> -----Original Message-----
> From: Jennifer Goodie [mailto:[EMAIL PROTECTED]
> Sent: 31 July 2003 22:42
>
> > if (isset($page)) {
> >     include $$_GET['page'];
> > } else {
> >     $page = $home;
> >     include $page;
> > }
> >
> > would that be right?
> > or should i use
> >
> > if (isset($page)) {
> >     include $$_GET['page'];
> > } else {
> >     include $home;
> > }
> >
> > hopefully that's right. if so, pretty good for a n00b
> >
>
> I don't think I'd let someone pass any page they wanted via a get and just
> include that page.
>
> If you have URL fopen wrappers on I can create a page on my server and
> include it to your page and pretty much execute any code I want on your
> server.
>
> example:
>
> http://www.yourdomain.com?yourscript.php?page=http://mydomain.com/myscript.php

Take a closer look -- that's a double $$ in front of _GET['page'], not a single one -- that means he must have a variable defined with the name of whatever you put as the value of page=, and I think he's very unlikely to have a $http://mydomain.com/myscript.php...!!

But, you're right, there should be some error checking for invalid page values, just in case someone (or something!) should try this -- something like (not tested!):

    if (isset($_GET['page'])) {
        if (isset($$_GET['page']))
            include $$_GET['page'];
        else
            include('no_such_page.inc');
    } else {
        include $home;
    }

And, as a final BTW, I'd do this with an array:

    $pages = array('fred'=>'fred.php',
                   'barney'=>'barney.php',
                   'rubble'=>'quarry/mr_rubble.inc');

    ------

    if (isset($_GET['page'])) {
        if (isset($pages[$_GET['page']]))
            include $pages[$_GET['page']];
        else
            include('no_such_page.inc');
    } else {
        include $home;
    }

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211

--
PHP General Mailing List (http://www.php.net/)
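
The array lookup from the reply above, written as a function and run over sample requests. This is an added example, not code from the thread; `resolve_page()`, the constant names and the `home.inc` value standing in for `$home` are assumptions, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Allowlist: public page name => file to include (names taken from the thread).
const PAGES = [
    'fred'   => 'fred.php',
    'barney' => 'barney.php',
    'rubble' => 'quarry/mr_rubble.inc',
];
const HOME_PAGE = 'home.inc';          // assumed value of $home
const NOT_FOUND = 'no_such_page.inc';

/**
 * Map the query string to a file path. The request value is only ever
 * used as an array key, so it never reaches include as a path or URL.
 */
function resolve_page(array $query): string
{
    if (!array_key_exists('page', $query)) {
        return HOME_PAGE;
    }
    $name = $query['page'];
    // ?page[]=x arrives as an array; reject anything that is not a string
    // before it is used as a key.
    if (!is_string($name) || !array_key_exists($name, PAGES)) {
        return NOT_FOUND;
    }
    return PAGES[$name];
}

// Constructed sample requests, including the URL value quoted in the thread.
$samples = [
    [],
    ['page' => 'rubble'],
    ['page' => 'wilma'],
    ['page' => 'http://mydomain.com/myscript.php'],
    ['page' => ['fred']],
];
foreach ($samples as $query) {
    printf("%-50s => %s\n",
        json_encode($query, JSON_UNESCAPED_SLASHES),
        resolve_page($query));
}

// In the page script itself: include resolve_page($_GET);
```

Only the `rubble` request resolves to a listed file; the unknown name, the URL and the array value all resolve to `no_such_page.inc`, and the empty request resolves to the home page.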