
PHP Navigation

How to write and understand a more secure navigation script. I am sure you have seen other navigation scripts; the difference is that those scripts open a security hole on your site, an SSI (Server Side Include) exploit to be exact.

Here is an example of the dangerous code:

<?php
// DANGEROUS - do not use. The page name is taken straight from the query string
// and handed to include(), so a remote URL can be included.
if(!isset($_GET["url"])) 
	{
	$url = "home";
	}
else 
	{
	$url = $_GET["url"];	// the original relied on register_globals to fill $url
	}
include ($url . ".php");	// appends the ".php" extension and includes the result
?>

The above code says: if the variable "url" is set, include that page; otherwise include the predefined page. It seems secure enough, but anyone can make it include a malicious file.

Here is an example URL: www.yournavscript.com/index.php?url=http://www.maliciouscodesite.com/badcode

This would include the malicious code, because your site simply appends the ".php" extension to whatever "url" contains and includes the result.

I am sure you can see the problem with this result.



Here is the more secure option:

<?php
$default = "home.php";	// page included whenever the request is missing or rejected
$allowed = array (	// allow list: page names (without ".php") that may be included
	'index',
	'example',
); 
if( isset( $_POST["P"] ) || isset( $_GET["P"] ))
	{
	// GET takes precedence over POST; only one of them needs to be set
	$page = isset($_GET["P"]) ? $_GET["P"] : $_POST["P"];
	
	// the request is accepted only if it matches an allow-list entry exactly
	if( in_array( trim ( $page ), $allowed, true ))
		{
		$file = trim( $page ) . ".php";	// use the trimmed name, since that is what was checked
		if( (file_exists( $file )))
			{
			include( $file );
			}
		else
			{
			include( $default );	// allowed, but the file is missing on disk
			}
		}
	else
		{
		include( $default );	// not on the allow list
		}
	}
else
	{
	include( $default );	// no page requested
	}
?>


$default = "home.php";

The default page that is included.



$allowed = array (
	'index',
	'example',
); 

This is the array of allowed pages; add as many as you need.



if( isset( $_POST["P"] ) || isset( $_GET["P"] ))
	{

If the "P" variable is set, continue with the script; if not, include the default page.



$page = isset($_GET["P"]) ? $_GET["P"] : $_POST["P"];

Takes the value of "P" (from GET if it is present, otherwise from POST) and stores it in the "$page" variable.



if( in_array( trim ( $page ), $allowed, true ))
	{

Check whether the value in "$page" is in the "$allowed" array. The "trim" part removes any leading or trailing whitespace from the requested name before it is compared, and the "true" argument makes the comparison strict, so the name has to match an entry exactly.



$file = trim( $page ) . ".php";

Sets $file to the trimmed name of the page you are requesting and appends the ".php" extension.



if( (file_exists( $file )))
	{
	include( $file );
	}

If the file exists, include it ($file).



else
	{
	include( $default );
	}

If the page is in the array but the file is not found on disk, include the default file.



else
	{
	include( $default );
	}
}

If the requested page is not in the array, include the default file.



else
	{
	include( $default );
	}

If no page is requested, include the default one.



That is the end of the script. You now have a more secure alternative for a site with PHP navigation: fill the array with your pages and you are ready to go. If you wanted to extend the script you could add a file type check as well.
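As an added example (not the tutorial's own code), here is the same allow-list idea written as one function. It also covers the situation Matti asks about in the comments, where the sub pages live in a "pages" folder: the function name resolve_page, the "pages/" directory, the page names and the use of realpath() to confirm the resolved file sits inside that directory are all assumptions made for this example.

```php
<?php
// Added example, not the tutorial's code. Assumes sub pages live in
// "pages/" next to this script and that $allowed holds bare page names
// (no ".php", no path separators).

/**
 * Return the absolute path of the page file to include. Falls back to the
 * default page when the request is missing, not a plain string, not on the
 * allow list, missing on disk, or (defence in depth) resolving outside
 * $pagesDir.
 */
function resolve_page($requested, array $allowed, $default, $pagesDir)
{
    $pagesDir = realpath($pagesDir);
    if ($pagesDir === false) {
        throw new InvalidArgumentException('pages directory does not exist');
    }
    $fallback = $pagesDir . DIRECTORY_SEPARATOR . $default . '.php';

    // ?P[]=x would arrive as an array; only a plain string is acceptable.
    if (!is_string($requested)) {
        return $fallback;
    }
    $page = trim($requested);

    // Strict comparison: the name must equal an allow-list entry exactly.
    if (!in_array($page, $allowed, true)) {
        return $fallback;
    }

    // realpath() returns false for a file that does not exist and collapses
    // any "../" segments, so the prefix check below is meaningful.
    $file = realpath($pagesDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($file === false || strpos($file, $pagesDir . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $file;
}

$allowed = array('index', 'example');   // assumed page names
$default = 'home';                      // assumed default page (pages/home.php)

// GET first, then POST, exactly as the tutorial does; null when neither is set.
$requested = isset($_GET['P']) ? $_GET['P'] : (isset($_POST['P']) ? $_POST['P'] : null);

include resolve_page($requested, $allowed, $default, __DIR__ . '/pages');
?>
```

The allow list is what makes this safe: a remote URL or a traversal string such as "../../etc/passwd" is never equal to "index" or "example", so it is rejected before any file system call. The realpath() prefix check costs nothing and protects you if someone later adds an allow-list entry containing a path separator by mistake.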


Comments: PHP Navigation

 Stefan  Tue Jan 3, 2006 2:01 pm  
Awesome tutorial. I already knew this, but it's still good.
 p2p  Thu Jul 13, 2006 1:07 pm  
Where do I put this code? On the navigation or at the top of the page? Or where? I am so confused with this PHP navigation thing... :mad
 Matthew Keefe  Thu Jul 13, 2006 1:12 pm  
You place this code at the top of the page where you would like the HTML to be loaded. You can also place it at any other point where you would want the page loaded. When I used this method I would have one PHP file that loads in a header and footer. Then between those I loaded this navigation script.
 php manual  Sat Jan 27, 2007 2:58 am  
good article,thanks
 abdullah  Thu Jan 31, 2008 1:40 pm  
At home, in your home environment,
if you have 2 hours of free time, this job is for you. Earning money from the internet with no expense is now very easy; earn 480 ytl in 7 months. It is time to earn money from the internet.

 rick james  Tue Feb 5, 2008 4:03 pm  
Really clear and concise! Many thanks, keep up the good work.
 Robert Popplewell  Sun Mar 16, 2008 6:21 am  
In the line where you are filling the $page variable with POST or GET data:

$page = ( $_POST["P"] ) || isset( $_GET["P"] );

Should the isset function be used at this point? seeing as it only returns a TRUE or FALSE value.
 mkeefe  Sun Mar 16, 2008 10:07 am  
@Robert, good point, it doesn't seem to be on the correct line. Actually, it is duplicated for some strange reason. it should simply be:

$page = isset($_GET["P"]) ? $_GET["P"] : $_POST["P"];

I will have that fixed right now.

Thanks,
Matt
 Bas  Mon Apr 14, 2008 3:53 am  
Whenever I make use of the querystring ($_GET["..."]) I run it through a function that encrypts/decrypts it. Even though the encrypted querystring can still be tampered with, you will be an unguided missile without the algorithm.
 mkeefe  Mon Apr 14, 2008 4:01 am  
@Bas, That is a good tip. Whenever possible it is a good idea to limit what goes across the url, as a good secondary, try using an ID that matches some database parameters or session variables.
 Busby SEO Challenge  Sat Aug 2, 2008 8:38 pm  
This is a Great Example to be used on CMS websites. The problem of using get for the page is the SEO. It's not good for search engine but you can use htaccess to make it Search Engine Friendly URL.
 Matti  Mon Jan 26, 2009 9:35 pm  
Hi. How do I make this search for files in a folder above the current folder? I have all my sub pages in the 'pages' folder. I tried to change the line: $file = $page . ".php"; but I don't know how to write the path correctly. Any help would be appreciated!
 mkeefe  Tue Jan 27, 2009 7:59 am  
@Matti - If you want to load content from another directory you can add in the full url such as:

/path/on/server/httpdocs/dir/

or you can use: ../

Hope this helps.

Matt
 Guest  Wed Oct 21, 2009 4:53 am  
$site_rul = "http://$url/nav.php";



?>

I am getting this:

Parse error: syntax error, unexpected '=' in /homepages/3/d238287136/htdocs/oficinadeempleos/conn.php on line 11

Please comment

Thanks

Alex
 mkeefe  Wed Oct 21, 2009 5:27 am  
@Guest - While I can't see most of the script provided I assume you have an un-escaped character on line 11, such as a quote or dollar-sign.
 textureplus  Sat May 29, 2010 8:34 pm  
Thanks, really great tutorial!
 Lover  Mon Jul 19, 2010 5:20 am  
Nice! This is what I'm looking for. Thanks!
 cihip  Thu Sep 16, 2010 12:35 am  
PHP Navigation code for thanx.
 Singles Events NYC  Wed Nov 3, 2010 5:53 pm  
This navigation code can be used on dynamic websites too. I have tested it out.
 mkeefe  Tue Nov 9, 2010 4:57 am  
Glad the tutorial helped you. I have used it in numerous projects.
 Sam  Sat Sep 24, 2011 12:30 pm  
can you post a working directory? I need to see how the different pages interact with each other