PHP variable problem

software development

#1

I was thinking about cleaning up my website and using PHP in the next build so I could make the site a little more dynamic, however I ran into a problem with this code:

<?php
if ($page == 'home') { include("includes/home.php"); }
elseif ($page == 'news') { include("includes/news.php"); }
elseif ($page == 'community') { include("includes/community.php"); }
elseif ($page == 'resources') { include("includes/resources.php"); }
elseif ($page == 'store') { include("includes/store.php"); }
elseif ($page == 'tos') { include("includes/tos.php"); }
elseif ($page == 'error') { include("includes/error.php"); }
else { echo "General error.  You probably followed a bad link."; }
?>

When I get my site name in http://www.site.com/index.php?home
this comes up with my error "General error. You probably followed a bad link."

However if I use

[code]
<?php if ($page == NULL) { include("includes/intro.php"); } ?>
[/code]

and then the script, everything works just as it should

I’m not sure what the problem is here. Any help would be greatly appreciated

Thank you,
Taylor


#2

I’m still pretty new to the whole PHP game, but I think the error you’re getting is in regards to the variable being passed.

Try using http://www.site.com/index.php?page=home as the link over. This will pass the $page variable as home and should bring up the include file desired.

================================
I’d give my right arm to be ambidextrous!


#3

Ramses is quite correct about how to pass the variable in a querystring; however, for maximum portability, may I recommend altering the script to make use of the special GET environment variable? Many PHP installs (including the installation of PHP5 at DreamHost) disable the automatic creation of local variables from form data. This alteration to the script will solve that problem, as well as making it easier to debug:

<?php
switch ($_GET['page']) {
    case "home":
        include("includes/home.php");
        break;
    case "news":
        include("includes/news.php");
        break;
    case "community":
        include("includes/community.php");
        break;
    case "resources":
        include("includes/resources.php");
        break;
    case "store":
        include("includes/store.php");
        break;
    case "tos":
        include("includes/tos.php");
        break;
    case "error":
        include("includes/error.php");
        break;
    default:
        echo "General error. You probably followed a bad link.";
}
?>

---------------
Simon Jessey
Keystone Websites | si-blog


#4

Ah! thank you, scjessey. And I do like your method better of using the case event as well. I often wondered if there was another method other than the IF statement.

And I now see where the problem is. I noticed you used $_GET, so I took a look around and found that register_globals is shut off by default; otherwise my script should have worked.

Thanks again, to both of you.

Taylor


#5

Simon is one of the PHP wizzes around here… If you’ve got a PHP problem, he can take care of it (in my past experiences anyway :) )

================================
I’d give my right arm to be ambidextrous!


#6

Thank you, Ramses. That is very kind of you to say so; however, my knowledge of PHP could best be described as “intermediate level”, I think. I know just enough to do what I want to do. I’ve never been able to understand or use OOP either, which most serious programmers swear by.


Simon Jessey
Keystone Websites | si-blog


#7

> I’ve never been able to understand or use OOP either, which most serious programmers swear by.

I’m in the process of wrapping my head around OOP currently. The main thing standing in my way of really understanding the concepts previously was the fact that I was trying to do it in PHP, in which OO support was tacked on as an afterthought at best. I’m finding it much easier to learn about it in the context of Java or Ruby, which are true OO languages. I’m still very much in the early stages but I already see the benefits.

I heard Rasmus Lerdorf, the creator of PHP, speak a few years back and he mentioned better OOP support in PHP 5 which “people seem to want for some reason”.


If you want useful replies, ask smart questions.


#8

First of all, let me apologize to the original poster for hijacking the thread - I believe the original question has been answered satisfactorily.

I first started coding in 1981, and the language-of-the-moment was BASIC (complete with line numbers). I gave it up after just a couple of years, but when I returned to it about 4 years ago, it took me a little while to get used to things like functions; nevertheless, the top-down procedural way of doing things was easy to grasp.

Object Oriented Programming is completely different. The comforting structure I have been used to seems to vanish, with much of the nitty gritty being hidden in obscure classes. I imagine that this is the way to go for larger projects, where code re-use is absolutely essential; however, for the server-side web development work I do, I think I can probably survive without it.

My wife, a JSP programmer, disagrees with me. She says I’m old fashioned in this regard (which is amusing to me, since she’s 18 years my senior!) and I need to get into OOP as soon as possible.

I suppose one day, all cars will come with joysticks instead of steering wheels. Sigh.


Simon Jessey
Keystone Websites | si-blog


#9

Wow, thanks Simon, I feel all nice and young now :) I won’t mention how old I was in 1981 :)

I’ve just picked up ‘programming’ as a hobby. I first started coding HTML in High School @ age 16 and I guess I kinda went from there. We did a little bit of Q-basic that year too, but HTML was always my first interest.
Sports ‘got in the way’ for a bit and my programming interests kinda fell by the wayside.
I’m now working in the internet business and have taken a serious interest in PHP. I’m teaching myself PHP (and SQL), with the help of Larry Ullman (writes some great books) in the hopes that I’ll be able to pursue a small business in developing some online apps for small businesses in the town here.

Only time will tell I guess. :)

================================
I’d give my right arm to be ambidextrous!


#10

The best way to grasp the concept of OO is through Java.
The way I learned it was using a ready-made framework, which was a TCP chatting connection from one IP to another, and I used it to make a chatting program. It was pretty simple since all the commands were given in the framework. That enabled me to learn how it was used and how easy it is to edit!
Object Oriented is the true way of programming. Reusability, flexibility and security are handled very nicely.

Like, why bother making a login script in PHP all the time? Just import the login class and you’re all set! Make a login framework and that’s all. Same thing for many areas, like a CMS system.

To grasp OO is pretty difficult but once you start you will improve :)


#11

> Object Oriented is the true way of programming.

What about functional programming languages…


#12

Hey Taylor.

Simon’s solution is certainly suitable, however it seems needlessly complex. Might I suggest doing the following:

<?php $page = $_GET["page"]; include ("includes/$page.php"); ?>

PHP does interpret variables inside of strings delimited by double quotes, and I use this approach on all of my work without a hitch.

If you are concerned about people deliberately trying to enter invalid values for the page variable, you could simply define an array of valid pages and check it. You might also want a default page value in case someone just goes to your TLD:

<?php
$defaultPage = "home";
$validPages = array("home", "news", "community", "resources", "store", "tos", "error");
$page = (isset($_GET["page"]) ? $_GET["page"] : $defaultPage);
if (!in_array($page, $validPages)) $page = "errorPage";
include "includes/$page.php";
?>

Then all you have to do is create errorPage.php to show some sort of error indicating that the user has entered an unrecognized value for the $page variable. Again we’ve eliminated the if statements (which are somewhat slow, and in this case unnecessary).

In the end it’s your decision how to implement it, and both of these approaches are satisfactory, but I just wanted to provide another alternative (probably since I’m partial to my own solution!). Hope that helps a bit.


#13

I wouldn’t have called it complex, although I’ll admit it was exceptionally verbose. I left it that way to make it look as transparent as possible.


Simon Jessey
Keystone Websites | si-blog


#14

Hey Simon,

Thanks for the reply! Just to be clear – I didn’t mean any offense to you, and complex was probably not the best word to use. I guess I meant visually complex, i.e. verbose, as you said.


#15

None taken. In fact, I think your solution is very elegant.

Personally, I prefer to create separate folders for major pages, all called index.php. That way, it is easy for me to switch from using PHP to HTML or JSP etc, and the server-side language is hidden from view. I don’t like passing variables around in full view of everyone unless I can’t avoid it.


Simon Jessey
Keystone Websites | si-blog


#16

I haven’t fully read this whole thread, but I’d like to comment here…

I need to say that my knowledge of PHP syntax is very limited. It does look like a lot of other languages so I can mostly read the code fine, but most of my direct PHP knowledge is of the ‘behind the scenes’ variety. From what I know, the first example here is bad for security reasons. That sort of thing is responsible for many of the most common PHP script exploits we see. If a would-be attacker sticks UNIX commands into the ‘page’ variable PHP will execute them and allow access to the server. I don’t know why PHP will execute UNIX commands in a context like that as it seems to make it extremely open to security holes.

The second method of specifying the pages you expect to see is MUCH more secure.

Please correct me if I don’t know what I’m talking about!

  • Dallas
  • DreamHost Head Honcho/Founder

#17

Dallas,

It is a serious security risk if there is a way for an attacker to specify the contents of the file being included. For instance, if your servers were configured with allow_url_fopen and I was using this code:

<? $page = $_GET["page"]; include "$page.php"; ?>

Then an attacker could specify a web server under his control, write whatever PHP code he wants to run, and include it by simply encoding the URL.

I certainly wouldn’t recommend allowing any user of a website to dictate arbitrarily what code is run, and I probably should have made that more clear, but even with the first example on this particular host there are two lines of defense against that type of attack.

It’s quite possible that you know something I don’t, though. If so, I’m all ears!

Cheers!


#18

you could do extensive error handling…
preg_replace
is_numerical
etc.


#19

like instead of doing this:

<? $page = $_GET["page"]; include "$page.php"; ?>

you could do the following:

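<?
if (isset($_GET["page"])) {
    // Read the value from $_GET; $page is not set automatically when register_globals is off.
    $page = $_GET["page"];
    // is_numeric() is the PHP built-in; is_numerical() does not exist.
    if (is_numeric($page)) {
        include "$page.php";
    } else {
        echo "Page format is not a number , Please re-enter a valid numerical data";
    }
}
?>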

but of course for that script you have to check for max pages and compare it with that :) or you will have a wrong thing


#20

Right. But we were talking about including named files, not numbered files. Even still, though, there are lots of provisions you could take to prevent someone from being malicious. The one thing I think we can agree upon is that this code:

<? $page = $_GET["page"]; include "$page.php"; ?>

is insecure, because it allows too much control in the hands of an untrusted party.
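
The allowlist idea from post #12, applied to the include that posts #17 and #20 call insecure, as an added example that is not code from any poster in this thread. It assumes PHP 7 or later; `resolvePage`, the constant names and the sample requests are constructed for illustration.

```php
<?php
// Added example: allowlist-based page resolver for index.php?page=...
// The map keys are the only values a request can select; the include path
// is taken from the map, never built from the request string.
const PAGES = [
    'home'      => 'home.php',
    'news'      => 'news.php',
    'community' => 'community.php',
    'resources' => 'resources.php',
    'store'     => 'store.php',
    'tos'       => 'tos.php',
    'error'     => 'error.php',
];
const DEFAULT_PAGE = 'home';
const ERROR_PAGE   = 'error';

/**
 * Map the raw query array to a file under includes/.
 * resolvePage() is a hypothetical helper name, not from the thread.
 */
function resolvePage(array $query): string
{
    $key = $query['page'] ?? DEFAULT_PAGE;   // missing parameter -> default page
    // ?page[]=x arrives as an array; anything that is not a string is rejected.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        $key = ERROR_PAGE;
    }
    return __DIR__ . '/includes/' . PAGES[$key];
}

// Constructed sample requests (not real traffic), resolved without including anything.
$samples = [
    'no parameter'  => [],
    'valid page'    => ['page' => 'news'],
    'unknown page'  => ['page' => 'admin'],
    'remote URL'    => ['page' => 'http://example.invalid/code'],
    'path segments' => ['page' => '../includes/home'],
    'array value'   => ['page' => ['home']],
];
foreach ($samples as $label => $query) {
    printf("%-14s -> %s\n", $label, basename(resolvePage($query)));
}

// In index.php the call site would be:
//   include resolvePage($_GET);
```

Because the file name comes from the map rather than from the request, the result does not depend on server settings such as allow_url_fopen: every sample other than the first two resolves to error.php.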