You are rather over complicating the task by using an IFrame. Unless its use is absolutely necessary, it can be replaced with the include function. For example:
mypage.php?content=myfile.php
<?php
if (isset($_GET['content'])) {
    // validate $_GET['content']
    // if valid, include corresponding page
}
?>
When handling user input, it is essential to validate it. This includes data coming from both the query string and the HTTP post. Validation is especially important with something like this. Failure to do so can result in an unnecessary security risk.
You need to ensure that users can only access the pages that are intended to be accessed via the script. Doing so will prevent something like this from having any success: mypage.php?content=../../passwords.php.
If you are working with a minimal quantity of pages, you might take an approach like this:
<?php
// Whitelist of page names (without the .php extension) that may be included.
$valid_pages = array('page1', 'page2', 'page3', 'etc');
if (isset($_GET['content']) && in_array($_GET['content'], $valid_pages)) {
    // Only a value from the whitelist ever reaches include().
    include($_GET['content'] . '.php');
}
else {
    include('default.php');
}
?>
If the content key exists within the GET superglobal array (i.e. the query string), and its value is present in our ($valid_pages) array, include the file, with the .php extension added to the end. If the content is not set, or it is not a valid page name, include default.php instead.
If you have too many pages for this approach to be practical, you might instead do something like this:
<?php
// Directory that holds the include files and nothing else.
$include_dir = $_SERVER['DOCUMENT_ROOT'] . '/path/to/includes/';
// Accept only word characters (a-z, A-Z, 0-9 and _), which rules out "." and "/".
$flag = (!empty($_GET['content']) && preg_match('/^\w+$/', $_GET['content'])) ? true : false;
if ($flag && is_dir($include_dir) && file_exists($include_dir . $_GET['content'] . '.php')) {
    include($include_dir . $_GET['content'] . '.php');
}
else {
    include('default.php');
}
?>
The specified directory ($include_dir) is where your include files are located, and should contain nothing but these files. We check that a valid filename has been submitted (i.e. only characters a-z, A-Z, 0-9 and _), then we check that the specified directory exists. Finally we check that the file exists within that directory. If anything is amiss, we default to including default.php.
Note: the use of the boolean variable, $flag, is purely to simplify the code flow. It eliminates the need to have a very long if statement, or multiple if/else includes.
Using either approach, you will probably want to prevent your scripts from being accessed directly. You can do this using a .htaccess file (Apache only). This file will sit in the include file directory, and will contain the line: "Options -Indexes" (without the quotes). Direct access to these files will result in a 403 error. You can alternatively use a (less ideal) PHP approach, which we can look at if you wish.
That should give you something to work with as far as the content goes; let's take a quick look at the rest of the template. As the content is changed dynamically, using one of the methods discussed above, you can essentially have a single base file. For example:
<!-- header/navigation -->
<!-- left extended navigation -->
<!-- begin content holder -->
<?php
// PHP code for handling content
?>
<!-- end content holder -->
<!-- footer -->
You can of course split the headers/footers up into separate files if you wish, but it shouldn't be necessary, unless you are handling different types of content, or varied page structures. If you need help with something specific, please do ask.
Two final notes:
1) If you are currently using IFrames purely for the scrolling effect, you can recreate this effect using an HTML division and auto overflow, e.g.:
<div style="overflow: auto; width: 100%; height: 200px;">
<?php
//code for content handling
?>
</div>
2) You appear to be using tables for layout. Tables should only be used for tabular data, with CSS being used for layout. If you wish to find out more about this, you might consider opening a thread in the HTML section. There you will find someone who can better advise you on the matter.
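The two validation approaches from the post above combined into one function, as an added example that is not part of the original post; the temporary include directory and page names are constructed, and the final realpath check is an extra step the post does not describe:

```php
<?php
// Added example (not from the original post): whitelist check plus filename
// check, returning the file to include or null (caller then uses default.php).
// $include_dir and the page names below are constructed for the demonstration.

function resolve_content_page(?string $content, string $include_dir, array $valid_pages = []): ?string
{
    if ($content === null || $content === '') {
        return null;
    }
    // Approach 1: fixed whitelist, strict comparison so only exact strings match.
    if ($valid_pages !== [] && !in_array($content, $valid_pages, true)) {
        return null;
    }
    // Approach 2: word characters only, so "../", "/", "." and NUL bytes are
    // rejected before the value ever touches the filesystem.
    if (!preg_match('/^\w+$/', $content)) {
        return null;
    }
    $candidate = $include_dir . $content . '.php';
    if (!is_dir($include_dir) || !is_file($candidate)) {
        return null;
    }
    // Extra check beyond the post: the resolved path must still be inside
    // $include_dir, so a stray symlink in that directory cannot point elsewhere.
    $real_dir  = realpath($include_dir);
    $real_file = realpath($candidate);
    if ($real_dir === false || $real_file === false
        || strpos($real_file, $real_dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real_file;
}

// Constructed demonstration: a temporary include directory holding one valid page.
$include_dir = sys_get_temp_dir() . '/includes_demo_' . getmypid() . '/';
mkdir($include_dir);
file_put_contents($include_dir . 'page1.php', "<?php echo 'page1 content';\n");

// page2 is whitelisted but has no file; the others fail the whitelist or the regex.
$tests = ['page1', '../../passwords', "page1\0", 'page2', 'PAGE1;rm'];
foreach ($tests as $t) {
    $result = resolve_content_page($t, $include_dir, ['page1', 'page2', 'page3']);
    printf("%-22s => %s\n", json_encode($t), $result === null ? 'default.php' : 'include ' . basename($result));
}

unlink($include_dir . 'page1.php');
rmdir($include_dir);
```

Only "page1" resolves to a file; every other input falls through to default.php, which is the behaviour the two snippets in the post are meant to guarantee.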