PHP Question

Jun 4, 2005
19,723
1
0
I've seen many pages with a url like this :

http://mysite.com/index.php?db=bw

How would one go about getting that ?db=bw ?

Like...say I had a page called "guide.php"

On that page, I have two links. One link leads to a Malware guide, the other leads to a Firefox guide.

How would I get the firefox link to go to guide.php?g=firefox

Any help would be appreciated!
 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
PHP is a server-side programming language. It's not like HTML which is a client-side formatting language. Whole different world.
 

AdamSnow

Diamond Member
Nov 21, 2002
5,736
0
76
I'm not positive, but I think that has something to do with the way information is passed between two pages... GET, and POST or something like that...

?
 

Hersh

Senior member
Oct 14, 1999
331
0
0
Assuming your host has php register_globals ON, if you have http://www.blah.com/?db=firefox

Inside index.php, you should have php code in it referencing variable $db as it is auto-initialized.

Now, if you do not know what to do from there (ie. showing different content depending upon the $db variable) THEN that is another issue of its own and you need to learn how to program. Look up php switch statement (or simple if else statement syntax) to learn about how to use them.
 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
Originally posted by: LoKe
I know this. o_O

Oh, sorry man, I thought you were asking what a php file is.

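<?php

// Read the "g" parameter from the query string (guide.php?g=firefox).
// The array key must be quoted; default to '' when it is absent.
$var = isset($_GET['g']) ? $_GET['g'] : '';

if($var=="firefox") {
// grab the firefox guide, echo to screen
}
else if($var=="malware") {
// grab malware guide
}
else {
// error
}

?>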

Is that what you wanted?



/edit: oops
 
Jun 4, 2005
19,723
1
0
That looks like what I need. Thanks!

EDIT : Seeing as how I'm a PHP newb, I don't really know what to do with this. :eek:

This is what I've got.

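<?php

// The array key must be quoted; default to '' when the parameter is absent.
$var = isset($_GET['g']) ? $_GET['g'] : '';

// Each branch echoes the file name that matches the requested guide.
if($var=="firefox") {
echo 'firefox.php';
}
else if($var=="malware") {
echo 'malware.php';
}
else {
echo "Nope.";
}

?>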

Problem is, I don't know what to do with it. What would I put in my link to the Firefox guide in order for this to work?

Please help the newb. :(
 
Jun 4, 2005
19,723
1
0
I got some coding alternatives from a friend, he's AFK so I can't ask him about it...but this is what he gave me :

<?
$section = $_GET['page'];

switch(strtolower($section))
{
case 'malware':
echo file_get_contents('malware.html');
break;
}
switch(strtolower($section))
{
case 'firefox';
echo file_get_contents('firefox.html');
break;
}
?>
<a href="guide.php?page=malware">Malware</a><br />
<a href="guide.php?page=firefox">Firefox</a>

But when I do this, the links for "Malware" and "Firefox" are at the bottom of each page.

My take on it...

<?
$section = $_GET['page'];

switch(strtolower($section))
{
case 'malware':
echo file_get_contents('malware.html');
$section2 = "notnull";
break;
}
switch(strtolower($section))
{
case 'firefox';
echo file_get_contents('firefox.html');
$section2 = "notnull";
break;
}
if ($section2 = "null") {
echo '<a href="guide.php?page=malware">Malware</a><br />';
echo '<a href="guide.php?page=firefox">Firefox</a>'; }
else {
}
?>

But the same thing happens. What's wrong with my "if" statement?
 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
Originally posted by: LoKe
What's wrong with my "if" statement?

Mostly the fact you used '=' instead of '=='. = is the assignment operator (like 'x=3' or 'let x equal 3'). == is the comparative operator (like 'if x==3' or 'is x equal to 3?').

It still won't work if you change the if statement though, as you didn't set the $section2 variable to the string "null" before you started. You might be able to go if($section2==null) without the speechmarks to indicate checking for a real null (that would work in C/Java anyhoo) but it's not the best way to do it.

How bout this:



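<?php

// Only accept a plain string for "page"; anything else falls through to the menu.
$section = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : '';

$section = strtolower($section);

// Fixed file names only: the request value is compared, never used as a path.
if($section=="malware") {
echo file_get_contents('malware.html');
}
else if($section=="firefox") {
echo file_get_contents('firefox.html');
}
else {
// No (or unknown) page requested: show the links.
echo '<html>';
echo '<body>';
echo '<a href="guide.php?page=malware">Malware</a><br />';
echo '<a href="guide.php?page=firefox">Firefox</a>';
echo '</body>';
echo '</html>';
}

?>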



 
Jun 4, 2005
19,723
1
0
Since I was too stupid to figure out the problem with my if statement, I just used != and changed the parameters.

<?
$section = $_GET['page'];

switch(strtolower($section))
{
case 'malware':
echo file_get_contents('malware.html');
$section2 = "notnull";
break;
}
switch(strtolower($section))
{
case 'firefox';
echo file_get_contents('firefox.html');
$section2 = "notnull";
break;
}
if ($section2 != "notnull") {
echo "<h3 id='guide' title='The Guides'>The Guides</h3>";
echo "<p><strong>Please choose a guide:</strong></p>";
echo "<a href='guide.php?page=malware'>System Clean up</a><br />";
echo "<p>If you're looking to rid your system of all sorts of infections (Spyware, Adware, Viruses, Trojans, etc), this is the guide for you.</p>";
echo "<a href='guide.php?page=firefox'>Tweaking Firefox</a><br />";
echo "<p>Get the most out of Firefox with this ultimate tweaking guide!</p>";}
else {
}
?>

This works exactly the way I want it to. Thanks for all the help!

EDIT : I'm using your method instead, since it's a lot simpler to me. Thanks. :)
 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
Link me to your firefox tweaking guide when you're finished it, I'd like to get better performance out of the thing.
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: alphaz
Assuming your host has php register_globals ON, if you have http://www.blah.com/?db=firefox

Inside index.php, you should have php code in it referencing variable $db as it is auto-initialized.

Now, if you do not know what to do from there (ie. showing different content depending upon the $db variable) THEN that is another issue of its own and you need to learn how to program. Look up php switch statement (or simple if else statement syntax) to learn about how to use them.
Holy shite, that sounds like a huge security nightmare. So if some dope has register_globals on in his php setup, I can start influencing the values of variables in his scripts by guessing what they're called and appending parameters to urls that I request from him?
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Edit: wow, totally just posted about google and government access to search data in this thread :eek::p
 

BigPete

Senior member
May 28, 2001
729
0
0
Originally posted by: kamper
Originally posted by: alphaz
Assuming your host has php register_globals ON, if you have http://www.blah.com/?db=firefox

Inside index.php, you should have php code in it referencing variable $db as it is auto-initialized.

Now, if you do not know what to do from there (ie. showing different content depending upon the $db variable) THEN that is another issue of its own and you need to learn how to program. Look up php switch statement (or simple if else statement syntax) to learn about how to use them.
Holy shite, that sounds like a huge security nightmare. So if some dope has register_globals on in his php setup, I can start influencing the values of variables in his scripts by guessing what they're called and appending parameters to urls that I request from him?

No, because the person has to use the global variable $_GET[] in order to pull the variable from the URL. You cannot just go around sticking whatever you want in the URL and affect the script that way.

 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
Originally posted by: BigPete
Originally posted by: kamper
Originally posted by: alphaz
Assuming your host has php register_globals ON, if you have http://www.blah.com/?db=firefox

Inside index.php, you should have php code in it referencing variable $db as it is auto-initialized.

Now, if you do not know what to do from there (ie. showing different content depending upon the $db variable) THEN that is another issue of its own and you need to learn how to program. Look up php switch statement (or simple if else statement syntax) to learn about how to use them.
Holy shite, that sounds like a huge security nightmare. So if some dope has register_globals on in his php setup, I can start influencing the values of variables in his scripts by guessing what they're called and appending parameters to urls that I request from him?

No, because the person has to use the global variable $_GET[] in order to pull the variable from the URL. You cannot just go around sticking whatever you want in the URL and affect the script that way.

That's not true. If register globals is turned on as the poster said you can just use $db to get the variable. But that said, no variable passed by post or get is secure. I can send my own. So ALWAYS validate your data to make sure it is not malicious.

However the problem with register_globals is that I can guess another variable.

For example, let's say I have this simple script, which is not a real script but an example.

I have 3 variables $a, $b, and $c. Normally only $a is defined by the user (the client). $b and $c are stored in the program and should not be editable by the user. (Let's say $a is the amount of items I want to buy and $b is the price.)

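<?php

// $b is never assigned in this script, so with register_globals on
// it can be supplied from the URL just like $a.
$c = $a * $b;

echo "Your price is : " . $c;
?>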

The normal call for this page is www.mypage.com/buyme.php?a=1 but I hand edit it to be www.mypage.com/buyme.php?a=1&b=0.

If register_globals is turned on (which it should never be turned on but a lot of idiot web hosts do turn it on) then this would cause my total to be 0. Which means I could buy product for no price. This is why you should NEVER EVER EVER use register globals and always use $_POST and $_GET.
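The buyme.php scenario from the post above, as an added example that is not part of the original thread. register_globals was removed in PHP 5.4, so `extract()` stands in for it here; the function names, `UNIT_PRICE`, the quantity limits and the `if (!isset($b))` pattern are assumptions made for illustration.

```php
<?php
// Added example. Sample price and query strings are constructed.
// register_globals no longer exists in PHP, so extract() emulates it.

const UNIT_PRICE = 19.99; // hypothetical price, held server-side

// Vulnerable shape: every request parameter becomes a local variable.
function total_register_globals_style(string $query): string
{
    parse_str($query, $params);
    extract($params);            // emulates register_globals = On
    $a = $a ?? 0;                // quantity, expected from the client
    if (!isset($b)) {            // price is only set when "missing", so a
        $b = UNIT_PRICE;         // request-supplied b is used instead
    }
    $c = $a * $b;
    return number_format((float) $c, 2);
}

// Hardened shape: read one named parameter, validate it, and never take
// the price from the request.
function total_hardened(string $query): ?string
{
    parse_str($query, $get);     // stands in for $_GET
    $qty = filter_var($get['a'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false) {
        return null;             // reject instead of guessing a value
    }
    return number_format($qty * UNIT_PRICE, 2);
}

// The two requests from the post, plus one with an out-of-range quantity.
foreach (['a=1', 'a=1&b=0', 'a=-5&b=0'] as $q) {
    printf(
        "%-10s register_globals-style: %-6s hardened: %s\n",
        $q,
        total_register_globals_style($q),
        total_hardened($q) ?? 'rejected'
    );
}
```

The hardened function ignores `b` entirely because it only ever reads the key it names, which is the trusted/untrusted separation that using `$_GET` and `$_POST` explicitly gives you.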

 

Cheetah8799

Diamond Member
Apr 12, 2001
4,508
0
76
Originally posted by: sourceninja
If register_globals is turned on (which it should never be turned on but a lot of idiot web hosts do turn it on) then this would cause my total to be 0. Which means I could buy product for no price. This is why you should NEVER EVER EVER use register globals and always use $_POST and $_GET.


While you are correct about the register_globals being a security risk, a good programmer will have come up with other checks in their e-commerce system to verify that the price is correct before the final checkout. They also wouldn't use easy to guess variables which could be manipulated with the register_globals.


To the OP. I suggest you come up with some concepts/ideas that you'd like to try coding in PHP, then go from there. It'll help you learn PHP quicker and better rather than looking at random ideas and trying to figure it out.
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
Originally posted by: Cheetah8799
Originally posted by: sourceninja
If register_globals is turned on (which it should never be turned on but a lot of idiot web hosts do turn it on) then this would cause my total to be 0. Which means I could buy product for no price. This is why you should NEVER EVER EVER use register globals and always use $_POST and $_GET.


While you are correct about the register_globals being a security risk, a good programmer will have come up with other checks in their e-commerce system to verify that the price is correct before the final checkout. They also wouldn't use easy to guess variables which could be manipulated with the register_globals.


To the OP. I suggest you come up with some concepts/ideas that you'd like to try coding in PHP, then go from there. It'll help you learn PHP quicker and better rather than looking at random ideas and trying to figure it out.

Psst. I said that in my post. Well to be more precise I said "So ALWAYS validate your data to make sure it is not malicious. "

 

SaturnX

Diamond Member
Jul 16, 2000
3,415
0
76
Originally posted by: sourceninja
Originally posted by: Cheetah8799
Originally posted by: sourceninja
If register_globals is turned on (which it should never be turned on but a lot of idiot web hosts do turn it on) then this would cause my total to be 0. Which means I could buy product for no price. This is why you should NEVER EVER EVER use register globals and always use $_POST and $_GET.


While you are correct about the register_globals being a security risk, a good programmer will have come up with other checks in their e-commerce system to verify that the price is correct before the final checkout. They also wouldn't use easy to guess variables which could be manipulated with the register_globals.


To the OP. I suggest you come up with some concepts/ideas that you'd like to try coding in PHP, then go from there. It'll help you learn PHP quicker and better rather than looking at random ideas and trying to figure it out.

Psst. I said that in my post. Well to be more precise I said "So ALWAYS validate your data to make sure it is not malicious. "


That or use sessions, it's even recommended by PHP.net to use sessions in place of passing values. It's exactly what I did when I wrote up my custom CMS for the admin portion. Locked it down on all aspects and validate all data.

--Mark
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
You can't use sessions to get form data. It's great for passing data in between pages, but doesn't help you protect form data. Form data should always be suspect. You should validate it to make sure it is within your constraints.
 

mugs

Lifer
Apr 29, 2003
48,920
46
91
Originally posted by: kamper
Holy shite, that sounds like a huge security nightmare. So if some dope has register_globals on in his php setup, I can start influencing the values of variables in his scripts by guessing what they're called and appending parameters to urls that I request from him?

It is a security flaw, and it is turned off by default in versions of PHP >= 4.2 I believe. Which was a massive PITA if you did it the lazy way before, but ultimately it was for the better.

However, you can only really influence session variables and POST variables the way you describe. Any other variables would have something assigned to them before being used. Except I suppose a variable that holds a number that the programmer is adding to and assuming it starts at 0, or a string variable that the programmer is appending to and assuming it starts out as an empty string. But I always initialize those variables when I am doing that.
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: Cheetah8799
Originally posted by: sourceninja
If register_globals is turned on (which it should never be turned on but a lot of idiot web hosts do turn it on) then this would cause my total to be 0. Which means I could buy product for no price. This is why you should NEVER EVER EVER use register globals and always use $_POST and $_GET.
While you are correct about the register_globals being a security risk, a good programmer will have come up with other checks in their e-commerce system to verify that the price is correct before the final checkout. They also wouldn't use easy to guess variables which could be manipulated with the register_globals.
Sure, but why even give yourself the chance to screw up? Letting random people from the web have any sort of access to stuff that you haven't explicitly defined is never a good thing. If anything, having to go to the extra trouble of retrieving GET and POST values is good because it highlights the difference between trusted and untrusted data. And if using hard to guess variables is your idea of security then...