Post #7, 12-01-2005, 19:41
HFWang (AKA DarkWulf), Registered User, Team Role: Webmaster
Re: Dynamic Linking with PHP

Warning! Above code is insecure!

Lets an attacker execute arbitrary code available on the server. (For example, what happens when someone uses id=../../../other_user/comproming_script ? I don't know either. That should make you nervous. Another interesting idea would be calling id=../something.php. Watch as PHP enters a recursive loop including the same file over, and over, and over until something dies.)

Always, always, always, and oh yah, always, check data. BTW, you don't need to use the Location:index.php?id=Main bit either. Just...
PHP Code:
if (empty($_GET['id']))
    $_GET['id'] = 'Main';
or... if you feel really frisky...
PHP Code:
$_GET['id'] = empty($_GET['id']) ? 'Main' : $_GET['id'];
Another nitpick is that this isn't dynamic linking. It's basically just including. At which point you're better off just using .htaccess (or the appropriate platform-specific replacement) and setting the auto_prepend_file/auto_append_file php settings. You're organizing the files along the way the filesystem is internally, so you may as well just stick the header/footer around the actual file.

(IE: why put all your content in include/news.php and then load it when you receive requests for http://foo.com/news.php when you can just go to http://foo.com/news.php?)

I have been doing this for a while, and really like the system. Soo.... some "sample code". I store all my content as xml (because I can, I guess.) A sample content file looks like:
Code:
<page>
    <title>Page Title</title>
    <content>This is the page content</content>
</page>
My htaccess looks like:
Code:
php_value auto_prepend_file header.php
php_value auto_append_file footer.php

<FilesMatch "^[^\.]+$">
	SetHandler application/x-httpd-php
</FilesMatch>
(For those with weak regex-fu, it basically just has all files without extensions execute as PHP. I just think it's cool to hide extensions. I'm weird like that.)

The header file basically just includes library classes and starts output buffering. PHP then dumps the file to the output buffer (trivia: ob_start(), echoing stuff, then ob_get_contents() and ob_end_clean() is the fastest way to concat strings in PHP. Faster than an array and implode(), faster than 'something'.'something'. It's magic.), and I pick up the output in footer.php and start processing. (IE: replace templating code with the actual HTML I want. Executing behaviors like posting comments, etc.)

Now that I've rambled this long, I'll go away.
__________________
rawr

Last edited by HFWang : 12-01-2005 at 19:56. Reason: whoa, had an idea.
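Added example, not HFWang's code and not the site this post describes: the `?id=...` include pattern the post warns about, hardened so the request value is only ever an allowlist key and the resolved file must sit inside the content directory, followed by the header/footer output-buffer flow with the `<page>` XML format from the post. The `./include/<id>.xml` layout, the function names and the allowlist contents are my assumptions; the recursion guard addresses the "include the same file over and over until something dies" case.

```php
<?php
// Added example (not HFWang's code): the ?id=... include pattern the post
// warns about, hardened with an allowlist and a path check, followed by the
// header/footer output-buffer flow with the <page> XML format from the post.
// Assumed layout (mine, not the post's): content files are ./include/<id>.xml.
declare(strict_types=1);

// Pages the router may serve. The request value is only a lookup key here;
// it is never spliced into a path, so id=../../../other_user/x never resolves.
const PAGES = ['Main', 'news', 'about'];

/** Map the raw ?id= value to an absolute content path, or null if refused. */
function resolvePage(?string $id, string $contentDir): ?string
{
    if ($id === null || $id === '') {
        $id = 'Main';                      // same default as the post, no redirect needed
    }
    if (!in_array($id, PAGES, true)) {
        return null;
    }
    $base = realpath($contentDir);
    $path = realpath($contentDir . '/' . $id . '.xml');
    // Belt and braces: even an allowlisted name must resolve inside $contentDir
    // (a missing, symlinked or renamed content file is refused, not guessed at).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * header.php and footer.php in one function: buffer the content file's output,
 * parse it as <page> XML and wrap it in the site template. A static stack
 * refuses to render a file that is already being rendered, which is the
 * self-include loop the post describes for id=../something.php.
 */
function renderPage(string $path): string
{
    static $stack = [];
    if (in_array($path, $stack, true)) {
        throw new RuntimeException("recursive include of $path");
    }
    $stack[] = $path;
    try {
        ob_start();                        // header.php starts buffering
        include $path;                     // PHP dumps the content file into the buffer
        $raw = ob_get_clean();             // footer.php picks it up here
    } finally {
        array_pop($stack);
    }
    return wrapTemplate(parsePageXml($raw));
}

/** Parse <page><title/><content/></page>. LIBXML_NONET and no LIBXML_NOENT:
 *  a hostile content file cannot pull in external entities or other files. */
function parsePageXml(string $xml): array
{
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    if ($doc === false || !isset($doc->title, $doc->content)) {
        throw new RuntimeException('malformed page file');
    }
    return ['title' => (string) $doc->title, 'content' => (string) $doc->content];
}

/** The "templating" step from the post, reduced to a fixed skeleton. The title
 *  is escaped; content is the author's own markup and is emitted as written. */
function wrapTemplate(array $page): string
{
    $title = htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8');
    return "<html><head><title>$title</title></head>\n"
         . "<body>{$page['content']}</body></html>\n";
}

// Stand-alone demo with a constructed content file (not a real site).
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/Main.xml",
        "<page><title>Page Title &amp; more</title>"
        . "<content>This is the page content</content></page>");
    // 'news' is allowlisted but has no file, so it is refused rather than
    // falling through to an include of whatever realpath() might find.
    foreach (['', 'Main', '../../../etc/passwd', '../something.php', 'news'] as $id) {
        $path = resolvePage($id === '' ? null : $id, $dir);
        echo str_pad('id=' . var_export($id, true), 28),
             $path === null ? "REJECTED\n" : '-> ' . renderPage($path);
    }
}
```

Run with `php example.php`; only `''` and `'Main'` render, the two traversal strings and the unknown page are rejected before any file is touched. The allowlist is what actually closes the hole; the `realpath` prefix check and the recursion stack are there for the cases the post names where a trusted-looking name still points somewhere surprising.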