PHP script works one one server, not another

[SuperSquirel]

I've been using the a line of PHP i was given a year or 2 ago for the new site i'm creating, it is supposed to automatically include an html page that i specify in the url (ie. index.php?page=news), however its not working on my main webhost.
here is the line of code:

<? if (isSet($page)) { $file="$page.html" ; if (file_exists("$file")) { include("$file"); } else { include('./404.html'); } } else { include("main.html"); } ?>

the problem is that main.html is included every time even when i specify another page to be included. however when i uploaded the exact same index.php, a test page and main.html to my old webhost it worked perfectly.
The puzzling thing is my current website uses phpnuke and i have a custom module which uses the same line of code and that works fine.

does anyone know if somethin in the code could be causing problems or if it could perhaps be a server configuration?

 

[mussavcom]

All server configurations differ, so there could be several problems.

Your server may not allow you to use $page until you GET it from the URL for security reasons.
Try:

if (isset($_GET['page']))

instead of
if (isset($page))

 

[brendandonhu]

Recent versions of PHP have superglobals turned off for security reasons. The code you posted would probably work like this

<?
if (isset($_GET['page']))
{
  $file= $_GET['page'] . '.html';
  if (file_exists($file))
 {
    include($file);
  }
else
{
  include('./404.html');
 } 
} 
else 
{
  include('main.html');
} 
?>

However that code is very insecure. Any user could access any file on your website. You should create an array of pages they are allowed to access, and let the script load those pages.

 

[SuperSquirel]

that works, thank you

 

[brendandonhu]

Just remember, a script like that will give anyone access to any file on your site.
This is quite a bit more secure. Just put all the files the user is allowed to view in a directory called "files"

<? 
if (isset($_GET['page'])) 
{ 
  $file= str_replace('.','',$_GET['page']) . '.html'; 
  if (file_exists($file)) 
 { 
    include('/files/' . $file); 
  } 
else 
{ 
  include('./404.html'); 
 }  
}  
else  
{ 
  include('/files/main.html'); 
}

 

[mussavcom]

brendandonhu -- what if somebody had "../file.html" as the file? I know when you enter URLS into an address bar, site.com/folder/../file.html is the same as site.com/file.html. Would that happen on PHP to? If so, any file on the site could still be accessed.

 

[brendandonhu]

Yes they could, I just edited the script to fix that.

 

[SuperSquirel]

thats quite a useful security fix for the script, thanks. i had some admin pages on the site that were protected by cpanels directory protection, i never realised they could still be included without need of password.

 

[brendandonhu]

No prob
It generally wouldn't allow access to protected pages, but theres still a possibility.