PHP script works one one server, not another

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

SuperSquirel

Thread Starter
Joined
Apr 18, 2004
Messages
15
I've been using the a line of PHP i was given a year or 2 ago for the new site i'm creating, it is supposed to automatically include an html page that i specify in the url (ie. index.php?page=news), however its not working on my main webhost.
here is the line of code:

<? if (isSet($page)) { $file="$page.html" ; if (file_exists("$file")) { include("$file"); } else { include('./404.html'); } } else { include("main.html"); } ?>

the problem is that main.html is included every time even when i specify another page to be included. however when i uploaded the exact same index.php, a test page and main.html to my old webhost it worked perfectly.
The puzzling thing is my current website uses phpnuke and i have a custom module which uses the same line of code and that works fine.

does anyone know if somethin in the code could be causing problems or if it could perhaps be a server configuration?
 
Joined
Mar 28, 2004
Messages
51
All server configurations differ, so there could be several problems.

Your server may not allow you to use $page until you GET it from the URL for security reasons.
Try:

if (isset($_GET['page']))

instead of
if (isset($page))
 
Joined
Jul 8, 2002
Messages
14,681
Recent versions of PHP have superglobals turned off for security reasons. The code you posted would probably work like this
PHP:
<?
if (isset($_GET['page']))
{
  $file= $_GET['page'] . '.html';
  if (file_exists($file))
 {
    include($file);
  }
else
{
  include('./404.html');
 } 
} 
else 
{
  include('main.html');
} 
?>
However that code is very insecure. Any user could access any file on your website. You should create an array of pages they are allowed to access, and let the script load those pages.
 
Joined
Jul 8, 2002
Messages
14,681
Just remember, a script like that will give anyone access to any file on your site.
This is quite a bit more secure. Just put all the files the user is allowed to view in a directory called "files"
PHP:
<? 
if (isset($_GET['page'])) 
{ 
  $file= str_replace('.','',$_GET['page']) . '.html'; 
  if (file_exists($file)) 
 { 
    include('/files/' . $file); 
  } 
else 
{ 
  include('./404.html'); 
 }  
}  
else  
{ 
  include('/files/main.html'); 
}
 
Joined
Mar 28, 2004
Messages
51
brendandonhu -- what if somebody had "../file.html" as the file? I know when you enter URLS into an address bar, site.com/folder/../file.html is the same as site.com/file.html. Would that happen on PHP to? If so, any file on the site could still be accessed.
 

SuperSquirel

Thread Starter
Joined
Apr 18, 2004
Messages
15
thats quite a useful security fix for the script, thanks. i had some admin pages on the site that were protected by cpanels directory protection, i never realised they could still be included without need of password.
 
Joined
Jul 8, 2002
Messages
14,681
No prob :)
It generally wouldn't allow access to protected pages, but theres still a possibility.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top