views:

285

answers:

4

For a school project I have to produce a website using PHP that allows users to generate their own articles or comment on news or other articles. I was wondering how it is best to use the GET function to show the content in an include file, and also use the GET function for other include files such as the login page and other content the developer (me) has added to the website not as articles but as links etc. Anyone got any suggestions or good tutorials they could post up?

Cheers

CHL

+1  A: 

Wheel has been invented, tested, rolled for a million miles: WordPress

Rex M
We were all thinking it...
cole
So I'm the only one with the balls to point out that it's ridiculous to burn time on problems that have already been solved
Rex M
+1 .. but sometimes it can be 'fun' or at least a good learning experience. Though if it were for a client I was getting paid to do, I'd leave it to WordPress.
alex
@alex agreed. Asker starts question with "I have to produce". Secret sauce of success: use someone else's work for the foundation and spend your time on the unique puzzles. Then knock off early and get a beer.
Rex M
@rex agree on the beer!
alex
It's all well and good saying that, isn't it, but if you have to produce one for a project (academic work) you need to produce the hard version, not use a pre-built application. I wouldn't be asking otherwise!
Cool Hand Luke UK
@Cool I updated your question appropriately.
Rex M
-1. He asks for help for a school project where he should use PHP. Pointing at WordPress doesn't really tell him how to use GET and PHP.
Jonas
+1  A: 

You'll definitely want to sanitize anything that comes in through the GET parameter before including a file. You normally do this by checking for valid characters, and since it is directly calling a file from the file system I usually manually enter the valid navigation actions. This isn't the most elegant solution but often the easiest and safest for a small application.

I usually use case switches for this, but I've seen people use fancy regular expressions as well.

Something along the lines of:

if (isset($_GET['nav'])) {
    // Only the names listed as cases can ever reach the include below,
    // so $_GET['nav'] is never used unchecked in a path.
    switch ($_GET['nav']) {
        case 'login':
        case 'logout':
        case 'article':
            include($_GET['nav'] . '.php');
            break;
        default:
            die('Invalid nav parameter');
            break;
    }
}
Andy Baird
+1  A: 

This is what I use...

function safeIncludeFile($path)
{
    // Match only a to z, 0 to 9, the minus and underscore characters, case insensitive.
    // The ^ and $ anchors are essential: without them preg_match() would accept any
    // string that merely *contains* one such character, e.g. "../../etc/passwd".
    // Adjust the character class to accommodate your file naming scheme.
    $regex = '/^[a-z0-9\-_]+$/i';

    return preg_match($regex, $path) === 1;
}

And then do something like this

if (isset($_GET['page']) && safeIncludeFile($_GET['page'])) {
   require PATH_TO_INCLUDES . $_GET['page'] . '.inc.php';

}
alex
A: 

You could also have an array that acts as a whitelist

$allowedIncludes = array('home', 'about', 'news');

and then check if the requested page is in there

// Strict comparison (third argument true) so only exact string matches pass;
// the isset() check avoids a notice when the parameter is absent.
if (isset($_GET['page']) && in_array($_GET['page'], $allowedIncludes, true)) {
    include $_GET['page'] . '.php';
} else {
    die('Forbidden!');
}

Thus, you don't have to add a "case" to your switch every time you add something.

middus
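Pulling the three answers above together (switch whitelist, anchored pattern, array whitelist), here is an added example that is not from any of the posters: a slug-to-file map so the URL value never becomes part of a path, plus a realpath containment check as a second layer. The function name `resolvePage`, the page map and the temporary includes directory are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Map a requested page slug to a file inside $includeDir, or return null.
 * Only the mapped filename, never the raw slug, is used to build the path.
 */
function resolvePage(?string $slug, array $pages, string $includeDir): ?string
{
    // 1. Whitelist: a missing parameter or an unknown slug is rejected outright.
    if ($slug === null || !array_key_exists($slug, $pages)) {
        return null;
    }

    // 2. Anchored pattern on the mapped filename. Note the ^ and $: an
    //    unanchored pattern would accept "../../etc/passwd" because it
    //    merely contains allowed characters such as "etc".
    $file = $pages[$slug];
    if (preg_match('/^[a-z0-9_-]+\.php$/i', $file) !== 1) {
        return null;
    }

    // 3. Containment: the resolved real path must still live under $includeDir.
    $base = realpath($includeDir);
    $real = realpath($includeDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demonstration: a temporary includes directory holding one page.
$dir = sys_get_temp_dir() . '/inc_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/login.php', "<?php echo 'login page';\n");

// The slug (URL value) is the key; the filename on disk is the value.
$pages = ['login' => 'login.php', 'article' => 'article.php'];

// Cases: a whitelisted slug with an existing file, a traversal attempt,
// a whitelisted slug whose file does not exist, and a missing parameter.
foreach (['login', '../../etc/passwd', 'article', null] as $slug) {
    $result = resolvePage($slug, $pages, $dir);
    printf("%-20s => %s\n", var_export($slug, true), $result ?? 'rejected');
}

// How the router would be used from a real request (CLI: $_GET is empty).
if (($page = resolvePage($_GET['page'] ?? null, $pages, $dir)) !== null) {
    require $page;
}
```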