0

I have a simple if statement that works on my local machine, but when I uploaded it to my paid site I got an error on my home page.

Error:

Warning: include(./pages/.php) [function.include]: failed to open stream: No such file or directory in /home/a5410474/public_html/index.php on line 33
Warning: include() [function.include]: Failed opening './pages/.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/a5410474/public_html/index.php on line 33

The Code:

<?php
    if (isset($_GET['p']) && $_GET['p'] != NULL || $_GET['p'] != '') {
        $p = mysql_real_escape_string($_GET['p']);
    }elseif ($_GET['p'] == '' || $_GET['p'] == NULL){
        $p = 'home';
    }
include("./pages/".$p.".php");
?>
1
  • You will want to filter the $p variable to make sure it doesn't include something like ../../../../usr/share/php/something. You probably only want letters. An even better approach is to keep an array of valid files that actually exist in ./pages and check the input value against it. Commented Aug 5, 2011 at 3:10

4 Answers 4

4

Instead of OR, you need AND here, also enclose the second half in parens.

if (isset($_GET['p']) && $_GET['p'] != NULL || $_GET['p'] != '') {

// should be
if (isset($_GET['p']) && ($_GET['p'] != NULL && $_GET['p'] != '')) {

You have no else case, and it's likely the value being passed into `$_GET['p']` meets neither condition.

It would be better to write it like this, using empty()

if (isset($_GET['p']) && !empty($_GET['p'])) {
  $p = mysql_real_escape_string($_GET['p']);
}
else $p = 'home';

1 Comment

You do not need to use both isset and empty, as empty calls isset itself.
3

A much less verbose way of writing this:

$p = empty($_GET['p']) ? 'home' : $_GET['p'];
include("./pages/{$p}.php");

Some other notes:

  1. You should not be using mysql_real_escape_string on a variable you're going to pass to include. That function is for preparing data for insertion into a SQL query.

  2. You should not include a file based on a variable passed through the query string, or from any kind of user input. Someone can use that to read system files on your server then take control of the whole computer.


1

You should be more aware of directory traversing, sanitize user input, and make sure the file is even there. (re: your errors):

<?php
if (isset($_GET['p'])) {
    $p = preg_replace('/[^a-zA-Z0-9_]/s', '', $_GET['p']);
} else {
    $p = 'home';
}
$path = "./pages/" . $p . ".php";

if (file_exists($path) === true) {
    include $path;
} else {
    include './pages/notfound.php';
}

2 Comments

I tried this and it threw off my layout somehow... didn't work.
In your pages, e.g. home.php, are you including raw HTML or PHP that echoes any HTML, or are you enclosing output within a variable?
-1

You can also try this:

<?php
    $p = 'home';
    if (!empty($_GET['p']))
        $p = $_GET['p'];       
    include("./pages/".$p.".php")
?>
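
The allowlist idea from the comment on the question, combined with the existence check from the answers, as an added example that is not part of the original thread: the page name is only ever used as a lookup key, so a value such as ../../../../usr/share/php/something never reaches include. The function names, the temporary demo directory and its three page files are assumptions constructed for the demo.

```php
<?php
// Added example, not code from the thread. allowed_pages() and resolve_page()
// are hypothetical helper names; the demo directory below is constructed.

// Build the allowlist from the files that actually exist in the pages directory.
function allowed_pages(string $dir): array
{
    $pages = [];
    foreach (glob($dir . '/*.php') ?: [] as $file) {
        $pages[basename($file, '.php')] = $file;   // 'home' => '/.../home.php'
    }
    return $pages;
}

// Map the raw ?p= value to a path taken from the allowlist, never from the input.
function resolve_page($requested, array $pages,
                      string $default = 'home', string $fallback = 'notfound'): string
{
    if (!is_string($requested) || $requested === '') {   // missing, empty, or ?p[]=x
        return $pages[$default];
    }
    return $pages[$requested] ?? $pages[$fallback];      // unknown name => not-found page
}

// Constructed demo: a throwaway pages directory so the script runs anywhere.
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
@mkdir($dir);
foreach (['home', 'about', 'notfound'] as $name) {
    file_put_contents("$dir/$name.php", "<?php echo '$name page', PHP_EOL;");
}

$pages  = allowed_pages($dir);
$inputs = [null, '', 'about', '../../../../usr/share/php/something', ['x'], 'nosuch'];
foreach ($inputs as $input) {
    echo json_encode($input, JSON_UNESCAPED_SLASHES), ' => ';
    include resolve_page($input, $pages);
}

// Remove the constructed files again.
array_map('unlink', $pages);
rmdir($dir);

// In index.php the call would be (assuming pages live next to index.php):
//   include resolve_page($_GET['p'] ?? null, allowed_pages(__DIR__ . '/pages'));
```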
