Let's say that we had 200 content pages on our site. Now let's say we wanted to add a navigation link. We could go through every file and change it, but that takes a lot of time and is very tedious. This is where dynamic inclusions come into play. They allow us to store the page content in a separate file and then have that content file included in the content area of the layout.
II. The Concept
To help us better understand how dynamic inclusions work, we are going to look at some example code.
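<?php
echo "The sites header html code";
/* The file name is taken straight from the URL, e.g. index.php?file=contentpage.html */
$file = $_GET['file'];
include($file);
echo "The sites footer html code";
?>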
This is a basic example of how a dynamic inclusion works. The layout header HTML code is displayed. Then the file containing the content is included. Finally, the footer HTML code is displayed. Now that you have a better understanding of dynamic inclusions, we can move on to an improved version of the code.
III. The Code
The code we used above has some problems. It can be easily exploited, allowing a user to execute malicious code on the server by providing the URL of the malicious code on a remote server (ex: http://yoursite.com/index.php?file=http://theirsite.com/badcode.txt). We can correct this problem by specifying a base directory for the include and making sure there are no occurrences of "http://" in the URL. Now let's take a look at the code.
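<?php
echo "header html code";
$file = isset($_GET['file']) ? $_GET['file'] : '';
/* Only include when "http://" does not occur; basename() drops directory parts such as "../".
   It will look for the file in the /pages/ directory */
if ($file !== '' && stripos($file, 'http://') === false) include(dirname(__FILE__) . '/pages/' . basename($file));
echo "footer html code";
?>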
Now save the code as index.php and place it in the root directory of your site. Then access the script by going to http://yoursite.com/index.php?file=contentpage.html. The script will look for the file in the /pages/ directory.
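A check for "http://" on its own does not stop a value such as ../config.txt from leaving the pages directory. The following is an added example, not code from the original tutorial: a hypothetical resolve_page() helper that accepts only plain .html names and confirms with realpath() that the result stays inside /pages/. The function name and the sample files (built in a temporary directory) are assumptions.

```php
<?php
// Added example. resolve_page() and the sample file names are assumptions.
function resolve_page($baseDir, $requested)
{
    // Accept only plain names such as "contentpage.html": no slashes, no scheme.
    if (!is_string($requested) || !preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves ".." and symlinks; it returns false for a missing file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still lie under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample layout in a temporary directory, so the script runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/contentpage.html', '<p>content</p>');
file_put_contents($root . '/config.txt', 'outside the pages directory');

$samples = array(
    'contentpage.html',                  // legitimate page
    'http://theirsite.com/badcode.txt',  // URL from the article
    '../config.txt',                     // contains no "http://", yet leaves /pages/
    'missing.html',                      // well-formed name, file does not exist
);
foreach ($samples as $s) {
    $substring = stripos($s, 'http://') === false ? 'passes' : 'blocked';
    $path = resolve_page($root . '/pages', $s);
    printf("%-34s http:// check: %-8s resolve_page: %s\n", $s, $substring,
        $path === null ? 'rejected' : $path);
}

// Remove the constructed files again.
unlink($root . '/pages/contentpage.html');
unlink($root . '/config.txt');
rmdir($root . '/pages');
rmdir($root);
```

In index.php, include the path that resolve_page() returns, and send a 404 response when it returns null.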
Posted by QauuvYvXuNefHFaMsWa (Unregistered) on Tuesday, November 4th @ 7:32am EST