New problem :(
DanUK
11-30-2003, 04:53 PM
Hey there again.
Sorry to be a pain!
I'm trying to get my contact.php to be able to have id=2, i.e. page.php?p=contact&id=2.
I've managed to get it to work partially, I've put the HTML for the staff info in "staffinfo" directory as 1.html all through to 11.html.
My contact.php:
<?php
if (!eregi("page.php", $_SERVER['PHP_SELF'])) {
die ("Sorry, You cannot access this file directly...");
}
$index = 0;
include("header.php");
$GET['id'];
$info = "/staffinfo/".$id.".html";
include($info);
?>
<div align="center">
..
<br /></div>
<?php
include("footer.php");
?>
I'm receiving the errors though:
Warning: main(/staffinfo/.html): failed to open stream: No such file or directory in /home/LAN/public_html/contact.php on line 11
Warning: main(): Failed opening '/staffinfo/.html' for inclusion (include_path='.:/usr/local/lib/php') in /home/LAN/public_html/contact.php on line 11
I want it to only get the staff info if the id is used, as it seems it wants to get it straight away.
Any help on this is much appreciated.
UPDATE: Tried using full path so i used:
$info = "/home/LAN/public_html/staffinfo/".$id.".html";
with same effect.
Try this:
if (isset($GET['id'])) {
$id = $GET['id'];
$info = "/staffinfo/".$id.".html";
include($info);
}
DanUK
11-30-2003, 05:09 PM
pyro, thanks.
That squashed the errors, but now the staff information won't load.
It just has the static info that is on contact.php (the stuff I posted within the <div align="center"> etc), the staff info won't load.
Hmm..
Are you sure the page exists? For instance, if this is your url: page.php?id=foo it will try to include /staffinfo/foo.html.
DanUK
11-30-2003, 05:14 PM
Yep, it's page.php?p=contact
then the ID's are like page.php?p=contact&id=2
in staffinfo there is 1.html, 2.html all through to 11.html..
Any error messages or anything? Might want to try using a root path for the include...
DanUK
11-30-2003, 05:21 PM
Exact same, no errors, just doesn't load it - it "flashes" as if it's reloading - but doesn't show anything..
I tried the full path, but the same:
so:
<?php
if (!eregi("page.php", $_SERVER['PHP_SELF'])) {
die ("Sorry, You cannot access this file directly...");
}
$index = 0;
include("header.php");
if (isset($GET['id'])) {
$id = $GET['id'];
$info = "/home/LAN/public_html/staffinfo/".$id.".html";
include($info);
}
?>
<div align="center">
our stafflist html here.
<br /></div>
<?php
include("footer.php");
?>
A "ls" from /home/LAN/public_html
$ ls staffinfo
1.html 11.html 3.html 5.html 7.html 9.html
10.html 2.html 4.html 6.html 8.html
Cripes... I must need more sleep. :rolleyes:
I bet this will work a heckuva lot better for you:
if (isset($_GET['id'])) {
$id = $_GET['id'];
$info = "/home/LAN/public_html/staffinfo/".$id.".html";
include($info);
}
Sorry 'bout that... (forgot the _ in $_GET)
DanUK
11-30-2003, 05:37 PM
yessssssssss - thank you so much! :D
DanUK
11-30-2003, 06:43 PM
pyro last qus on this, sorry.
How can I get the staff list to disappear and *only* show the staff details, as at the moment it is listing the staff list underneath...
Also, I've changed the code a little so that an error is echoed if an ID is given that doesn't exist.
So we've got now:
<?php
if (!eregi("page.php", $_SERVER['PHP_SELF'])) {
die ("Sorry, You cannot access this file directly...");
}
$index = 0;
include("header.php");
if (isset($_GET['id'])) {
$id = $_GET['id'];
$info = "/home/LAN/public_html/staffinfo/".$id.".html";
if (file_exists($info)) {
include ($info);
} else {
echo "Sorry, that ID does not exist. Please try again.";
}
}
?>
<div align="center">
staff list...
<br /></div>
<?php
include("footer.php");
?>
Could you give that a look over, do you also think the code is pretty secure/OK?
Thanks.
Just wrap the content in an else, corresponding to this if:
if (isset($_GET['id'])) {
Also, for what you are doing, it should be fine, security wise. No gaping holes, and you aren't doing anything that people couldn't just get anyway.
DanUK
11-30-2003, 08:07 PM
:confused:
Like this?
<?php
if (!eregi("page.php", $_SERVER['PHP_SELF'])) {
die ("Sorry, You cannot access this file directly...");
}
$index = 0;
include("header.php");
if (isset($_GET['id'])) {
$id = $_GET['id'];
$info = "/home/LAN/public_html/staffinfo/".$id.".html";
if (file_exists($info)) {
include ($info);
} else {
echo "Sorry, that ID does not exist. Please try again.";
}
}
else {
?>
<div align="center">
staff list...
<br /></div>
<?php
}
?>
<?php
include("footer.php");
?>
<?php
if (!eregi("page.php", $_SERVER['PHP_SELF'])) {
die ("Sorry, You cannot access this file directly...");
}
$index = 0;
include("header.php");
if (isset($_GET['id'])) {
$id = $_GET['id'];
$info = "/home/LAN/public_html/staffinfo/".$id.".html";
if (file_exists($info)) {
include ($info);
} else {
echo "Sorry, that ID does not exist. Please try again.";
}
}
else {
?>
<div align="center">
staff list...
<br /></div>
<?php
}
include("footer.php");
?>
DanUK
11-30-2003, 08:10 PM
ack just posted the same time :D - i'll go with yours hehehe thanks
DanUK
11-30-2003, 08:21 PM
sorry - i must be getting on your nerves!
That final:
<?php
}
include("footer.php");
?>
is it better like that than a separate
<?php
}
?>
Thanks a lot pyro - hope you can help me on my other post too about all in one page :)
My savior tonight! thanks :D
Yes, IMO it is better not to be getting in and out of PHP for no reason. If you have PHP code followed by more code, just group it all together into one snippet.
DanUK
11-30-2003, 08:31 PM
Okie thanks -
Lastly! ;)
Someone I just showed the code to on MSN said:
" you should use if(!empty instead of if(isset because your code will allow an empty ID. and you should probably get rid of eregi, because that can be done without a regexp (please correct me if i'm wrong). additionally you might want to show the footer before you let the script die. for instance: echo "bad boy, you are not allowed to do that"; include("footer.php"); exit;"
:confused: :confused:
I answered that in the other thread: http://forums.webdeveloper.com/showthread.php?s=&threadid=22457
DanUK
11-30-2003, 08:45 PM
sorry pyro yes, I realised I added that onto the wrong thread and it applied to this one.
Thanks a million for this.
I'll buy you a beer next time you're in the UK :p
DanUK
12-01-2003, 04:54 AM
Hi again.
With regard to your reply to those "questions" on the other post, how would that ultimately change the code I already have, and what did you think of the other thread I had with that code, and suggestions for that?
Thank you very much!
DanUK
12-02-2003, 05:32 PM
Originally posted by pyro
<?php
if (strstr($_SERVER['PHP_SELF'], "page.php")) {
die ("Sorry, You cannot access this file directly...");
}
$index = 0;
include("header.php");
if (isset($_GET['id'])) {
$id = $_GET['id'];
$info = "/home/LAN/public_html/staffinfo/$id.html";
if (file_exists($info)) {
include ($info);
} else {
echo "Sorry, that staff ID does not exist. Please try again.";
}
}
else {
?>
Staff list here.
<?php
}
include("footer.php");
?>
With this one pyro, shouldn't we use something like:
$id = intval($_GET['id']);
or even if (!is_numeric($_GET['id'])) { die('Incorrect ID.'); } as apparently this doesn't limit that it's *just* that dir.
:confused:
Thanks.
DanUK
12-03-2003, 03:38 AM
What do you think about them all pyro, and how about that thing for contact.php?
Your help is much appreciated.
Yes, you could check if it is numeric, allowing them to only pass numbers, or, you could check for a / so they can't change directories. Depends what you need.
DanUK
12-03-2003, 07:28 AM
Hey pyro, hope you're okay:)
Well, just basically to secure it a little, i.e. that it can *only* open files within that staffinfo directory, and they must be a [numeric].html. Is that poss?
Also what did you think of the post where I pasted all the new php, after the changes over the last few days?
Thanks very much pyro.
Edit1 - the thread with all the php pasted is the "All within one page" on page 3 , the last thread. :) Thanks.
DanUK
12-04-2003, 08:00 AM
Hi pyro, it would seem that I do need the "!"'s on the pages (except for header/footer) as when they're loaded, even with page.php?p=page they say they cannot be accessed directly. It seems only header/footer don't need the "!", the others do, correct?
<?php
if (!strstr($_SERVER['PHP_SELF'], "page.php")) {
die ("Sorry, You cannot access this file directly...");
}
$index = 0;
include("header.php");
?>
If you can help me with the last few posts within this thread it'd be much appreciated. Thanks again pyro, and sorry to make this drag.
Originally posted by skydan
and they must be a [numeric].html. Is that poss?
Yes, you posted it yourself:
if (!is_numeric($_GET['id'])) { die('Incorrect ID.'); }
As far as whether the ! is needed, I think I misunderstood which page you were passing as the second parameter. Just use what works. ;)
Also, if you want to optimize it a bit, I mistakenly told you to use strstr(), when the less memory intensive function would be strpos() (http://us4.php.net/manual/en/function.strpos.php). Sorry 'bout that...
DanUK
12-04-2003, 03:03 PM
Hey pyro. Thanks.
Would contact.php look like this then?
<?php
if (!strstr($_SERVER['PHP_SELF'], "page.php")) {
die ("Sorry, You cannot access this file directly...");
}
$index = 0;
include("header.php");
if (!is_numeric($_GET['id'])) { die('Incorrect ID.'); }
$id = $_GET['id'];
$info = "/home/LAN/public_html/staffinfo/$id.html";
if (file_exists($info)) {
include ($info);
} else {
echo "Sorry, that staff ID does not exist. Please try again.";
}
}
else {
?>
Staff List
<?php
}
include("footer.php");
?>
Would that also make sure they *only* load files within that 'staffinfo' directory?
Lastly, would that mean - using the strpos() the pages would have:
<?php
if (!strpos($_SERVER['PHP_SELF'], "page.php")) {
die ("Sorry, You cannot access this file directly...");
}
$index = 0;
include("header.php");
?>
Basically, all the other pages (except header.php and footer.php) must be loaded with page.php, i.e. page.php?p=contact for contact.php, if they're loaded directly, that error will occur. If header.php/footer.php are loaded directly, they are loaded with index.php instead.
Is that correct how I've done all that?
Thanks pyro!!!
Everything looks good, except that first bit. Looks like you've got an else that's not accounted for. The last else has no open if statement to follow...
DanUK
12-04-2003, 04:02 PM
Hey pyro thanks.
Haven't actually changed any of the elses, doesn't that last just make it display the staff list as the "}" close is in the bottom <?php ..
Was I correct with that strpos then? :)
Ta.
It looks like this is the problematic line:
if (!is_numeric($_GET['id'])) { die('Incorrect ID.'); }
This might be better:
if (is_numeric($_GET['id'])) {
Also, yes, it looks like you used strpos correctly. :)
DanUK
12-04-2003, 04:37 PM
Ah yes, wonderful thanks pyro.
Would this be better to use for contact.php though, I've probably done it entirely wrong, but is this a more secure method?
<?php
if (!strpos($_SERVER['PHP_SELF'], "page.php")) {
die ("Sorry, You cannot access this file directly...");
}
$index = 0;
include("header.php");
$allowed = array('1.html','2.html','3.html','4.html','5.html','6.html','7.html','8.html','9.html','10.html','11.html');
if (empty($_GET['id'])) {
include('/home/LAN/public_html/' . $allowed['1.html']);
} else {
if (!is_numeric($_GET['id'])) { die('Incorrect ID.'); }
if (in_array($_GET['id'], $allowed)) {
include('/home/LAN/public_html/staffinfo/' . $allowed[$_GET['id']]);
} else {
echo 'Sorry, that staff ID does not exist. Please try again.';
exit;
}
}
?>
Staff List
<?php
}
include("footer.php");
?>
Also with this strpos, the pages with page.php to load them need the "!" - so:
<?php
if (!strpos($_SERVER['PHP_SELF'], "page.php")) {
die ("Sorry, You cannot access this file directly...");
}
$index = 0;
include("header.php");
?>
and would header.php/footer.php remain the same without the "!" so i.e. for header.php:
<?php
if (strpos($_SERVER['PHP_SELF'], "header.php")) {
header("Location: index.php");
die();
}
session_start();
$header = 1;
?>
Thanks.
Yes, using an array like that is probably one of the most secure methods of doing this, as users will only be able to load the files that you explicitly set.
DanUK
12-04-2003, 05:49 PM
Thought so, thanks. was it correct how I did it?
Well, I would have done it a bit differently. ;)
I would simply pass the array index, and then use that variable to insert the page. That would allow you to get rid of some of the if statements you've got going there... :)
DanUK
12-04-2003, 06:07 PM
pyro your ideas/edits are always much much appreciated, i'm not brill at this stuff - and find it very difficult, but I try..
If you can see what I should get rid of/add/change then your changes are extremely welcome and invited - i thank you for all your support in this thread :) it's much appreciated.
Basically, I just want that whenever contact is called (via page.php?p=contact) I can use &id=1 and that would call 1.html from /home/LAN/public_html/staffinfo/1.html and only use the .html files in there, and only be able to access files within that directory. That's my aim anyway :)
DanUK
12-06-2003, 12:33 PM
Any idea pyro please ? :)
Thanks.
Ideas on what? I thought we had achieved that...?
DanUK
12-06-2003, 12:47 PM
Ohh sorry, maybe I misunderstood when you said this...
Originally posted by pyro
Well, I would have done it a bit differently. ;)
I would simply pass the array index, and then use that variable to insert the page. That would allow you to get rid of some of the if statements you've got going there... :)
I replied:
pyro your ideas/edits are always much much appreciated, i'm not brill at this stuff - and find it very difficult, but I try..
If you can see what I should get rid of/add/change then your changes are extremely welcome and invited - i thank you for all your support in this thread it's much appreciated.
Basically, I just want that whenever contact is called (via page.php?p=contact) I can use &id=1 and that would call 1.html from /home/LAN/public_html/staffinfo/1.html and only use the .html files in there, and only be able to access files within that directory. That's my aim anyway :)
DanUK
12-08-2003, 12:12 PM
Still cannot get this to work...
Any help is much appreciated and your comments regarding all the code i've posted :)
Many thanks again.
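One way to implement the "pass the array index" approach discussed in the thread, so that the id from the URL is only ever a key into a list built on the server and never part of the path (an added example, not code from any poster; the helper name staff_page_path() is hypothetical, and the directory and the 1 to 11 range are the ones quoted in the thread):

```php
<?php
// Added example, not code from the thread. STAFF_DIR and the 1..11 range
// come from the thread; staff_page_path() is a hypothetical helper name.
const STAFF_DIR = '/home/LAN/public_html/staffinfo';

// Map a request-supplied id to a staff page path, or return null.
// The request value is only used as a key into a server-built list.
function staff_page_path($rawId, string $baseDir = STAFF_DIR, int $maxId = 11): ?string
{
    // Reject arrays (?id[]=1), empty strings and anything but ASCII digits.
    // is_numeric() would also accept "1e1", "+2", " 3" and "1.5".
    if (!is_string($rawId) || !ctype_digit($rawId) || strlen($rawId) > 2) {
        return null;
    }
    // Allowlist built on the server: 1 => "1.html" ... 11 => "11.html".
    $allowed = [];
    for ($i = 1; $i <= $maxId; $i++) {
        $allowed[$i] = $i . '.html';
    }
    $id = (int) $rawId;          // "02" becomes 2; "0" and "12" miss the list
    if (!isset($allowed[$id])) {
        return null;
    }
    // Defence in depth: resolve symlinks and confirm the file sits in $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowed[$id]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage inside contact.php, replacing the if/else around include():
$path = isset($_GET['id']) ? staff_page_path($_GET['id']) : null;
if ($path !== null) {
    include $path;                       // staff detail page
} elseif (isset($_GET['id'])) {
    echo 'Sorry, that staff ID does not exist. Please try again.';
} else {
    echo 'Staff list here.';             // default view when no id is given
}
```

Because the staff pages are static HTML, readfile($path) would output them without passing them through the PHP parser the way include does.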