How not to include a php file

Report · Jan 26, 2011

Hi there,

I have the following file call football.php. When you view it, it pulls the football text and football navigation stuff from the dec folder and displays it on the page.

<?php

if(isset($_REQUEST['suppliers']))

{

$companies=array(

"addidas",

"nike",

"head",

"converse",

"puma",

"reebok",

);

if(in_array($_REQUEST['suppliers'],$companies))

{

include "dec/suppliers/".$_REQUEST['suppliers'].".php";

}

?>

<?php include "dec/football-text.php";?>

<?php include "dec/football-navigation.php";?>

An example of the football navigation.php from above looks like this:

<td><a href="<?php echo $URLPREFIX;?>/feature-football.html?&suppliers=nike"><img src="images/football2010/images/Nike.jpg" alt="Nike"></td>

<td><a href="<?php echo $URLPREFIX;?>/feature-football.html?&suppliers=reebok"><img src="images/football2010/images/Reebok.jpg" alt="Reebok"></td>

<td><a href="<?php echo $URLPREFIX;?>/feature-football.html?&suppliers=puma"><img src="images/football2010/images/Puma.jpg" alt="Puma"></td>

So to talk you through the process....

So when you are on football.php, when a person clicks on one of the hyperlinks (football-navigation.php) it pulls a football page (from the suppliers folder) and includes this content on the page. So now you end up with THREE things on the page: The text, the navigation, AND the football page stuff.

So what I am trying to achieve is when someone clicks on one of the football navigation links, only the football page (eg Nike) and football navigation is visible! Therefore I do not want to include the football-text.php.

So I was wondering if someone could help me with this?

Regards

volterony22

Report · Jan 28, 2011

Your description doesn't make sense, because the links in the navigation points the browser to feature-football.html, not football.php.

Report · Jan 28, 2011

Hi David,

Sorry, I should point out that feature-football.php does exist.

This file is a module called "football" that sits in a specific folder called "feature". For example:

If ($_REQUEST['module']=="football")

{

$fullbody.=file_get_contents($THEMEFOLDER."/football.php");

}

The html extension is done to improve the url structure for SEO purposes.

I have found a solution to this problem. Hopefully I have also addressed the security issues with the includes?

<?php  
if(isset($_REQUEST['suppliers']))  
{  
    $companies = array(  
        "addidas",  
        "nike",  
        "head",  
        "converse",  
        "puma",  
        "reebok");  
      
    if(in_array($_REQUEST['suppliers'], $companies))  
    {  
        include "dec/suppliers/".$_REQUEST['suppliers'].".php";  
    
            if(!in_array($_REQUEST['suppliers'],$companies)) 
                 
            { 
                echo "Sorry your request could not be found in the list of suppliers"; 
            } 
             
        else 
            { 
                include "dec/football-navigation.php"; 
            } 
     } 
         
     else 
    { 
        include "dec/football-text.php"; 
        include "dec/football-navigation.php"; 
    } 
} 
     
?>

Kind regards

volterony22

Report · Jan 29, 2011

volterony22 wrote:
The html extension is done to improve the url structure for SEO purposes.

That's a myth. There's nothing magical about using an .html extension.

Hopefully I have also addressed the security issues with the includes?

Looks OK to me, although using $_REQUEST is considered to be less secure than using $_GET or $_POST explicitly.