Experts Round Table Network

Below is my attempt at using a template in developing websites.
I use Include to assemble the needed parts.


If i need to change the content of a section say body.php, I pass the necessary parameter(s) and  use the iframe tag like below:


What better way is there to get a similar system.

Thnx

You are rather over complicating the task by using an IFrame. Unless it's use is absolutely necessary, it can be replaced with the include function. For example:

mypage.php?content=myfile.php

Language: php (GeSHi-highlighted)
<?php
if (isset($_GET['content'])) {
 //validate $_GET['content']
 //if valid, include corresponding page
}
?>

When handling user input, it is essential to validate it. This includes data coming from both the query, and the HTTP post. Validation is especially important with something like this. Failure to do so, can result in an unnecessary security risk.

You need to ensure that users can only access the pages, that are intend to be accessed via the script. Doing so will prevent something like this from having any success: mypage.php?content=../../passwords.php.

If you are working with a minimal quantity of pages, you might take an approach like this:

Language: php (GeSHi-highlighted)
<?php
$valid_pages = array('page1','page2','page3','etc');
 
if (isset($_GET['content']) && in_array($_GET['content'],$valid_pages)) {
 include($_GET['content'].'.php');
}
else {
 include('default.php');
}
?>

If the content key exists within the GET superglobal array (ie. the query string), and it's value is present in our ($valid_pages) array, include the file - with the .php extension added to the end. If the content is not set, or it is not a valid page name, include default.php instead.

If you have too many pages for this approach to be practical, you might instead do something like this:

Language: php (GeSHi-highlighted)
<?php
$include_dir = $_SERVER['DOCUMENT_ROOT'].'/path/to/includes/';
 
$flag = (!empty($_GET['content']) && preg_match('/^\w+$/',$_GET['content'])) ? true : false;
 
if ($flag && is_dir($include_dir) && file_exists($include_dir.$_GET['content'].'.php')) {
 include($include_dir.$_GET['content'].'.php');
}
else {
 include('default.php');
}
?>

The specified directory ($include_dir) is where your include files are located, and should contain nothing but these files. We check that a valid filename has been submitted (ie. only characters a-z, A-Z, 0-9 and _), then we check that the specified directory exists. Finally we check that the file exists within that directory. If anything is amiss, we default to including default.php.

Note: the use of the boolean variable; $flag, is purely to simplify the code flow. It eliminates the need to have a very long if statement, or multiple if/else includes.

Using either approach, you will probably want to prevent your scripts from being accessed directly. You can do this using a .htaccess file (Apache only). This file will sit in the include file directory, and will contain the line: "Options -Indexes" (without the quotes). Direct access to these files will result in a 403 error. You can alternatively use a (less ideal) PHP approach, which we can look at if you wish.

That should give you something to work with as far as the content goes, let's take a quick look at the rest of the template. As the content is changed dynamically, using one of the methods discussed above, you can essentially have a single base file. For example:

<!-- header/navigation -->
<!-- left extended navigation -->
<!-- begin content holder -->

<?php
// PHP code for handling content
?>

<!--  end content holder -->
<!-- footer -->

You can of course split the headers/footers up into separate files if you wish, but it shouldn't be necessary, unless you are handling different types of content, or varied page structures. If you need help with something specific, please do ask.

Two final notes:

1) If you are currently using IFrames, purely for the scrolling effect, you can recreate this effect using a HTML division, and auto overflow, eg:

<div style="overflow: auto; width: 100%; height: 200px;">
<?php
//code for content handling
?>
</div>

2) You appear to be using tables for layout. Tables should only be used for tabular data, with CSS being used for layout. If you wish to find out more about this, you might consider opening a thread in the HTML section. There you will find someone who can better advise you on the matter.

Hi,

I just want to highlight an important point about this example and to back up on that it is only for example!  It will cause a DOS (denial of service) attack if you where to use this...:



I could easily replace myfile.php with mypage.php like:


 and straight away you have a infinite loop where mypage.php will load mypage.php and mypage.php again and after a few minutes the server will crash due to a DOS attack.

Sorry Diablo84 - this isn't a digg at you, its just i noticed you didn't highlight the risk within your example and a new PHP programmer such as thepreacher could easily fall into the trap and use your example...

a few years ago when i started coding PHP and somebody said this to me:



I probably wouldn't have listened to you... i would have though, hey i've just been given the framework so im going to use it...

Sean
(ellandrd)

Sean,

The two paragraphs following that particular line, were intended to explain the 'why', without going into too much detail about the 'what'. Nonetheless, I'm quite happy for you to emphasise the point :)

---

EDIT:

Original example modified, to remove the risk of a future copy & paste (and the resulting security risk).

thanks guys its been very educative :)