Ensellitis
Obsessive-Compulsive (I) InmateFrom: Morton, WA, USA Insane since: Feb 2002
|
posted 06-06-2004 22:36
I know it is possible to hold your entire site inside of one script, but how do you do it?
|
Emperor
Maniac (V) Mad Scientist with FinglongersFrom: Cell 53, East Wing Insane since: Jul 2001
|
posted 06-06-2004 23:09
Ensellitis: I suspect you have either not phrased the question correctly or not grasped the issues.
There are CMSes and WMSes that help you centralise control over the content on your web site, but they rarely run from one script.
___________________
Emps
The Emperor dot org | Justice for Pat Richard | FAQs: Emperor | Site Reviews | Reception Room
|
Ensellitis
Obsessive-Compulsive (I) InmateFrom: Morton, WA, USA Insane since: Feb 2002
|
posted 06-06-2004 23:38
Here is what I am going for, except that I don't want it to use tabs; I want to use the links in my navigation (http://www.ensellitis.com/start.php) to load the content in the content area there:
code:
<?php
/******************************
Filename: index.php
Created: December 12, 2002
Author: Brad Touesnard
Copyright: Copyright © 2002 Zenutech.com
Last Modified:
Last Modified By:
******************************/
require("../tab_view.php");
?>
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<title>TabView Demo</title>
<link rel="stylesheet" href="../stylesheet.php" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000" link="#FF0000"
alink="#FF0000" vlink="#FFCCCC" onLoad="javascript: window.self.focus();">
<table width="98%" cellpadding="0" cellspacing="0">
<tr>
<td><img src="../../../../../images/spacer.gif" width="1" height="4"></td>
</tr>
<tr>
<td>
<?php
$TabView = new TabView();
$Tab =& $TabView->Add("1","Welcome","","","Welcome to the TabView Demo.");
$Tab->Image = "../images/icon_fav.gif";
$Tab =& $TabView->Add("2","Forms","","","Using forms with TabView.");
$Tab->Image = "../images/edit.gif";
$Tab =& $TabView->Add("3","Frames","","","Using frames with TabView.");
$Tab->Image = "../images/book.gif";
$Tab =& $TabView->Add("4","DHTML","","","This tab is DHTML enabled.");
$Tab->Image = "../images/search.gif";
$Tab->TabWidth = 100;
$Tab->ForceDHTML = true;
$Tab->DHTML = "href=\"javascript: alert('Current Page: \\'#PAGE#\\'\\nCurrent Querystring: \\'#QUERYSTRING#\\'\\nThis tab #: \\'#TAB#\\'')\"";
if ($_GET['color'] == "red") {
$TabView->ImagePath = "../images/red";
$TabView->QueryString .= "color=red&";
$TabView->BackColor = "#FF6666";
$TabView->SelectedBackColor = "#FF0000";
}
else {
$TabView->ImagePath = "../images/blue";
}
$TabView->StartTab = "1";
$TabView->Class = "tabviewDemo";
if ($_GET['right'] == 1) {
$TabView->Orientation = 1;
$TabView->QueryString .= "right=1";
}
$TabView->Show();
?>
</td>
</tr>
<tr>
<td>
<table width="100%" border="1" bordercolor="<?=$TabView->SelectedBackColor?>" cellpadding="8" cellspacing="0">
<tr>
<td bgcolor="FAFAFA">
<?php if ($TabView->TB == "2") { ?>
<h4>Forms Demo</h4>
<p>One of the most useful applications of TabView is to implement an incremental
form submissions. That is, instead of using one large form on a single page, TabView
allows you to split the form up between several pages.</p>
<p><a href="forms/index.php">Click here to launch the forms demo.</a></p>
<?php } elseif ($TabView->TB == "3") { ?>
<h4>Frames Demo</h4>
<p>TabView can be very useful when implemented with frames.</p>
<p><a href="frames/index.php">Click here to launch the frames demo.</a></p>
<?php } else { ?>
<h4>Welcome to the TabView Demo,</h4>
<p>This is a general demo of TabView, however there are many useful
applications of TabView.</p>
<p>Select one of the tabs above for demos of specific applications for TabView.</p>
<p>
<b>Change Tab Alignment:</b><br>
<a href="?right=0&color=<?=$_GET['color']?>&TB=<?=$_GET['TB']?>">
$TabView->Orientation = 0; (Left)</a><br>
<a href="?right=1&color=<?=$_GET['color']?>&TB=<?=$_GET['TB']?>">
$TabView->Orientation = 1; (Right)</a>
</p>
<p>
<b>Change Tab Color:</b><br>
<table cellpadding="4" cellspacing="0" border="1" bordercolor="#CCCCCC">
<tr>
<td><b>Red</b></td>
<td>
<a href="?right=<?=$_GET['right']?>&color=red&TB=<?=$_GET['TB']?>">
$TabView->ImagePath = "../images/red";<br>
$TabView->BackColor = "#FF6666";<br>
$TabView->SelectedBackColor = "#FF0000";</a>
</td>
</tr>
<tr>
<td><b>Blue</b></td>
<td>
<a href="?right=<?=$_GET['right']?>&TB=<?=$_GET['TB']?>">
$TabView->ImagePath = "../images/blue";<br>
$TabView->BackColor = "#EEEEFF";<br>
$TabView->SelectedBackColor = "#CCCCFF";</a>
</td>
</tr>
</table>
</p>
<?php } ?>
</td>
</tr>
</table>
</td>
</tr>
</table>
<br>
<edit>Don't like the horizontal scroll bar</edit>
(Edited by WarMage on 06-14-2004 02:35)
|
DL-44
Maniac (V) InmateFrom: under the bed Insane since: Feb 2000
|
posted 06-07-2004 00:49
If anything, that confuses the issue further.
As Emperor said, you have either not worded your post well, or are not grasping the concept.
You need to clarify exactly what you want to do, what purpose you wish to do it for, and what part of it you are having trouble with....
|
Emperor
Maniac (V) Mad Scientist with FinglongersFrom: Cell 53, East Wing Insane since: Jul 2001
|
posted 06-07-2004 03:04
Ensellitis: I'm guessing you are trying to adapt that script to fit your own needs - am I right?
If so, you are probably better off starting from scratch, as the whole process is pretty simple and extra fanciness can be added in later.
Basically you want to build a template-driven site which dynamically draws in the content, so have a look at this tutorial:
http://www.gurusnetwork.com/tutorial/php_templating/
You first need to think about how you are going to store your pages' content. Is it in a database? Flat files? PHP files? You also want to work out how many sections you want, what your site structure will be, etc., etc.
All this does affect how the script will work.
Soooooo write down what you are planning and this should help you build a system which is flexible enough for your needs.
___________________
Emps
The Emperor dot org | Justice for Pat Richard | FAQs: Emperor | Site Reviews | Reception Room
|
Ensellitis
Obsessive-Compulsive (I) InmateFrom: Morton, WA, USA Insane since: Feb 2002
|
posted 06-13-2004 07:04
Look at this page to see what I mean:
http://www.markwyner.com/index.php
See when you go to another section you are still at index.php?
|
poi
Paranoid (IV) InmateFrom: France Insane since: Jun 2002
|
posted 06-13-2004 07:44
Ensellitis: Your index.php can include the header, navigation and footer of the pages, plus grab the id sent in GET ( or set it to "home" if it's undefined ) and include a file named id.body_content.htm, where the files XXX.body_content.htm are just, as their extension suggests, the body content of the pages. And voilà. Notice that the include handling the navigation can make use of the id to highlight the corresponding item.
Well, it's not necessary to use includes for the header, navigation and footer, but it makes the index.php a bit cleaner.
Hope that helps. If it doesn't, please explain more precisely what gives you some problems; try to post a URL with your test + a link to view the sources.
(Edited by poi on 06-13-2004 07:53)
|
Ensellitis
Obsessive-Compulsive (I) InmateFrom: Morton, WA, USA Insane since: Feb 2002
|
posted 06-14-2004 02:15
Ok, I think I figured it out...
<?php
// $s is the section requested in the query string (?s=gallery); read it
// explicitly instead of relying on register_globals
$s = isset($_GET['s']) ? $_GET['s'] : "";
if($s=="gallery"){
include("gallery.html");
}
elseif($s=="about"){
include("about.html");
}
elseif($s=="contact"){
include("contact.html");
}
//if no page is defined
else{
include("news.php");
}
?>
|
WarMage
Maniac (V) Mad ScientistFrom: Rochester, New York, USA Insane since: May 2000
|
posted 06-14-2004 02:32
http://www.gurusnetwork.com/tutorial/php_templates/
Seems I wrote a tutorial on just this concept. However, I do not recommend using it anymore; it tends to create a lot more clutter than it is worth.
It is much better to create your content files in appropriate directories and with a template as such.
code:
<?php include($_SERVER['DOCUMENT_ROOT'] . "/path/to/header/file"); ?>
...
content
...
<?php include($_SERVER['DOCUMENT_ROOT'] . "/path/to/footer/file"); ?>
http://www.gurusnetwork.com/tutorial/php_templates_2/
This method works a whole lot better for search engines as well as making it a whole lot easier to maintain. As the site you use this on gets larger and larger, the amount of thinking involved in keeping your data organized becomes greater and greater when using the include-content-by-query-string method. Big site overhauls become one hell of a problem.
The include content by query string method is useful for database based access where you would have something to the effect
"SELECT * FROM content WHERE page = " . $_GET['page'];
|
Ensellitis
Nervous Wreck (II) InmateFrom: Morton, WA, USA Insane since: Feb 2002
|
posted 06-14-2004 02:45
I like that idea much more... Thanks
|
DL-44
Maniac (V) InmateFrom: under the bed Insane since: Feb 2000
|
posted 06-14-2004 02:54
Yes, that method is better than the posted example.
It is also the method that was suggested by two other people above
But to clarify, the posted example is very far from an "entire website in a single PHP script". It is basically just the reverse of the suggested method - the template file includes the content rather than the content including the template.
|
Ensellitis
Nervous Wreck (II) InmateFrom: Morton, WA, USA Insane since: Feb 2002
|
posted 06-14-2004 03:04
Yeah, but I had to find the script I was thinking of to see that it would really be a waste of time anyways... Now I see why templating will be much better...
Now to the task of getting it all done...
Thanks again for all the help guys and educating me. =D
|
H][RO
Bipolar (III) InmateFrom: Australia Insane since: Oct 2002
|
posted 06-14-2004 03:17
quote: Ensellitis said:
Ok, I think I figured it out...
<?
if($s=="gallery"){ include("gallery.html"); }
elseif($s=="about"){ include("about.html"); }
elseif($s=="contact"){ include("contact.html"); }
//if no page is defined
else{ include(news.php); }
?>
Why bother doing this at all... you don't need all those statements...
you can just do include("$s.html")
If you keep your filing structure proper then you can expand it infinitely, without ever having to change the PHP script.
The only if statement you would prolly have is
if($s == "") {
// call the default page
}
else {
include("$s.html");
}
Of course if you want to do it completely safe, then do a quick check for the file you are grabbing on the server and make sure it exists, otherwise call the default document or return a custom error.
A current site I'm working on calls database tables based on the current URL using $PHP_SELF; this way I don't need to use cases or heaps of if statements, and it makes it expand easily..
|
WarMage
Maniac (V) Mad ScientistFrom: Rochester, New York, USA Insane since: May 2000
|
posted 06-14-2004 05:42
H][RO: Just check to make sure you are not accepting query strings that might be like the following: ";SHOW%20TABLES;" or any other malformed expression which might allow the user access to the content.
The other problem is that I might be able to pass something like /etc/passwd, which would allow me access to the MD5 hashed passwords, which I could save and send through an MD5 cracking program to come up with username passwords for different accounts on the box. Any script that accepts user input and does any processing to it is a large security risk. Make sure that you safeguard the information access points as much as possible. Pass it through a regular expression to make sure it fits the correct format; do not allow any non-alphanumeric characters to be accepted into any script. Fail if inputs are too long. Hide the fact that you are using a script by using a rewrite engine to make your query string look like a URL.
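Putting poi's layout (index.php pulling in header, navigation, footer and a body file chosen by ?id=) together with the checks WarMage lists above, here is a hardened version of that dispatcher. This is an added example written for this page, not code posted in the thread; the file names (header.php, navigation.php, footer.php, content/<id>.bodycontent.htm), the 32-character cap and the function name are this example's own assumptions.

```php
<?php
// Added example, not code from the thread. One index.php that includes the page body named
// by ?id=..., refusing anything that is not a known, well-formed page id.
// Assumed layout (this example's choice): header.php, navigation.php and footer.php beside
// this file, page bodies under content/<id>.bodycontent.htm.

// Resolve a requested page id to a file path, or return null if it must be refused.
function resolve_page_file($id, array $allowed, $contentDir) {
    // 1. Shape check first. The pattern is anchored (^ ... $): an unanchored
    //    /[a-zA-Z0-9_]*/ matches the empty string inside any input and rejects nothing.
    if (!is_string($id) || strlen($id) > 32 || !preg_match('/^[a-zA-Z0-9_]+$/', $id)) {
        return null;
    }
    // 2. Whitelist: only ids this site actually has are ever turned into paths.
    if (!in_array($id, $allowed, true)) {
        return null;
    }
    // 3. Existence and containment: the resolved path must be a real file below $contentDir,
    //    so even a future slip in the checks above cannot reach ../ or /etc/passwd.
    $base = realpath($contentDir);
    $file = realpath($contentDir . '/' . $id . '.bodycontent.htm');
    if ($base === false || $file === false || !is_file($file)
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

$pages      = array('home', 'gallery', 'about', 'contact');   // the site's sections
$contentDir = __DIR__ . '/content';

$id   = isset($_GET['id']) ? $_GET['id'] : 'home';             // default when absent
$file = resolve_page_file($id, $pages, $contentDir);
if ($file === null) {
    // refused or missing: fall back to the default page instead of echoing the bad value
    $id   = 'home';
    $file = resolve_page_file($id, $pages, $contentDir);
}

$currentPage = $id;   // navigation.php can compare against this to highlight the active item
include __DIR__ . '/header.php';
include __DIR__ . '/navigation.php';
if ($file !== null) {
    include $file;
}
include __DIR__ . '/footer.php';
```

The three checks are deliberately redundant: the whitelist alone would be enough, but the pattern and length check stop odd input before it is compared to anything, and the realpath containment check protects the include even if someone later widens the whitelist to something computed from the filesystem.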
|
poi
Paranoid (IV) InmateFrom: France Insane since: Jun 2002
|
posted 06-14-2004 10:22
Ensellitis:Ok it makes a bit of echo to H][RO's post, but I rather thought to : code:
<?php
if( !isset( $_GET['id'] ) )
// set the default value if need be
$_GET['id'] = "home";
include( "header.php" );
include( "navigation.php" );
// write some safe guards here
include( $_GET['id'] .".bodycontent.htm" );
include( "footer.php" );
?>
You can add some safe guards to test if the requested file exists and all ( all includes to reject the ids with certain characters for security reasons ) , but this is your job. From what I see of your site, at the moment, I think there's no real need to use a database and a templating system except to gain some experience with them.
|
H][RO
Bipolar (III) InmateFrom: Australia Insane since: Oct 2002
|
posted 06-14-2004 11:16
Yeh mage, it's not a problem with how it's done, since I am using the actual file name and formatting it how I need.
That's for that part anyhow; the only problem could be with the queries, I guess... What do you normally do to stop it? I'm guessing at the moment you could include something harmful in a query that it would use in the script. I have tried putting in expressions to make it do something bad, but it doesn't seem to do anything.
http://meridian.jtdesign.com.au/RacegearAndSafety.php?MenuItem=SPARCO_Gloves&ProdCell=Sparco04
That's the link to one I'm working on; what would I have to put in to check if it has vulnerabilities?
|
WarMage
Maniac (V) Mad ScientistFrom: Rochester, New York, USA Insane since: May 2000
|
posted 06-14-2004 13:59
code:
http://meridian.jtdesign.com.au/RacegearAndSafety.php
?MenuItem=SPARCO_Gloves&ProdCell=Sparco04%41SHOW%20TABLES%41
If it screws up your query you have a vulnerability. I picked ;SHOW TABLES; as my example here, because it shouldn't be harmful. If your query is executed with something like that being accepted as a value, you might have a problem.
To minimize potential damage, make sure you have a separate account for separate databases. Make sure you never use the root or admin account to serve any data; if the queries are being executed I can potentially place a query that adds a new admin account to the system that can be connected to remotely. Also make sure the account you are using can only access your database locally. You don't want to accept queries from any remote location. This is only true for a web site based DB; many applications will require you to offer remote connections, but never allow them for your web site's account. If you have a multi-tier setup with webserver and DB server on different boxes, make sure that you only accept DB connections from your web server.
I would run a regex something like /[a-zA-Z0-9_]*/ on both of your inputs; this would limit the values to only those that you use. The dangerous character to accept is the ; and also the % character, because it can let me slide in the dangerous character via the hex code. The ; is what would end a query and start a new one.
Good luck,
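For the database side of this, the query WarMage sketched earlier ("SELECT * FROM content WHERE page = " . $_GET['page']) is the pattern his ;SHOW TABLES; test is aimed at. The following is an added example, not code from the thread, showing that concatenated form next to a parameterised one using PDO, plus the restricted-account setup he recommends. The schema (a site database with a content(page, body) table), the webuser account and the function names are this example's own assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: a MySQL database "site" with a table
// content(page, body), reachable only from localhost by a read-only account "webuser".

// Vulnerable: the value of ?page= is spliced into the SQL text. A value such as
// ;SHOW TABLES; (WarMage's test above) becomes part of the statement the server parses,
// so the characters in the input decide what the query means.
function fetch_body_unsafe(PDO $db, $page) {
    $sql = "SELECT body FROM content WHERE page = '" . $page . "'";
    return $db->query($sql)->fetchColumn();
}

// Safe: the statement text is fixed at prepare time; the value travels separately as a
// bound parameter and is never parsed as SQL, whatever characters it contains.
function fetch_body(PDO $db, $page) {
    $stmt = $db->prepare("SELECT body FROM content WHERE page = ?");
    $stmt->execute(array($page));
    $body = $stmt->fetchColumn();          // false when no row matched
    return ($body === false) ? null : $body;
}

// Defence in depth, independent of the query code:
//   - a dedicated account, never root/admin, that can only SELECT from this table and
//     only connect from the web server itself. Constructed example, run once as the DB admin:
//       CREATE USER 'webuser'@'localhost' IDENTIFIED BY '<placeholder password>';
//       GRANT SELECT ON site.content TO 'webuser'@'localhost';
//   - server-side prepared statements rather than client-side emulation, and exceptions
//     on error so a failed query cannot silently fall through.
$db = new PDO(
    'mysql:host=localhost;dbname=site;charset=utf8',
    'webuser',
    '<placeholder password>',
    array(
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    )
);

$page = isset($_GET['page']) ? $_GET['page'] : 'home';
$body = fetch_body($db, $page);
echo ($body === null) ? '<p>Page not found.</p>' : $body;
```

With the parameterised query, the character filtering discussed in this thread becomes a second layer rather than the only thing standing between the query string and the database; with the SELECT-only account, even a query that did go wrong could not add tables or users.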
|
poi
Paranoid (IV) InmateFrom: France Insane since: Jun 2002
|
posted 06-14-2004 14:38
H][RO said: quote: what would i have to put in to check if it has vulnerabilities?
Basically, check if there is some semicolons, slash, backslash, quotes, double quotes, ... before AND after urldecode()-ing ( and eventually utf8_decode()-ing too ) your query string.
|
H][RO
Bipolar (III) InmateFrom: Australia Insane since: Oct 2002
|
posted 06-14-2004 16:55
Ok, I'll make sure to add the checking in then,
quote: poi said:
... before AND after urldecode()-ing ( and eventually utf8_decode()-ing too ) your query string.
I'm not sure exactly what you mean; I'm using this sort of thing to get the variables from the URL
code:
// names of the query-string variables this page accepts
$varArray = array('MenuItem','ProdCell');
for($i = 0; $i < count($varArray); $i++)
{
if(!isset($_GET[$varArray[$i]]))
{
// variable variable: creates $MenuItem / $ProdCell from the names above; the braces
// make the intended $varArray[$i] lookup explicit (required on PHP 7 and later)
${$varArray[$i]} = "";
}
else
{
${$varArray[$i]} = $_GET[$varArray[$i]];
}
}
If they put semicolons etc. in there, is it possible for them to execute their own server-side code even somewhere here? How can you stop that... I mean, to check for semicolons you have to use the string you're checking (if you know what I mean).
I haven't done much of this at all; it's definitely a big weakness of mine.
|
poi
Paranoid (IV) InmateFrom: France Insane since: Jun 2002
|
posted 06-14-2004 18:07
In itself, putting a semicolon won't allow "them" to execute their own server side code ( unless you eval() the variables ). But, be careful that by using the variables given by the users you don't provide them some vital information nor give a means to exploit a security hole ( like a simple buffer overflow or a ).
In the case of the code snippet I gave, it could be abused, like WarMage said, to get the content of /etc/passwd. In the case of a database driven site, it could be abused to execute some other queries.
If the way you use the variables is able to decode a url_encode()-d or utf8_encode()-d string, then double your tests for semicolons, slashes etc... by doing them on the plain version of the variables AND on their decoded versions.
As a side note, you can make your code snippet a bit shorter ( damn! I can't help doing that ) : code:
$varArray = array( 'MenuItem', 'ProdCell' );
foreach( $varArray as $currentVariable )
$$currentVariable = "". $_GET[ $currentVariable ];
|
Tyberius Prime
Paranoid (IV) Mad Scientist with FinglongersFrom: Germany Insane since: Sep 2001
|
posted 06-14-2004 19:00
well poi, but that *will* generate errors when debugging is turned on, as $_GET[$currentVariable] isn't set.
Plus, you should really first remove all other variables that might have been created by register_globals
by looking through the keys() of $_GET, $_POST, $_COOKIES and unsetting them (and don't forget those copies in $GLOBALS).
|
poi
Paranoid (IV) InmateFrom: France Insane since: Jun 2002
|
posted 06-14-2004 19:20
Tyberius Prime: yep, I thought about the warning generated by an error_reporting set to E_ALL. An @ is enough to avoid that. I don't get what you mean in your second sentence. Whatever, when I use/create a global variable in a project all the dev team members are aware of its name and use, so as to avoid concurrent names.
|
H][RO
Bipolar (III) InmateFrom: Australia Insane since: Oct 2002
|
posted 06-15-2004 02:40
Ok thanks for that,
Hey poi, what's the simplest/shortest way to check for semicolons etc. in the code I gave you?
Also, I'm still not sure what you mean by this: "If the way you use the variables is able to decode an url_encode()-d or utf8_encode()-d string,"
|
poi
Paranoid (IV) InmateFrom: France Insane since: Jun 2002
|
posted 06-15-2004 03:59
The easiest way to check for the presence of a semicolon is certainly strpos().
I meant, something like the IIS Unicode bug for instance. The article named Be the hacker covers the subject of sensitive characters too.
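As a concrete version of the strpos() suggestion and of the "before AND after decoding" point from earlier in the thread, here is an added example (not code posted by anyone here) that checks each query-string value for ; / \ ' " both as received and after a further decode, then applies it to the MenuItem/ProdCell loop H][RO posted. The function name and the 400 response are this example's choices; it complements, and does not replace, the anchored pattern/whitelist check discussed above.

```php
<?php
// Added example, not code from the thread. Looks for the characters poi lists in a
// query-string value as received and again after one more URL decode, using strpbrk()
// (strpos() for a set of characters rather than one).

function has_forbidden_chars($value) {
    // arrays (?MenuItem[]=x) and other non-strings are never acceptable here
    if (!is_string($value)) {
        return true;
    }
    $forbidden = ";/\\'\"";
    // 1. the plain value, exactly as PHP handed it over in $_GET
    if (strpbrk($value, $forbidden) !== false) {
        return true;
    }
    // 2. PHP has already URL-decoded the query string once. A value sent as %253B therefore
    //    arrives as %3B and shows its ';' only after a second decode, so test that form too.
    //    (Any further decoding layer your own code applies gets the same treatment.)
    $decoded = rawurldecode($value);
    if ($decoded !== $value && strpbrk($decoded, $forbidden) !== false) {
        return true;
    }
    return false;
}

// Same parameter list as H][RO's loop above; absent parameters become "" without a notice.
$varArray = array('MenuItem', 'ProdCell');
foreach ($varArray as $name) {
    $value = isset($_GET[$name]) ? $_GET[$name] : "";
    if (has_forbidden_chars($value)) {
        // refuse the whole request rather than trying to "clean" the value;
        // $name comes from our own list above, never from the client
        header('HTTP/1.0 400 Bad Request');
        exit('Invalid parameter: ' . htmlspecialchars($name));
    }
    $$name = $value;     // creates $MenuItem and $ProdCell as the rest of the page expects
}
```

A blacklist of characters is the weaker of the two approaches (it has to anticipate every encoding trick), which is why the check above is best used alongside the positive pattern match rather than on its own.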
|
H][RO
Bipolar (III) InmateFrom: Australia Insane since: Oct 2002
|
posted 06-15-2004 05:56
Oh, I see; I guess it's easy to write a function to check the string for any characters you want using that.
I was thinking you would do it more with regex as WarMage mentioned above, just not sure how! Hehe, I'll have to look into it; thanks for that.
|
Tyberius Prime
Paranoid (IV) Mad Scientist with FinglongersFrom: Germany Insane since: Sep 2001
|
posted 06-15-2004 16:10
poi: Many php servers use registerGlobals to register anything that comes in via post, get and cookies as a global variable.
You'll need to unset those to avoid certain kinds of attacks. (which of course would also be avoided by defensive coding).
|
bitdamaged
Maniac (V) Mad ScientistFrom: 100101010011 <-- right about here Insane since: Mar 2000
|
posted 06-16-2004 00:43
Actually my site runs all from one index.php page. It's a bit more robust than just using includes, however. In fact, while I use includes, I don't use these for HTML. All told, I think with the admin screens there are about 20 different pages that run from that one index.php page.
Anyway, it was meant to just be my own thing and more of an exercise than anything else. I probably wouldn't do it this way again.
.:[ Never resist a perfect moment ]:.
|
H][RO
Bipolar (III) InmateFrom: Australia Insane since: Oct 2002
|
posted 06-16-2004 02:01
My site does a 'similar' thing, but I prefer the URL to be more meaningful without the variables at the end. So I have the page name SomePage.php which includes whatever files it needs. For a set of different product pages these just include the product script and a menu script, so they are really just a shell.
This is the first time I've done this; it's working out quite well. Doing it this way also allows you to do things without having to take parameters, so instead of index.php?page=somePage, I just go to somePage.php, then I trim the URL to 'somePage', which actually matches the tables I've set up in the database.
So far it's working well, and it's very easily expanded.
|
Tyberius Prime
Paranoid (IV) Mad Scientist with FinglongersFrom: Germany Insane since: Sep 2001
|
posted 06-16-2004 16:13
well... that just cries for mod_rewrite, H][RO.
|
bitdamaged
Maniac (V) Mad ScientistFrom: 100101010011 <-- right about here Insane since: Mar 2000
|
posted 06-16-2004 18:34
Yeah in mine I actually have the code to make this work with mod_rewrite for search engine friendly URLs
You can actually still download the source code for my site at
http://www.bitdamaged.com/bitblog/
.:[ Never resist a perfect moment ]:.
(Edited by bitdamaged on 06-16-2004 18:34)
|
H][RO
Bipolar (III) InmateFrom: Australia Insane since: Oct 2002
|
posted 06-17-2004 02:13
I think I have been through this before, but I'm on a Windows server... so I don't have a .htaccess file..
Or is this something different and I'm getting confused? I don't know how it would work, though, because it would point to a directory that doesn't exist and give a 404 error, without knowing it has to go through some code to rewrite the URL?
This still confuses me ... anyone care to explain if it works on a Windows server and how? I read that mod_rewrite page but now my head is humming =(
|
Tyberius Prime
Paranoid (IV) Mad Scientist with FinglongersFrom: Germany Insane since: Sep 2001
|
posted 06-17-2004 08:32
depends... if you're running Apache on Windows, you don't have a problem. Just use .htaccess.
Otherwise, i.e. if you're running IIS, google for 'iis mod_rewrite', though I only found commercial offerings on the first page.
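To answer the "how would it know to go through some code" question, here is an added example (not from anyone in the thread) of the .htaccess rules that make /gallery reach index.php?page=gallery on Apache, including Apache on Windows. It assumes a front controller named index.php that reads a page parameter, and that the directory has AllowOverride FileInfo enabled; both are this example's assumptions.

```apache
# Added example, not from the thread. Rewrites /gallery to /index.php?page=gallery.
# Assumes index.php reads ?page= and that AllowOverride FileInfo is on for this directory.
RewriteEngine On

# Requests for files and directories that really exist are left alone
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# Only a short alphanumeric/underscore segment is forwarded to the script; anything else
# matches no rule, so Apache serves its normal 404 instead of calling index.php.
# QSA keeps any existing query string, L stops processing after this rule.
RewriteRule ^([A-Za-z0-9_]{1,32})/?$ index.php?page=$1 [L,QSA]
```

The character class in the rule mirrors the pattern the PHP side should enforce anyway; the rewrite layer filters first, but the script must still validate, because index.php?page=... remains reachable directly.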
|
H][RO
Bipolar (III) InmateFrom: Australia Insane since: Oct 2002
|
posted 06-17-2004 15:16
Yeah, I have looked at this a few times and from memory decided it simply wasn't worth it, and is a lot of work.
The only reason I would do it now is for security, I guess - since the PHP pages get indexed perfectly with Google etc. anyhow.
|