简单的 PHP 控制器，这段代码有问题吗？

发布于 2024-12-19 12:19:14 字数 978 浏览 0 评论 0原文

我正在尝试为一个小站点构建一个非常简单的 php 控制器页面。这是我到目前为止所拥有的。看起来效果不错。我这样做可能会遗漏任何问题吗？

$page = $_GET['p'];

switch ($page)
{
case "":
    ob_start();
    include "inc/home.php";
    $content = ob_get_contents();
    ob_end_clean();
    break;
case $page:
    $page = str_replace("/", "", $page);
    if (file_exists("inc/".$page.".php"))
    {
       ob_start();
       include "inc/".$page.".php";
       $content = ob_get_contents();
       ob_end_clean();
    }
    else
       include "inc/404.php";
    break;
}

include("inc/header.php");

echo $content;

include("inc/footer.php");

更新：这是基于注释的最终代码，效果很好。

<?php

$page = (isset( $_GET['p']) && !empty($_GET['p'])) ? $_GET['p'] : 'home';

if( preg_match( '/[^a-z]/i', $page))
{
    $page = '404';
}

if( !file_exists( "inc/".$page.".php"))
{
    $page = '404';
}

ob_start();
include("inc/header.php");
include("inc/".$page.".php");
include("inc/footer.php");

?>

原文

I'm trying to build a really simple php controller page for a small site. Here is what I have so far. It seems to work well. Are there any issues I might be missing with doing it this way?

$page = $_GET['p'];

switch ($page)
{
case "":
    ob_start();
    include "inc/home.php";
    $content = ob_get_contents();
    ob_end_clean();
    break;
case $page:
    $page = str_replace("/", "", $page);
    if (file_exists("inc/".$page.".php"))
    {
       ob_start();
       include "inc/".$page.".php";
       $content = ob_get_contents();
       ob_end_clean();
    }
    else
       include "inc/404.php";
    break;
}

include("inc/header.php");

echo $content;

include("inc/footer.php");

UPDATE: Here is the final code based on comments that works well.

<?php

$page = (isset( $_GET['p']) && !empty($_GET['p'])) ? $_GET['p'] : 'home';

if( preg_match( '/[^a-z]/i', $page))
{
    $page = '404';
}

if( !file_exists( "inc/".$page.".php"))
{
    $page = '404';
}

ob_start();
include("inc/header.php");
include("inc/".$page.".php");
include("inc/footer.php");

?>

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

万劫不复 2024-12-26 12:19:14

您的整个脚本可以重写如下：

$page = ( isset( $_GET['p']) && !empty( $_GET['p'])) ? $_GET['p'] : 'home';

// Only allow alphabetic characters in a user supplied page
if( preg_match( '/[^a-z]/i', $page))
{
    $page = '404';
}

if( !file_exists( "inc/".$page.".php"))
{
    $page = '404';
}

include("inc/header.php");
include("inc/".$page.".php");
include("inc/footer.php");

但是，这也不再容易受到本地文件包含的影响，因为 $page 仅限于字母字符，如果提交了其他内容，脚本将显示 404 页面。

它也更高效，因为它不使用输出缓冲。

Your entire script can be rewritten as follows:

$page = ( isset( $_GET['p']) && !empty( $_GET['p'])) ? $_GET['p'] : 'home';

// Only allow alphabetic characters in a user supplied page
if( preg_match( '/[^a-z]/i', $page))
{
    $page = '404';
}

if( !file_exists( "inc/".$page.".php"))
{
    $page = '404';
}

include("inc/header.php");
include("inc/".$page.".php");
include("inc/footer.php");

However, this is also no longer susceptible to Local File Inclusion, as $page is restricted to only alphabetic characters, and the script will show the 404 page if anything else is submitted.

It's also more efficient as its not using output buffering.

回复收藏 0 原文

~没有更多了~