[captainsquid]

Hello, I am working on a site that will have content in different categories. Within the categories, there will be subjects. Within the subjects, there will be articles. I came up with this that will determine whether the article number, subject, or category was set. An example URL would be:

Code:

index.php?category=cats&subject=tails&article=tails suck

here is my logic (might be very bad):
Check if article was set ($_GET).
if it was, combine whatever was set for the category, subject, and article into a filename.php.
If it wasnt,
check wether a subject was set....etc..
here is what i have, but only the code above the script will show up in the browser.(only the header)

PHP Code:

<?php

      

$home = "home.php";

$footer = "footer.php";

$category = $_GET['category'];

$subject = $_GET['subject'];

$article = $_GET['article'];

$phpend = ".php";



function showfooter(){

    include ("$footer");

}

function checksub(){

    if(empty($subject)) {

    checkcat();

} elseif (isset($subject)){

    include ("$category$subject$phpend");

    showfooter();

    exit();

    }

}



function checkcat(){

    if(empty($category)) {

    include ("$home");

    showfooter();

} elseif (isset($category)){

    include ("$category$phpend");

    showfooter();

    exit();

    }

}



if(empty($article)) {

    checksub();

} elseif (isset($article)){

    include ("$category$subject$article$phpend");

    showfooter();

    exit();

    }

    

      

?>

How would i fix this? I was guessing syntax was the problem, but i check and rechecked...maybe my logic is just failing me today...did I use the exit(); command inappropriately? thanks in advance!

[Nico]

Take a look at this page: PHP: Variable scope - Manual

[captainsquid]

thanks, nico!
the problem was that the variables declared only worked on a general scale, and did not apply within the functions. i had to globally declare each variable in each funtion. other functions did not have to be declared within the funtions:

PHP Code:

$home = "home.php";

$footer = "footer.php";

$category = $_GET['category'];

$subject = $_GET['subject'];

$article = $_GET['article'];

$phpend = ".php";



function showfooter(){

    global $footer;

    include ("$footer");

}



function checksub(){

    global $subject;

    global $category;

    global $phpend;

    if(empty($subject)) {

    checkcat();

} elseif (isset($subject)){

    include ("$category$subject$phpend");

    showfooter();

    exit();

    }

}



function checkcat(){

    global $category;

    global $phpend;

    global $home;

    if(empty($category)) {

    include ("$home");

    showfooter();

} elseif (isset($category)){

    include ("$category$phpend");

    showfooter();

    exit();

    }

}



if(empty($article)) {

    checksub();

} elseif (isset($article)){

    include ("$category$subject$article$phpend");

    showfooter();

    exit();

    }

    

      

?> 

[infinitylimit]

You have a major security hole in your script. You must never use $_GET vars or any user submitted information without filtering it first. On top of that you then include that variable. Basically you wrote the equivalent of "do whatever you want my site" security hole.

To paint a clear picture, set $_GET['category'] = 'file of interest' and the others to null and you script without provocation will execute
include(whateveryouwant.php)

even with your phpEnd it doesn't help because someone can just as easily negate that if they know it's there.

understand that is an issue?

[captainsquid]

so, are you saying that i should set an array? I dont really understand what you mean by 'filter'. I do notice the security hole, and see how it could possibly lead to some leaked info... could you please show an example in which something terrible could happen? thanks...