icon Get the most out of Surmunity, read our tips here! Need an interesting blog to read? You've got to read the Surpass Blog! | Welcome! Please register to access all of our features.

» Surpass Web Hosting Forums » Discussions » PHP, MySQL » Dynamic Includes pt 2

PHP, MySQL General PHP questions. Or go to our PHPsuexec Forum >>

Reply
Page 2 of 2 < 1 2
 
LinkBack Thread Tools Search this Thread Rate Thread
Old August 12th, 2004, 2:00 PM   #10 (permalink)
SurPerson
On a golden path...
 
TJ09's Avatar
 
Joined in Jul 2004
Lives in front of my laptop
Hosted on Sync
437 posts
Gave thanks: 0
Thanked 1 Time in 1 Post
For subfolders, you could use
Code:
<?php 

$x = $_GET['x']; 
$f = $_GET['folder'];
$i = 2
while($_GET['folder'.$i]) {$f = $f."/".$_GET['folder'.$1]}
$ext = ".php"; 
$dir = "includes/"; 

if($f != "" && eregi("^[_a-z0-9-]", $f)) { 
    $f = $dir . $f . "/"; 
} else { 
    $f = $dir; 
} 

if(eregi("^[_a-z0-9-]", $x)) { 
    if(file_exists($f . $x . $ext)) { 
        include($f . $x . $ext); 
    } else { 
        include($dir . "notfound" . $ext); 
    } 
} elseif(!$x) { 
    include($dir . "main" . $ext); 
} else { 
    include($dir . "error" . $ext); 
} 

?>
I added a while that checks for folder# and if not, it stops.
__________________
Me: TeeJay
Server: Sync (Statistics)
 Site: technoized.com (Statistics)

 chown -R us ./base
TJ09 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old August 13th, 2004, 4:14 AM   #11 (permalink)
L'Awesome Advocate
Super #1
 
Ancyru's Avatar
 
Joined in May 2004
Lives in .au
Hosted on Mango
2,423 posts
Gave thanks: 1
Thanked 5 times
I don't get it =S
__________________
When I get sad, I stop being sad, and be AWESOME instead. True story.
Ancyru is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old August 13th, 2004, 4:44 AM   #12 (permalink)
Peaches!
Excelling Contributor
 
Joined in Jul 2003
Lives in Ottawa, Ontario, Canada
Hosted on Jose, Pass19
564 posts
Gave thanks: 0
Thanked 0 times
Code:
while($_GET['folder'.$i]) {$f = $f."/".$_GET['folder'.$1]}
That would get the folders for every folder# in your URL. There's a few bugs in it though, so lemme fix it up a bit.
PHP Code:
<?php 

$x $_GET['x']; 
$f $_GET['folder']."/";
$i 2;

# This is the multiple folders part
while( isset($_GET['folder'.$i]) ) {
    $f .= $_GET['folder'.$i]."/";
    $i++;
}

$ext ".php"
$dir "includes/"

if($f != "" && eregi("^[_a-z0-9-]"$f)) { 
    $f $dir $f
} else { 
    $f $dir


if(eregi("^[_a-z0-9-]"$x)) { 
    if(file_exists($f $x $ext)) { 
        include($f $x $ext); 
    } else { 
        include($dir "notfound" $ext); 
    } 
} elseif(!$x) { 
    include($dir "main" $ext); 
} else { 
    include($dir "error" $ext); 


?>
That should work for you.
__________________
alex.honeywell [ seigousei.net - pass19, binuweb.com - jose ]
AlexH is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old August 13th, 2004, 4:56 AM   #13 (permalink)
Registered User
Seasoned Poster
 
Joined in Jul 2004
31 posts
Gave thanks: 0
Thanked 0 times
In case you consider the url myscript.php?folder1=boo&folder2=yah&x=mypage to be unwieldy ...

You can also modify the regular expression to accept forward slashes in the folder except for at the beginning (to ensure the script only runs includes in directories under $dir). This allows you to use a url of the form myscript.php?folder=boo/yah&x=mypage.

See code below:

PHP Code:
<?php

$x $_GET['x'];
$f $_GET['folder'];
$ext ".php";
$dir "includes/";

if($f != "" && eregi("^[a-z0-9]+[a-z0-9\/]*"$f)) {
    $f $dir $f "/";
} else {
    $f $dir;
}

if(eregi("^[_a-z0-9-]"$x)) {
    if(file_exists($f $x $ext)) {
        include($f $x $ext);
    } else {
        include($dir "notfound" $ext);
    }
} elseif(!$x) {
    include($dir "main" $ext);
} else {
    include($dir "error" $ext);
}

?>
-wolf
Wolfy is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old August 13th, 2004, 5:05 AM   #14 (permalink)
L'Awesome Advocate
Super #1
 
Ancyru's Avatar
 
Joined in May 2004
Lives in .au
Hosted on Mango
2,423 posts
Gave thanks: 1
Thanked 5 times
Actually Wolfy, fyi. My previous script does allow forward slashes in the address.
__________________
When I get sad, I stop being sad, and be AWESOME instead. True story.
Ancyru is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old August 13th, 2004, 1:41 PM   #15 (permalink)
Third Plateau
Comfy Contributor
 
Dave's Avatar
 
Joined in Apr 2004
Lives in East Hanover, New Jersey
Hosted on Nifty
272 posts
Gave thanks: 0
Thanked 0 times
Actually, you don't even need all of that checking with regexps. You just need to get rid of ".." from the string, since that's the only security issue.

If you're already stuck in includes/, and ".." is erased, hackers can't get out of it no matter how many slashes are used.
__________________
site (syberdave.net) - server (nifty)
Dave is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Reply
Page 2 of 2 < 1 2

« random popup asking for password | PHP Code Help »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On