
Page.php?page=


shifty1

What is the code I need to put on a template page so that it will pull content pages (just basically pages with only text on them) and throw them in the template page? So I can just have one template and easily add content pages.

The URL would look something like www.domain.com/page.php?page=1

I see this all over the place; I just can't get the example code. I'm no PHP whiz.
 
0
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
Check zymic.com and click php tutorials. I saw one the other day.

Thanks.
 
0
•••
I wrote this years ago, so sorry if it sounds a little strange. I was much younger then ;)

Firstly, we must create a new file called 'index.php'. This will be the main page which has the whole website's layout and main coding in it. Next, you need to create all the content pages. Place these in the same directory as your index page. Now open 'index.php' and find the place where you want all the content in your site to be displayed, then add this code there:
PHP:
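<?php
$id = isset($_GET["id"]) ? $_GET["id"] : "";   // text after 'id=' in the URL ("" if absent)
if($id == "" || !file_exists("/path/to/your/site/$id.php")) { $id = "home"; }   // fall back to the homepage
include ("/path/to/your/site/$id.php");   // display the chosen page
?>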
The first line of the code simply gets the text after 'id=' in the navigation bar of the web browser and then stores that text in the variable '$id'. For example, if someone entered 'index.php?id=home' then the first line of code would set the variable '$id' to 'home'.
The next line of code checks to see if something was actually entered after 'id='. If it was not, then '$id' is set to home. This means that if nothing was entered after 'id=' then the user will automatically go to your homepage. It also checks to see if the page entered after 'id=' actually exists. Again, if it does not exist then the user will be redirected to your homepage. This is to make sure that no errors occur or your site doesn't display a page that isn't there.
The third and final line of code just displays the file. Of course, you have to change '/path/to/your/site/' to the actual path to your website otherwise an error will be displayed. You can change '$id' to anything you like, such as '$page' like we have here, or '$act'. Just remember to change every instance of '$id'.
Note: Your links must have the name of the page you want to display. For example, if you have a file called 'home.php' then your link must be 'index.php?id=home' otherwise the page will not show up.
 
0
•••
hairyfreak said:
I wrote this years ago, so sorry if it sounds a little strange. I was much younger then ;)

I wouldn't use this code, it runs no security checks and could leave you open to malicious attack. Visit zymic.com as suggested beforehand.
 
0
•••
StackedTech said:
http://zymic.com/view_tutorial.php?id=96

There's the direct link to that tutorial I saw on zymic.

Thanks.
thanks

But looking at that, it seems that I'd have to add a new page to the main one each time I want to add a content page. I cannot just drop a basic page into a folder and have it linked with the template around it.

A lot more work...
 
0
•••
If you don't know PHP, you should search the net for a simple free CMS. This way you will not have to worry much about programming and you can have a site up and running in a few hours.
 
0
•••
Code:
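<?php
// Read ?id= from the URL; empty string when it is missing
$id = isset($_GET['id']) ? $_GET['id'] : '';
switch ($id) {
    case '1':
        echo "This is content for id 1";
        break;   // break (not return) so the rest of the template still renders
    case '2':
        echo "This is content for id 2";
        break;
    default:
        echo "You have specified an invalid page.";
        break;
}
?>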
 
0
•••
If you choose a method make sure you can't do things like page.php?page=.htaccess :P -that would be bad.
 
0
•••
Flaresolutions said:
I wouldn't use this code, it runs no security checks and could leave you open to malicious attack. Visit zymic.com as suggested beforehand.
It checks that the file is actually in their home directory (or whichever directory they place the content in). If it does not exist, they are simply redirected to the home or default one. How does that leave you open to malicious attacks?
 
0
•••
Yea, I definitely would like to avoid security holes in my website, but how much of a danger is it to use the code I supplied rather than the method on zymic.com?

Edit:

Well I finally got it working, thanks everyone. Just curious how safe this code is:

Code:
<?php
	// Read ?pages= from the URL ($_GET replaces the removed $HTTP_GET_VARS array)
	$pages = isset($_GET['pages']) ? $_GET['pages'] : '';
	switch ($pages) {
	// Default - case (anything not listed below)
	default:
	include 'pages/main.php';
	break;

	// test - case
	case 'test':
	include 'pages/test.php';
	break;

	// test3 - case
	case 'test3':
	include 'pages/test3.php';
	break;

	// shit - case
	case 'shit':
	include 'pages/shit.php';
	break;

	}
	?>

It's not exactly what I wanted, as I'd have to edit the page.php page every time I add a new content page, but as long as I avoid being attacked it's all good.
 
0
•••
A few problems exist with the above (albeit, nice of the posters to try and help :tu: ):

CreedFeed said:
Code:
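<?php
// Read ?id= from the URL; empty string when it is missing
$id = isset($_GET['id']) ? $_GET['id'] : '';
switch ($id) {
    case '1':
        echo "This is content for id 1";
        break;   // break (not return) so the rest of the template still renders
    case '2':
        echo "This is content for id 2";
        break;
    default:
        echo "You have specified an invalid page.";
        break;
}
?>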
Every time this page is accessed, all of it has to be processed by PHP on the server. This could become a very long page indeed and the server-load will kill you :o

Zymic's solution is screwy at best, because it is divided into two parts that contradict each other's variables, and the first would error anyway. The first part contains, for example:

switch ($HTTP_GET_VARS[id]) {
//Default - case
default:
include "news/news.php";
break;

//Fonts - case
case 'resources=fonts':
include 'resources/fonts.php';
break;
...............................................>>>


How can you check for "id=resources=fonts"? At least without encoding the URL, you can't :gl:

The second problem here, and this applies to all of these solutions: Every time you add a new page, you have to go alter the index.php page to check for the variable. Double work, plus makes for more code your server has to process every time index.php is loaded.

The best of the solutions given so far, is that of hairyfreak ( :kickass: ). It allows you to add additional pages later, without ever having to alter the index.php again B-) However, for the sake of security, I am going to upgrade hairyfreak's solution a notch (no offense hairyfreak ;) ):

------------------------------------
In index.php:
PHP:
<?php
define("CodeWord", "VerySecretPassword");   // constant that each included page checks for
$id = isset($_GET["id"]) ? $_GET["id"] : "";
if($id == "" || !file_exists("/path/to/your/site/SECRETFOLDER/$id.php")) { $id = "home"; }
include ("/path/to/your/site/SECRETFOLDER/$id.php");
?>
In each new page, add this:
PHP:
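<?php
// Only render when index.php has defined the constant with the expected value
if (defined("CodeWord") && CodeWord == "VerySecretPassword") {
    // ..............content goes here..............
}else{
    die("You can not access this page directly!");
}
?>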

The above solves two security issues.

#1) Assume your index.php is located at /path/to/your/site/index.php , then by putting all of your "called" pages in some obscurely named secret folder (in my example: /path/to/your/site/SECRETFOLDER/... ), you keep folks from just being able to access them directly by looking at the variable. Say you had http://site.com/?index.php=home , they could just try and see if http://site.com/home.php itself existed. This can be bad, if you don't want your pages called without being inside your index.php page. For some uses, this can even be dangerous. By having them in a secret folder, you complicate the issue for them trying to access the pages directly.

#2) Basically, secures pages from being called by themselves (whether you use a hidden folder or not). It is that "define" function, and the part you add to each page. This tells your index.php to make a constant named "CodeWord", and give it the value of "VerySecretPassword" (be creative and make a hard to guess value). Once the called-pages are called, they check to verify that in fact "CodeWord" exists, and that it has the correct value. If not, no-see-this-page-for-you-buddy :laugh: . If the called pages are accessed without being called from index.php, they get same message, because the "CodeWord" constant is not properly defined :laugh:

Another, and even more secure tip: Put the called pages under your root-directory. That way, calling them via URL directly in browser doesn't work anyway.

Hence, with combining these, you have: 1) Hidden the pages, preventing them from being accessed directly. 2) Further enhanced #1, by making them non-functioning, even if they have the direct URL for them. 3) Saved yourself from having to add to or change the index.php page every time you add new pages. 4) Made it, as hairyfreak so nicely did it, so that if the called page doesn't exist, they get shown a default "home.php" instead.

Hope this didn't confuse the issue, and that it helps :blink: Now, for some true PHP guru like SecondVersion to come and show me the error of my ways :lol:
 
0
•••
Awesome post above! Very well done. But from what I can gather, this just secures/prevents people from looking at "page1" without using the page.php?id= format. Does it actually do anything to prevent other malicious attacks or holes like:


example.com/page.php?id=/home/someotheruser/public_html/index

or maybe

index.php?page=/etc/passwd

I really am not sure what all the security issues with using a simple php function like this are, but I'd rather be safe than sorry.
 
0
•••
hairyfreak said:
It checks that the file is actually in their home directory (or whichever directory they place the content in). If it does not exist, they are simply redirected to the home or default one. How does that leave you open to malicious attacks?
As posted by other users, it will be possible to access all files in the directory; people could still get access to files that exist but that you would not like to share.
 
0
•••
Using secret folders, that only are for your "included" files, and having those folders under the web-root directory (ie: where they would not directly be web-accessible themselves):

Such as in cPanel default configurations, where /home/username/public_html/ is the web-root, place the files in /home/username/SecretBlackHole/ , for example.

Unless they knew each individual include's file name, they would have no way of pulling them up. And, if the files "permissions" (at minimum, the secret folder) are set at the minimum required for your own PHP scripts to read them (look-up "file permissions" for your particular type server or hosting OS), then those outside your domain's folder (ie: others on shared server) couldn't peek.

And, no, example.com/page.php?id=/home/someotheruser/public_html/index would not work in this example (the code given above), since that translates to:

include("/home/someotheruser/public_html/index/home/someotheruser/public_html/index.php");

<< This would error :tri: NEVER, use the full path as your URL variable. Hide this in the code itself, as in the example I gave. I assume you are trying that, because you have seen URLs where folks do this. Not smart. However, you could do something similar (keep includes categorized into different folders, so they are more organized), still use this scheme, yet never reveal their true location. For that use the following structure, for example (still let's say web-root is /home/username/html_public/ ):

Public files:
/home/SecretBlackHole/Public/ ---- Accessible as example.php?id=Public/index

Member files:
/home/SecretBlackHole/MemZone/ (I did say be creative with names...hard to guess :yell: ). Would be accessed as example.php?id=MemZone/index

Admin files:
/home/SecretBlackHole/TheBoss/ ---- Accessible as example.php?id=TheBoss/index , example.php?id=TheBoss/page2 , etc.

To see what folders existed, they would have to have access below web-root, or would have to have seen the URL posted somewhere containing the variable to a valid one. I didn't say this was 100% secure. But, using the example.php?id=xxxx formation to pull pages is in itself asking for issues, because you expose things in a URL. I just gave you a way to still do what you wanted, yet make it more secure. You didn't ask for a replacement of the method altogether :hehe:

To answer FanCube's last post, always put an includable index.php in any folder accessed by this method (depending on server-OS config, how Apache is set-up, and PHP settings that are set by server admin, this could lead to a directory listing of all files there, if you don't have a default index page). This done, they'd have to know the file names, beforehand, or see a URL posted to a valid example.php?id=SecretBlah/SubFolderBlah/page .... to even know where to look. In addition, if that "define()" and the proper check for it appears in each file (as in my example above), then, even if they found the URLs and accessed them directly (ie: you didn't do as told and put them somewhere directly web accessible), they would still get that "die()" error telling them the page can not be viewed directly :alien:

You want more secure? Drop the whole idea of using one page to include all :imho:
 
0
•••
maximum said:
To answer FanCube's last post, always put an includable index.php in any folder accessed by this method (depending on server-OS config, how Apache is set-up, and PHP settings that are set by server admin, this could lead to a directory listing of all files there, if you don't have a default index page)
Or .htaccess:
Code:
Options -Indexes
maximum said:
You want more secure? Drop the whole idea of using one page to include all
:bingo:

I've read over the thread, and will read over it again - before I give any further opinions on the matter ;)
 
0
•••
maximum said:
You want more secure? Drop the whole idea of using one page to include all

IMO as long as you ensure you have security measures in place with regards to including files, this is a great way to handle your website. I do this on most of my sites (I have developed my own method of handling this, it's a bit more in-depth than the examples described here).
 
0
•••
Simple and secure.

Code:
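<?php
    // Set the pages you want to be allowed as an include, excluding the ".php" extension.
    $pages = array("home","page","about");

    // Read ?p= from the URL; empty string when it is missing
    $p = isset($_GET["p"]) ? $_GET["p"] : "";
    // Include the page only when the request exactly matches an allowed name
    if(in_array($p, $pages, true)) {
        include($p . ".php");
    }
?>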

Include, and use page.php?p=home, for example.
 
0
•••
So many different ways, and I've got a few of them working (some I don't even understand) but still no definitive answer :)

Most of the ones that I gather are secure are the ones in which I have to add each page name to the index.php page before it will work. I just want something that'll pull the content pages from a folder...
 
0
•••
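One way to get the drop-a-file-into-a-folder behaviour the last post asks for while rejecting the request values raised earlier in the thread (`.htaccess`, `/etc/passwd`, another user's path). This is an added example, not code from any poster; `resolve_page()`, the temporary demo folder and its file names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. resolve_page() and the demo
// folder below are hypothetical names used only for illustration.

/** Map a ?page= value to a .php file inside $baseDir, or return null. */
function resolve_page($requested, $baseDir)
{
    // 1. Accept only plain names, optionally one sub-folder deep ("home",
    //    "Public/index"). Dots, leading slashes and anything else outside
    //    the listed characters fail here, so ".htaccess" and "/etc/passwd"
    //    are rejected before the filesystem is touched.
    if (!is_string($requested) ||
        !preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)?$#D', $requested)) {
        return null;
    }

    // 2. Resolve symlinks, then confirm the file really sits under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;                      // folder or page does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                      // resolved outside the content folder
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: a temporary content folder and the request values quoted
// in the thread. In page.php the value would come from $_GET['page'].
$dir = sys_get_temp_dir() . '/content_demo_' . getmypid();
@mkdir($dir . '/Public', 0700, true);
file_put_contents($dir . '/home.php', 'home page text');
file_put_contents($dir . '/Public/index.php', 'public index text');

$samples = array('home', 'Public/index', '.htaccess', '/etc/passwd',
                 '/home/someotheruser/public_html/index', 'nosuchpage');
foreach ($samples as $id) {
    $file = resolve_page($id, $dir);
    if ($file === null) {
        $file = resolve_page('home', $dir);   // fall back to the default page
        echo str_pad($id, 40), "rejected, serving ", basename($file), "\n";
    } else {
        echo str_pad($id, 40), "include ", $file, "\n";
    }
}
```

In a real template the loop is replaced by a single call on the request value followed by `include` of the returned path, with the content folder kept outside the web root as suggested earlier in the thread.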