opinions how to do it?


LogicOpinion
02-13-2008, 12:01 PM
hello, i am about to ask several questions about:

how is link like: ..../index.php?page=1&sector=2 made ?

i thought about this and did something like this:



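<?php
// Page name from the query string, e.g. index.php?p=5
$p = isset($_REQUEST['p']) ? $_REQUEST['p'] : 'main';
// Accept only plain names so $p cannot point outside navigation/
if (!preg_match('/^[A-Za-z0-9_-]+$/', $p) || !file_exists("navigation/".$p.".php"))
{ include "main.php"; }
else
{ if ($p!='main') { include "navigation/".$p.".php"; }
else
{ include "main.php"; }
}
?>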


and as a rule it works fine..
but i found as i thought a hole in this way of building page:

now what is that..: as you see all included files (which are filename.php) are kept in the FOLDER named NAVIGATION

and if someone will edit URL

http://somehostname.com/index.php?p=5 instead of this will type http://somehostname.com/navigation/filename.php the content of that page will be displayed..

i checked such thing on several websites ... but none of them let me see that file (included file)
maybe i got it wrong to use inclusion and displaying pages dynamically?

or maybe there is no problem if someone can view that page outside of page ..... like
someurl.com/somefoldername/subfoldername/filename.php?


please give me some advice. thank you

paulkoan
02-14-2008, 12:33 AM
If the content is allowed to be viewed, then I would say that there isn't a problem with them accessing the pages directly. If there was an issue with the content, in that you wanted it to be protected, then obscuring the location of the content, but still having it public, is not a secure approach.

But why do you want to do this anyway? The reason that you see sites with complex urls is because of the underlying system. In fact there are a lot of efforts to make complex urls look simpler by the use of mod_rewrite for example.

What benefits do you see from purposefully obscuring the urls?

Cheers,

Paul

TheRave
02-14-2008, 02:24 AM
If you don't want someone accessing your included files you can:

- Move them out of your www root.
- Make them directly inaccessible (e.g. with htaccess).
- Internally check if they are being called directly or by a master script. If directly, die out of the script.
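
The third option above (the internal check), combined with a stricter lookup of the `p` parameter, as an added example that is not part of the original thread. `SITE_ENTRY`, `resolve_page()` and the page files are hypothetical names, and the directory is constructed in the temp dir so the script runs on its own from the command line.

```php
<?php
// Added example, not code from the thread. SITE_ENTRY, resolve_page() and
// the page files are hypothetical; the directory is constructed for the demo.
$navDir = sys_get_temp_dir() . '/nav_demo_' . uniqid();
mkdir($navDir, 0700);

// Every included file starts with this guard: unless the master script has
// defined SITE_ENTRY, the file was requested directly and stops at once.
$guard = "<?php if (!defined('SITE_ENTRY')) { http_response_code(403); exit('No direct access'); } ?>\n";
file_put_contents("$navDir/about.php", $guard . "<p>About page</p>\n");
file_put_contents("$navDir/main.php",  $guard . "<p>Main page</p>\n");

// Master script side: map ?p= to a file that really lies inside $navDir.
function resolve_page($navDir, $p)
{
    $default = "$navDir/main.php";
    // Plain names only: no slashes, dots or null bytes reach the filesystem.
    if (!is_string($p) || !preg_match('/^[A-Za-z0-9_-]+$/', $p)) {
        return $default;
    }
    $base = realpath($navDir);
    $path = realpath("$navDir/$p.php");
    // realpath() is false for a missing file; the prefix check also rejects
    // symlinks that lead out of the navigation directory.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $default;
    }
    return $path;
}

// 1) Direct request, simulated by running the file on its own: guard fires.
$cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg("$navDir/about.php");
echo "direct: ", shell_exec($cmd), "\n";

// 2) Requests through the master script: constant is set, content is shown.
define('SITE_ENTRY', true);
foreach (array('about', 'missing', '../about', null) as $p) {
    echo "p=", var_export($p, true), ": ";
    include resolve_page($navDir, $p);
}

// Clean up the constructed files.
array_map('unlink', glob("$navDir/*.php"));
rmdir($navDir);
```

On a real site the guard line goes at the top of each file under navigation/ and the `define()` sits at the top of index.php.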