the Model-View-Controller design pattern). When a request comes in, the controller looks at the current state of the application, the session and the request, and then redirects the response accordingly. While I'm not sure what best-practices are in PHP regarding this, you can use the include() directive.
|
|
|
|
|
02-08-2006, 08:06 AM
|
#3 (permalink)
|
|
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,487
|
you mean like our thread urls in the forums here too?
we use mod rewrite. basically code in a .htaccess file that uses regular expressions to look for a pattern in the url and rewrite the request in the background. |
|
|
|
|
02-08-2006, 05:23 PM
|
#4 (permalink)
|
|
Senior Contributor
Join Date: Mar 2005
Posts: 673
|
|
|
|
|
|
02-09-2006, 01:30 AM
|
#5 (permalink)
|
|
Code Monkey
Join Date: Feb 2005
Posts: 64
|
As always, thanks for the replies. I think mod rewrite is exactly what I'm looking for.
I brought this up on another board I frequent and I was given suggestions using if/else or switch() with the $_GET superglobal to generate dynamic links that carry over to the next page. I couldn't follow the examples given because they were a little vague and I didn't see how the URL is supposed to remain dynamic once the new page was loaded, *shrugs* but I'm curious.. how does the above mentioned create the same effect as mod rewrite?
|
|
|
|
|
02-09-2006, 06:47 AM
|
#6 (permalink)
|
|
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,487
|
i'm not sure i understand the question. the above method is mod rewrite.
|
|
|
|
|
02-09-2006, 12:48 PM
|
#7 (permalink)
|
|
Newbie
Join Date: Jun 2002
Location: Denmark
Posts: 1,710
|
He wants to know how to make a dynamic page pressence, achieved due to a parsed $_GET argument, which resembles what you can achieve with mod-rewrite, only by having a "dynamic" page which has a switch() or if/else way of matching up against the parsed $_GET variabel.
Something like:
PHP Code:
<?php
$_url = $_GET['page'];
if($_url == "main")
include("main.php");
elseif ($_url == "contact")
include("contact.php");
else
include("default.php");
?>
Which can be rewritten to a more "dynamic presentation" with a few hoops.
PHP Code:
<?php
$_url = $_GET['page'];
if( is_file($_url . ".php") )
include ($_url . ".php");
else
include ("default.php");
?>
|
|
|
|
02-09-2006, 02:32 PM
|
#8 (permalink)
|
|
Senior Contributor
Join Date: Mar 2005
Posts: 673
|
Quote:
|
Originally Posted by redhead
Which can be rewritten to a more "dynamic presentation" with a few hoops.
PHP Code:
<?php
$_url = $_GET['page'];
if( is_file($_url . ".php") )
include ($_url . ".php");
else
include ("default.php");
?>
|
DON'T USE THIS OUT OF THE BOX!
Always validate input data. This means for all $_GET, $_POST, $_COOKIE and $_REQUEST.
For example i could exploit the above script by using:
index.php?page=/usr/etc/passwd%00
This would run as: include("/usr/etc/passwd%00.php");
Issue here is that %00 is NULL aka \0 and a string in C always end a \0.
So in this case it opens '/usr/etc/passwd' and the '.php' is not processed. |
|
|
|
|
02-09-2006, 06:21 PM
|
#9 (permalink)
|
|
Code Monkey
Join Date: Feb 2005
Posts: 64
|
For whatever reason, I couldn't understand this two days ago. It's clear now.
You guys rock.
|
|
|
|
|
02-09-2006, 09:01 PM
|
#10 (permalink)
|
|
Jack of all trades
Join Date: Feb 2005
Location: Los Angeles
Posts: 598
|
DJMaze, while I respect your quest for secure sites, and share your belief that all inputs should be validated, your specific example above is not true.
__________________
Stop intellectual property from infringing on me
|
|
|
|
|
02-09-2006, 10:41 PM
|
#11 (permalink)
|
|
Code Monkey
Join Date: Feb 2005
Posts: 64
|
Why would you need to sanitize all URLs? I know you're never supposed to trust the client when it comes to field input, but is it that easy to access sensitive info on a shared host that you have to give URLs similar treatment to form data?
I really like the second method redhead provided btw, I wouldn't need to write up a page long switch() that way. ^.^
EDIT:
For anyone new that's lurking this topic and is interested, try this. (The value from the $_GET array is retrieved once you click the link).
Place this in a file like index.php
PHP Code:
<?php
/* Authentication can go here, but you would have to move
the following php to a new destination page since any failed check
would prevent index.php from showing anything */
switch($_GET['img']){
case "alarm":
header('Content-type: image/gif');
readfile('alarm.gif');
}
?>
<a href="http://localhost/test/index.php?img=alarm">Go</a>
Once clicked, you'll get http://localhost/test/index.php?img=alarm showing in the address bar and actually leading to something *yay*, the "Go" link removed via the header, the orignal filename is now the page name on save, and no direct image path displays when you check the source of the gif. (Not that all of this is necessary with all the hotlink protection around, it's just fun to do  ).
Last edited by morpheuz; 02-10-2006 at 12:25 AM.
|
|
|
|
|
02-09-2006, 11:14 PM
|
#12 (permalink)
|
|
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,487
|
i never understood the purpose of this method. either way you need a 'main.php' and 'contact.php' or whatever your site is going to have, .. so why not just call them normally instead of in the query string?
|
|
|
|
|
02-10-2006, 09:01 AM
|
#13 (permalink)
|
|
Newbie
Join Date: Jun 2002
Location: Denmark
Posts: 1,710
|
Quote:
|
Originally Posted by DJMaze
index.php?page=/usr/etc/passwd%00
This would run as: include("/usr/etc/passwd%00.php");
Issue here is that %00 is NULL aka \0 and a string in C always end a \0.
So in this case it opens '/usr/etc/passwd' and the '.php' is not processed.
|
This would require either read access to /etc/passwd by apache/whatever deamon, or fscked up permission flags on /etc/passwd
Usualy you would only allow read access to the directory which your domain is hosted in, thus avoiding inclusion from below web-root |
|
|
|
|
02-10-2006, 07:57 PM
|
#14 (permalink)
|
|
Senior Contributor
Join Date: Mar 2005
Posts: 673
|
It was just an example, i never said you could access that file.
Hack /usr/etc/passwd should not exist anyway.
I just showed the potential damage non-sanatized input could do.
If you want a real fully exploitable example i could give you one, but that would bring this whole topic out of context.
The guy asked how to easily load files and redhead gave the example. I just commented on that about the potential security risk involved.
A switch statement does prevent security risks but would ask a lot more coding then redhead's example.
PHP Code:
<?php
if ( isset($_GET['page']) ) {
if (preg_match('#^[a-z]+$#', $_GET['page']) && is_file($_GET['page'] . '.php') ) {
include ($_GET['page'] . ".php");
} else {
// incorrect page name
header('Location: http://example.com/');
}
} else {
include ("default.php");
}
?>
|
|
|
|
| Thread Tools |
|
|
| Display Modes |
 Linear Mode
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -8. The time now is 07:11 AM.
|
Copyright © 2000-2008, Milano Interactive
Web Hosting provided by Portal 360 Web Hosting
|
|
|
