
I usually use this code below to include the page that I need into the body of my website to include the page when clicking on a link.

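```php
<?php
// Pick the page to include based on the ?page= query parameter.
switch (isset($_GET['page']) ? $_GET['page'] : '') {
    case '1':
        if (file_exists('main.php')) {
            include_once('main.php');
            break;
        }
        // No break when the file is missing: falls through to default.

    default:
        include_once('main.php');
        break;
}
?>
```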

But then I have to change this every time I add a menu item by adding a case '2' ... etc. Now my question: can this be written shorter/dynamically, so that I can just add a link without having to change the piece of code everywhere?

PS: I did make it a little bit shorter, but it's still not good enough, I think.

I also want to add this: I get my links from an ini file. I place them in there like this:

```ini
[navigation]
main.php = "Home"
```

```php
if (!isset($_GET['page'])) {
    $_GET['page'] = 'main.php';
}
switch ($_GET['page']) {
    case 'main.php':
    case 'about.php':
    case 'portfolio.php':
    case 'tips.php':
        $file = $_GET['page'];
        break;
    default:
        $file = '404.html';
}
include_once $file;
```

Is it possible to get this from the ini file too?

Naftali
Reshad
  • Of course! Just use some db file or db server – Sergii Stotskyi Jul 17 '12 at 10:52
  • Hmm, I prefer creating my links from an ini file instead of the database, but how should it work with a db? – Reshad Jul 17 '12 at 10:54
  • You'll do well to sanitize the passed value, to be sure no one is forcing your script to include files they shouldn't. Something as simple as this `$_GET['page'] = str_replace( array('..', '/', '\\' ), '', $_GET['page'] );` will remove \,/,.. and prevent some nefarious person from traversing your file system. – Patrick Moore Jul 23 '12 at 16:42

1 Answer

Try this:

```php
$page = isset($_GET['page']) ? $_GET['page'] : "main.php";
if( file_exists($page)) include($page);
else include("404.html");
```
Niet the Dark Absol
  • I'll post here as well just to be sure it's read: You'll do well to sanitize the passed value, to be sure no one is forcing your script to include files they shouldn't. Something as simple as this `$page = str_replace( array('..', '/', '\\' ), '', $page );` will remove \,/,.. and prevent some nefarious person from traversing your file system. – Patrick Moore Jul 23 '12 at 16:43
  • Looks like LFI waiting to happen – blockhead Jul 23 '12 at 16:45
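
One way to take the list of allowed pages from the `[navigation]` section of the ini file, as the question asks, so that the request value is only ever looked up and never used as a path. This is an added example, not code from the question or the answer; the helper name `resolve_page`, the file name `navigation.ini` and the sample ini contents are assumptions built from the page names in the question.

```php
<?php
// Constructed sample of the [navigation] section described in the question.
// On the real site this would be parse_ini_file('navigation.ini', true);
// the file name is an assumption.
$ini = <<<'INI'
[navigation]
main.php = "Home"
about.php = "About"
portfolio.php = "Portfolio"
tips.php = "Tips"
INI;

/**
 * Return the file to include for a requested page (hypothetical helper).
 * Only keys of the [navigation] section are ever returned, so the request
 * value is used for lookup only and never as a path.
 */
function resolve_page($requested, array $navigation, $default = 'main.php', $notFound = '404.html')
{
    if ($requested === null || $requested === '') {
        return $default;
    }
    // Arrays (?page[]=x) and other non-strings are rejected outright.
    if (!is_string($requested)) {
        return $notFound;
    }
    // Strict comparison against the configured names; no path handling needed.
    foreach (array_keys($navigation) as $allowed) {
        if ((string) $allowed === $requested) {
            return (string) $allowed;
        }
    }
    return $notFound;
}

$config = parse_ini_string($ini, true);
$navigation = isset($config['navigation']) ? $config['navigation'] : array();

// Constructed request values: a listed page, no parameter, and unlisted names.
foreach (array('about.php', null, 'admin.php', '../main.php') as $request) {
    printf("%-16s => %s\n", var_export($request, true), resolve_page($request, $navigation));
}

// In the page template (the include target comes from the ini file, not the URL):
// include_once resolve_page(isset($_GET['page']) ? $_GET['page'] : null, $navigation);
```

Adding a menu item then means adding one line to the ini file; the same array can also render the navigation links, since each key maps to its label.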