Hello,

I want to control access in a PHP website.

I have a solution right now with switch case.

<?php
  $obj = $_GET['obj'];
  switch ($obj) {
    case 'a':
      include ('a.php');
      break;

    default:
      include ('f.php');
  }
?>

But when I have so many pages, it becomes difficult to manage them. Do you have better solutions?

Right now, I develop the application using PHP4, and I want to use PHP5. Do you have any suggestions for when I develop it using PHP5?

Thanks

A: 

I am not saying that this is the best solution, but years ago I used to have a website which used a database to manage the key, the page to be included, and some information like additional CSS, for instance.

So the code was something like:

<?php

  $page = htmlspecialchars($_GET['page']);
  $stuffs = $db->query('select include,css from pages where pageid = "' . $page . '" LIMIT 1');

?>

So when we needed to add a page, we just created a new row in the database. That let us close a part of the website too: we could have an "available = {0,1}" field, and if zero, display a static page saying that this page was under maintenance.

Aif
what htmlspecialchars does here?
Col. Shrapnel
I forgot ENT_QUOTES, which escapes the ' and " and other special chars. It avoids risks of SQL injection (no ') and of XSS if I print $page.
Aif
htmlspecialchars has nothing to do with SQL. It is **html** specialchars, not sqlspecialchars. The proper function is mysql_real_escape_string().
Col. Shrapnel
I know that. But ENT_QUOTES turns ' into ' so...? Moreover, be it only for the XSS stuff, I do ALWAYS escape the user input. I don't see the matter. Is that why I got -1?
Aif
Not only the quote character must be escaped, and not only user input should be properly prepared for the query.
Col. Shrapnel
`htmlspecial` chars doesn't stop SQL injection.
Lotus Notes
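The database-driven approach from this answer, written the way the comment thread asks for: the page key is bound as a query parameter instead of being concatenated into the SQL, and htmlspecialchars is kept for its actual job, escaping the value when it is printed into HTML. This is an added example, not the answerer's code. The table and column names (pages, pageid, include, css, available), the file paths and the in-memory SQLite database are assumptions chosen so the script runs offline on PHP 5.1 or later with pdo_sqlite.

```php
<?php
// Added example (not from the original answer): the "pages table" lookup
// done with a PDO prepared statement. Table layout and file paths are assumed.

// An in-memory SQLite database stands in for the real one so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (pageid TEXT PRIMARY KEY, include TEXT, css TEXT, available INTEGER)');
$seed = $db->prepare('INSERT INTO pages VALUES (?, ?, ?, ?)');
$seed->execute(array('home',  'pages/home.php',  'home.css',  1));
$seed->execute(array('about', 'pages/about.php', 'about.css', 1));
$seed->execute(array('shop',  'pages/shop.php',  'shop.css',  0)); // closed for maintenance

/**
 * Look up which file to include for a page key.
 * Returns array('include' => ..., 'css' => ...) or null when the key is unknown.
 * A row with available = 0 is mapped to the maintenance page instead.
 */
function resolve_page(PDO $db, $key, $maintenance = 'pages/maintenance.php')
{
    // The key is bound as a parameter: quotes or other characters inside it
    // never change the SQL text, so no escaping function is needed here.
    $stmt = $db->prepare('SELECT include, css, available FROM pages WHERE pageid = :id LIMIT 1');
    $stmt->execute(array(':id' => $key));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return null;                       // unknown key: caller falls back to the default page
    }
    if ((int) $row['available'] !== 1) {
        return array('include' => $maintenance, 'css' => $row['css']);
    }
    return array('include' => $row['include'], 'css' => $row['css']);
}

// Constructed sample inputs standing in for $_GET['page'].
// The last one contains a quote, which is harmless to the query above.
$samples = array('home', 'shop', 'nope', "o'reilly");
foreach ($samples as $key) {
    $page = resolve_page($db, $key);
    // htmlspecialchars belongs here, at HTML output time, not in the query.
    printf("%-10s => %s\n",
        htmlspecialchars($key, ENT_QUOTES, 'UTF-8'),
        $page === null ? 'default (f.php)' : $page['include']);
}
```

In the real script the controller would do `$page = resolve_page($db, isset($_GET['page']) ? $_GET['page'] : '');` and include `$page['include']` (or f.php when null), so the included path always comes from the database row and never from the request.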
+2  A: 
$obj = $_GET['obj']; 

$validArray = array('a','b','c','d','e');

if (in_array($obj,$validArray)) {
   include ($obj.'.php'); 
} else {
   include ('f.php');
} 
Mark Baker
It's better than using switch. Thanks!
garcon1986
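A variation on this answer's allowlist, added here as an example and not Mark Baker's code: the valid keys become a key => file map, so the URL key and the file name are decoupled and adding or renaming a page means editing one array. The path names and the function name page_for are assumptions.

```php
<?php
// Added example (not from the original answer): the allowlist as a map from
// request key to file path. File paths and the helper name are assumed.
$pages = array(
    'a'       => 'pages/a.php',
    'b'       => 'pages/b.php',
    'contact' => 'pages/contact.php',
);
$default = 'pages/f.php';

/**
 * Map a request key to a file path from the allowlist.
 * Anything that is not a string, or is not a known key, gets the default page,
 * so the include path is always one of the literals above.
 */
function page_for($key, array $pages, $default)
{
    // PHP turns obj[]=a into an array; array_key_exists() wants a scalar key,
    // so reject non-strings before the lookup.
    if (!is_string($key) || !array_key_exists($key, $pages)) {
        return $default;
    }
    return $pages[$key];
}

// Constructed inputs standing in for $_GET['obj'].
$inputs = array('a', 'contact', 'zzz', 'a.php', array('x'));
foreach ($inputs as $input) {
    $label = is_array($input) ? '(array)' : $input;
    printf("%-10s -> %s\n", $label, page_for($input, $pages, $default));
}

// In the real script:
// include page_for(isset($_GET['obj']) ? $_GET['obj'] : null, $pages, $default);
```

Because the key only selects an entry from the array, the request can never name a file directly; "a.php" as a key falls through to the default just like any other unknown string.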
A: 

Why not just address a page itself?

<a href="a.php">first page</a>
<a href="f.php">another page</a>
Col. Shrapnel
In this way, the users can see all the files as they type them in the URL.
garcon1986
@garcon1986 what's wrong with it?
Col. Shrapnel
@garcon1986: And what is the difference with having `/index.php?obj=a`, `/index.php?obj=b`, etc.? I can type that too.
Felix Kling
Yes, users can type anything in the URL. But code like this, <a href="f.php">another page</a>, is not easy to manage.
garcon1986
If there are so many links, it would be terrible.
garcon1986
@garcon1986 No, there wouldn't be so many links. Only a few. Say you have a single script news.php and all news pages are shown by this single script. How many sections would your site have?
Col. Shrapnel
+1  A: 

The more pages you have the harder it will be to control this.

You're best off using a framework of some sort; my personal preference is CodeIgniter.

fire
CodeIgniter will be a good solution?
garcon1986
Yes indeed, it's very easy to use and has loads of libraries that help you write code much quicker.
fire