I am having an issue using isset to display content on a page.
My PHP file is called messages.php
I am directing my users with links to this URL: messages.php?inbox using if(isset($_GET['inbox'])) { } to display the user's inbox. The same principle applies to the other user options, such as compose message: messages.php?compose, again using isset.
The only problem I have is that I cannot stop people from manually typing stuff like domain.com/messages.php or domain.com/messages.php?somethingrandom.
Is there a way to direct users to messages.php?inbox when they type in the address bar something that isn't assigned to isset?
I did try to use switch but couldn't seem to get it to work properly with how I've laid out my HTML.
An example of the whole file is here http://pastebin.com/SfqN2L7g
I am fairly new to PHP and think I may have gone down the complicated route.
Any advice would be appreciated.
Thanks
The answer you added already would work, but I usually like having an array of valid options which I could maybe check against later on.
$validPages = array('inbox', 'compose');
$pageFound = false;
foreach ($validPages as $validPage) {
    if (isset($_GET[$validPage])) {
        $pageFound = true;
        break;
    }
}
if (! $pageFound) {
    header('Location: /messages.php?inbox');
    // Stop here so the rest of the page is not rendered after the redirect header.
    exit;
}
Thanks to the help of Marcos Pérez Gude, the answer is as follows:
if(isset($_GET['inbox']) || isset($_GET['compose'])){
    //Then do below
}else{
    header("Location: messages.php?inbox");
    exit;
}
I have this piece of code in a PHP web app.
if (isset($require_admin) && $require_admin) {
    if(!check_admin()) {
        $toolContent_ErrorExists = $langCheckAdmin;
        $errorMessagePath = "../../";
    }
}
The normal behavior is that if the variable $require_admin is set and true, the code will check if the visit is by the admin.
I tried to add a similar piece of code some lines below so as to do other things, like checking for cross-origin (especially CSRF) requests.
if (isset($require_token) && $require_token) {
    if( !checkToken( $mycsrf_token, $myform)) {
        $toolContent_ErrorExists = $langCheckToken;
        $errorMessagePath = "../../";
    }
}
I had in mind that in this way I would have a check that the posted forms I get are valid, and if not, there would be an error message.
However, when $require_token is set and true, and the condition is verified, I get a very strange result. Not only does nothing happen for the CSRF validation, but the above function stops working properly and the admin restriction stops working.
I know the question may be ambiguous, but I cannot get what's going on there. I'm not so experienced in web programming and totally new to PHP, so maybe someone could have a better idea!
<?php
$sPage = $_GET["p"];
//echo ("You picked the page: " . $sPage);
if ($sPage == "") {
$sPage = "home.php";
}
include($sPage);
?>
It came from a php multipage website. I would like to write this same kind of code, but in javascript.
What does this code do?
http://www.tropicalteachers.com/web110/superduper/
This link is where the code came from, the PHP dynamic one.
Okay, so let's just start from the top to the bottom. I will try to explain briefly what each PHP thing does, in case you don't know PHP too well.
$sPage = $_GET["p"];
The code above is getting query parameters that you have in your URL. Currently it's getting the query parameter "p", so for example if the URL was http://localhost/index.php?p=hola the "$sPage" variable would hold the value "hola".
if($sPage == "") { $sPage = "home.php"; }
A short if statement checking if there was a query parameter with a value; if not, we will set the variable value to "home.php".
include($sPage);
So this will literally just take the file "home.php" in this case and include it in the page. So anything that is in the file "home.php" will be displayed on the current page you are at.
To replicate this in JavaScript it would be similar to using AJAX to fetch the content you wanna display. Below I will link to a tutorial that can explain how to accomplish that.
https://www.w3schools.com/jquery/jquery_ajax_load.asp
This doesn't help with the URL part, but that you can google yourself with the correct terminology.
So, I've been struggling with this for some time, but to no avail. My research didn't help much, either. Here it is: I built a test to prevent people from going to the alter page of a module by typing the address directly in the URL without the id of the registry to be altered (therefore causing trouble in the DB). Simply put, it searches the DB for the id passed as a parameter in the URL; if it has a match, it proceeds, if not, I redirect to the main module page with an error message passed via flashdata. I use a similar process to impede the insertion/alteration of registries if a field from a different table is not defined (as it is required in both in order to work, as the tables are related). A rough example of what I'm doing in the Controller is:
if(is_numeric($id)) $search=$this->model_foo->search($id);
else
{
    $this->session->set_flashdata('error_message','not numeric');
    redirect('myurl/index','refresh');
}
if($search->num_rows()==0)
{
    $this->session->set_flashdata('error_message','not found');
    redirect('myurl/index','refresh');
}
$search=$this->model_foo2->list();
if ($search->num_rows()==0)
{
    $this->session->set_flashdata('error_message','other table empty');
    redirect('myurl/index','refresh');
}
And my view (index) is like this:
<?php
$error=$this->session->flashdata('error_message');
$success=$this->session->flashdata('success_message'); /*success_message goes after a successful insert/update*/
if ($error!="")echo $error;
?>
So here is the issue: the success messages show up normally (I checked and double checked, they are being declared in the Controller the exact same way as the error ones), as well as the 'not numeric' one, but not the 'not found' and 'other table empty' ones. I'm really confused by this one, since the flashdata seems to work in some instances and not in others, which is especially weird given the flashdata are being declared in pretty much the same way... =/ Sorry if I wasn't clear enough, this is my first post here, so (try to) be patient ;D Thanks in advance for any help in this matter.
EDIT: Found out the source of the issue. It was something with my browser's cache storage. Rebooted my machine and cleaned the cache and the output worked like a charm. Thanks for all the help.
So, I just improved your code a little bit so you can try and debug...
Controller:
$arr = array('error_message' => '');
if(!empty($id) && is_numeric($id)) {
    $search=$this->model_foo->search($id);
    if($search->num_rows()==0) {
        $arr['error_message'] = 'not found';
    } else {
        $search=$this->model_foo2->list();
        if ($search->num_rows()==0) {
            $arr['error_message'] = 'other table empty';
        }
    }
} else {
    $arr['error_message'] = 'not numeric';
}
$this->session->set_flashdata($arr);
redirect('myurl/index');
View (same):
<?php
$error=$this->session->flashdata('error_message');
$success=$this->session->flashdata('success_message'); /*success_message goes after a successful insert/update*/
if ($error!="")echo $error;
?>
Give this a try, and before checking whether the message appears, make sure the flashdata is set.
For instance, I have viewpost.php and it's set up as needed and I only need to change the content within divs in there.
For example, I'm going to have to do viewpost.php?id=1,2,3 etc. But should I do EVERYTHING off index.php using index.php?action=viewpost&id=1?
Then also, do I use if statements, or do I communicate with my database using those get requests?
Overall, I plan to use modrewrite anyway, but I am clueless on the proper way to set up loading multiple pages off one, or a few php files.
I have a template and I just need to fill it using database data.
Easiest way is something very basic like this (Not very secure though)
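// Read the requested page name; fall back to "main" when none is given.
$page = isset($_GET["action"]) ? $_GET["action"] : null;
if($page == null)
{
    $page = "main";
}
// The page name goes into the path exactly as it was sent in the request.
if (file_exists("content/$page.php"))
{
    include ("content/$page.php");
}
else
{
    include ("includes/404.php");
}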
A better solution is to use something like http://www.smarty.net/ to handle templating and content loading. Slightly more complicated, but most likely worth the extra effort if you're doing anything beyond a very simple website.
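A hardened form of the lookup above, which also applies to the earlier `include($sPage)` snippet driven by `?p=`. This is an added example, not code from either answer; `resolve_page()` and the directory layout are assumptions. It accepts only plain page names and confirms that the resolved file sits inside the content directory before anything is included.

```php
<?php
// Added example: map a request parameter to a file inside one directory.
// resolve_page() and the directory layout are assumptions for illustration.
function resolve_page($requested, string $baseDir, string $default = 'main'): ?string
{
    if ($requested === null || $requested === '') {
        $requested = $default;
    }
    // ?action[]=x arrives as an array; accept only short, plain page names
    // (no dots, slashes, stream wrappers or null bytes).
    if (!is_string($requested) || !preg_match('/\A[a-z0-9_-]{1,64}\z/i', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');

    // realpath() is false for missing files and resolves symlinks, so the
    // prefix test also rejects links that lead out of the content directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway content directory holding two pages.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'content_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/main.php', "main page\n");
file_put_contents($dir . '/viewpost.php', "post page\n");

foreach ([null, 'viewpost', 'missing', '../main', 'view.post', ['main']] as $input) {
    $file = resolve_page($input, $dir);
    echo json_encode($input, JSON_UNESCAPED_SLASHES), ' => ',
        $file === null ? '404' : basename($file), "\n";
}

// Clean up the demo files.
array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);

// In index.php the call would look like this (paths are assumptions):
//   $file = resolve_page($_GET['action'] ?? null, __DIR__ . '/content');
//   include $file ?? __DIR__ . '/includes/404.php';
```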
For index.php?action=viewpost&id=1, use this code in index:
if(isset($_GET['action']) && isset($_GET['id']))
{
    // $action was never assigned in the original snippet; read it from the request.
    $action = $_GET['action'];
    $id = $_GET['id'];
    if($action == "viewpost")
    {
        // action is viewpost
        if(!ctype_digit($id))
        {
            // id isn't a digit
            die();
        }
        else
        {
            // viewpost
            include('viewpost.php');
        }
    }
}
viewpost.php could look like:
Just to be sure nothing bad happens when going right to viewpost.php, you could see in the URL if viewpost.php exists, or just do the security here (!ctype_digit($_GET['id']))
// since it's already been secured with !ctype_digit, we can run queries right away
$q_findPost = mysqli_query($mysqli, "SELECT * FROM posts WHERE id=$id");
$r = mysqli_fetch_assoc($q_findPost);
// div stuff
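The "do the security here" option from the answer above, as an added example that is not the answer's own code: the lookup checks the id itself and binds it as a parameter, so it behaves the same whether viewpost.php is included from index.php or requested directly. `find_post()` is a hypothetical helper, and PDO with an in-memory SQLite table (requires the pdo_sqlite extension) stands in for the answer's mysqli connection so the block runs offline.

```php
<?php
// Added example: the lookup validates its own input and binds the id,
// so it does not depend on a check made earlier in another file.
function find_post(PDO $db, $rawId): ?array
{
    // Reject arrays (?id[]=1), empty strings, signs, spaces and letters.
    // The length cap keeps the integer cast inside the 32-bit range.
    if (!is_string($rawId) || !ctype_digit($rawId) || strlen($rawId) > 9) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database (assumption: the
// real site would pass its own database connection instead).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts (id, title) VALUES (1, 'First post')");

// Constructed inputs: one valid id, one unknown id, and malformed values.
foreach (['1', '2', '', '-1', '1abc', ['1'], null] as $candidate) {
    $post = find_post($db, $candidate);
    echo json_encode($candidate), ' => ',
        $post === null ? 'rejected or not found' : $post['title'], "\n";
}
```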
I want URLs like index.php?showuser=512, index.php?shownews=317 for pages I get content from the db... and for regular pages index.php?page=about and so on WITHOUT mod-rewrite.
Invision Power Board has urls like this. I have looked through their code but I can't figure out how they do it.
I could do it like this:
if (ctype_digit($_GET['shownews'])) include('shownews.php');
elseif (ctype_digit($_GET['showuser'])) include('showuser.php');
// regular pages
elseif ($_GET['page'] == 'about') include('about.php');
elseif ($_GET['page'] == 'help') include('help.php');
elseif ($_GET['page'] == 'login') include('login.php');
But this feels too messy.
Just curious how IPB does this. Is there a better way to do this? WITHOUT any mod-rewrite. Anyone know? I doubt they do it like the above.
I can't do:
if (preg_match('/^[a-z0-9]+$/', $_GET['page'])) include($_GET['page']);
Then I would get links like index.php?showuser&id=512 and that I don't like. (I know it's not safe, just showing the principle)
I like it this way, it's not the best but I like it, so please be quiet about template engines, frameworks etc. Just be kind and answer my question... I just want to know how IPB does this.
Thanks
Tomek
I don't know how IPB does this, let's get that out of the way. But, this is how I would approach this problem:
First, I recognize that there are two kinds of GET parameters: page/identifier, and just page. These would get tested separately.
Second, I recognize that all get parameters match their filenames sans the php-suffix, so we can use this to our advantage.
One of the most important things to remember is to never let GET-parameters affect our code unsanitized. In this case, we know which types of pages we can and want to show, so we can create a white-list out of these.
So, onto the pseudo-y dispatcher code:
$pagesWithId = array("shownews", "showuser", "showwhatever");
$justPages = array("about", "help", "login");
foreach ($pagesWithId as $page) {
    if (isset($_GET[$page])) {
        // $page comes from the white-list, never from the request itself.
        $id = (int)$_GET[$page];
        include($page.'.php');
        die();
    }
}
// Require the parameter to be present and match a white-listed name exactly.
if (isset($_GET['page']) && in_array($_GET['page'], $justPages, true)) {
    include($_GET['page'].'.php');
    die();
}
// page not found
show404OrHandleOtherwise();
For pages you just use a simple array.
if (isset($pages[$_GET['page']])) include $pages[$_GET['page']];
For shownews=317 you could make a simple conversion in your app. Depending on how you want to prioritize page or shownews etc:
if (isset($pages[$_GET['page']])) {
    include $pages[$_GET['page']];
} else {
    $possiblePages = array_filter(array_intersect_key($_GET, $pagesWithId), 'ctype_digit');
    if (!empty($possiblePages)) {
        $id = reset($possiblePages);
        $pageName = key($possiblePages);
        $page = $pagesWithId[$pageName];
        include $page;
    } else {
        //no valid pages
    }
}
Note: page "names" are array keys, and the value is the path, file and extension to include. More customizable.