
How not to include a php file

Guest
Jan 26, 2011

Hi there,

I have the following file called football.php. When you view it, it pulls the football text and football navigation stuff from the dec folder and displays it on the page.

<?php
if (isset($_REQUEST['suppliers']))
{
    $companies = array(
        "addidas",
        "nike",
        "head",
        "converse",
        "puma",
        "reebok",
    );

    if (in_array($_REQUEST['suppliers'], $companies))
    {
        include "dec/suppliers/".$_REQUEST['suppliers'].".php";
    }
}
?>

<?php include "dec/football-text.php";?>

<?php include "dec/football-navigation.php";?>

An example of the football navigation.php from above looks like this:

<td><a href="<?php echo $URLPREFIX;?>/feature-football.html?&suppliers=nike"><img src="images/football2010/images/Nike.jpg" alt="Nike"></a></td>
<td><a href="<?php echo $URLPREFIX;?>/feature-football.html?&suppliers=reebok"><img src="images/football2010/images/Reebok.jpg" alt="Reebok"></a></td>
<td><a href="<?php echo $URLPREFIX;?>/feature-football.html?&suppliers=puma"><img src="images/football2010/images/Puma.jpg" alt="Puma"></a></td>

So to talk you through the process....
So when you are on football.php, when a person clicks on one of the hyperlinks (football-navigation.php) it pulls a football page (from the suppliers folder) and includes this content on the page.  So now you end up with THREE things on the page:  The text, the navigation, AND the football page stuff.
So what I am trying to achieve is when someone clicks on one of the football navigation links, only the football page (eg Nike) and football navigation is visible!  Therefore I do not want to include the football-text.php.
So I was wondering if someone could help me with this?
Regards
volterony22
LEGEND ,
Jan 28, 2011

Your description doesn't make sense, because the links in the navigation point the browser to feature-football.html, not football.php.

Guest
Jan 28, 2011

Hi David,

Sorry, I should point out that feature-football.php does exist.

This file is a module called "football" that sits in a specific folder called "feature".  For example:

if ($_REQUEST['module']=="football")
{
    $fullbody.=file_get_contents($THEMEFOLDER."/football.php");
}

The html extension is done to improve the url structure for SEO purposes.

I have found a solution to this problem.  Hopefully I have also addressed the security issues with the includes?

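<?php
// Note: when 'suppliers' is absent from the request, nothing below is included.
if (isset($_REQUEST['suppliers']))
{
    // Allowlist of supplier pages that may be included
    $companies = array(
        "addidas",
        "nike",
        "head",
        "converse",
        "puma",
        "reebok");

    if (in_array($_REQUEST['suppliers'], $companies))
    {
        include "dec/suppliers/".$_REQUEST['suppliers'].".php";

        // Unreachable: this block only runs when the in_array() check above passed
        if (!in_array($_REQUEST['suppliers'], $companies))
        {
            echo "Sorry your request could not be found in the list of suppliers";
        }
        else
        {
            include "dec/football-navigation.php";
        }
    }
    else
    {
        // Value not in the allowlist: show the default text and navigation
        include "dec/football-text.php";
        include "dec/football-navigation.php";
    }
}
?>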
Kind regards
volterony22
LEGEND ,
Jan 29, 2011

volterony22 wrote:

The html extension is done to improve the url structure for SEO purposes.

That's a myth. There's nothing magical about using an .html extension.

Hopefully I have also addressed the security issues with the includes?

Looks OK to me, although using $_REQUEST is considered to be less secure than using $_GET or $_POST explicitly.

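A hardened variant of the include logic discussed in this thread, added here as an example and not code from either poster: it reads only the query string (as the last reply suggests, in place of $_REQUEST), uses the request value solely as a key into an allowlist so it is never concatenated into a path, and falls back to the text page when the parameter is missing or not allowlisted. The helper name football_includes and the fallback behaviour are assumptions; the sample queries are constructed.

```php
<?php
declare(strict_types=1);

// Allowlist: request value => file on disk. The request value is only ever
// used as an array key, never concatenated into an include path.
const SUPPLIER_PAGES = [
    'addidas'  => 'dec/suppliers/addidas.php',
    'nike'     => 'dec/suppliers/nike.php',
    'head'     => 'dec/suppliers/head.php',
    'converse' => 'dec/suppliers/converse.php',
    'puma'     => 'dec/suppliers/puma.php',
    'reebok'   => 'dec/suppliers/reebok.php',
];

/**
 * Hypothetical helper: returns the files football.php should include, in order.
 */
function football_includes(array $query): array
{
    $supplier = $query['suppliers'] ?? null;

    // Reject array input (?suppliers[]=x) and anything not in the allowlist.
    if (is_string($supplier) && array_key_exists($supplier, SUPPLIER_PAGES)) {
        return [SUPPLIER_PAGES[$supplier], 'dec/football-navigation.php'];
    }

    // Parameter missing or not allowlisted: default text page plus navigation.
    return ['dec/football-text.php', 'dec/football-navigation.php'];
}

// In football.php (assumed usage):
//   foreach (football_includes($_GET) as $file) { include $file; }

// Constructed sample queries, showing which files each request resolves to.
$samples = [
    [],
    ['suppliers' => 'nike'],
    ['suppliers' => '../../config'],
    ['suppliers' => ['nike']],
];
foreach ($samples as $query) {
    echo json_encode($query), ' => ', implode(', ', football_includes($query)), PHP_EOL;
}
```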