getting an error when I run this script... PLEASE HELP 2


sd0t1 (IS-IT--Management), Mar 14, 2007
I'm using includes to create a template type page. Here is the code:

<?php
include ("template/head.php");
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
<tr>
<td valign="top" align="left" width="175">
<?php
include ("template/side_menu.php");
?></td>
<td width="1" valign="top"> </td>
<td valign="top">
<div id="content">
<?php
$main_body = $_GET['p'];
$main_body = mysql_real_escape_string($main_body);

if ($main_body = '')
{
include ("pages/default.php");
}
else
{
include ("pages/$main_body");
}
?>
<table width="100%" border="0" cellspacing="2" cellpadding="0">
<tr>
<td height="456">&nbsp;</td>
</tr>
</table>
</div>
</td>
<td width="1" valign="top"> </td>
</tr>
<tr>
<td valign="top" align="left"></td>
<td valign="top"></td>
<td valign="top">
<?php
include ("template/bottom_menu.php");
?>

However, I keep getting this error. Please, someone help me figure this out. My include path appears to be correct, but evidently I'm missing something else.

Warning: main(pages/) [function.main]: failed to open stream: Permission denied in C:\AppServ\ on line 37

Warning: main() [function.include]: Failed opening 'pages/' for inclusion (include_path='.;c:\php\includes; c:\appserv\ c:\appserv\ in C:\AppServ\ on line 37
 
You might find this code works better. You are misusing '=' (which is an assignment operator, NOT a comparison operator).

Code:
<?php include ("template/head.php");  ?> 
<table border="0" width="100%" cellspacing="0" cellpadding="2">
	<tr>
		<td valign="top" align="left" width="175">
			<?php include ("template/side_menu.php"); ?>
		</td>
		<td width="1"  valign="top">
			&nbsp;
		</td>
		<td valign="top">
			<div id="content">
<?php 
$main_body = empty($_GET['p']) ? 'default.php' : mysql_real_escape_string($_GET['p']);
?> 
				<table width="100%" border="0" cellspacing="2" cellpadding="0">
					<tr>
						<td height="456">
							&nbsp;
						</td>
					</tr>
				</table>
			</div>
		</td>
		<td width="1"  valign="top">   
			&nbsp;
		</td>
	</tr>
	<tr>
		<td valign="top" align="left">
			&nbsp;
		</td>
		<td  valign="top">
			&nbsp;
		</td>
		<td valign="top">
			<?php include ("template/bottom_menu.php"); ?>
		</td>
	</tr>
</table>

post back the error message you get with the fixed code, please?
 
Hi JPadie, I copied the code you wrote and I didn't get an error. But it didn't display my default.php page either.

Can you explain this line for me please.

What does the '?' do?
Also, the ':'. What does it do?

$main_body = empty($_GET['p']) ? 'default.php' : mysql_real_escape_string($_GET['p']);

thanks for your help.
 
It acts as a short-hand IF-THEN-ELSE statement.

IF (condition) ? THEN (do something) : ELSE (do something else)

So in your case...

IF there is something in the $_GET value of "p"
THEN $main_body = 'default.php'
ELSE it escapes the special characters in 'p' to use.

This won't work since if it's filled in, it will use default.php. It will only get to the ELSE if 'p' is blank, then the mysql_real_escape_string function will fail because it has nothing to parse.

Mark
 
Mark, are you sure?? i used the empty() function, not the isset() function. so to my mind if there is nothing in $_GET['p'] or it is not set, then the variable is set to default.php, otherwise it is set to the relevant value.

to the OP: make sure that you have connected to the database first. otherwise mysql_real_escape_string() will fail.

but anyway, why are you using mysql_real_escape_string? this is not being used for data entry. i'd look at url_decode or something.
 
My mistake. I looked quickly and probably expected isset. Thank you for catching that.

Sadly, I sometimes stare at my own code for several minutes to debug and overlook something simple like that.

Mark
 
Thanks JPadie and Mark.

That's a cool 'short hand' if/then/else. I didn't know that.

To answer JPadie's question: I used mysql_escape_string because I thought I needed to escape anything a user can insert into the database. And I thought they could insert a malicious statement in the URL address using the 'p' variable.

Am I wrong?

by the way, your code worked great, I have no errors and my template is working fine.
 
Hi,

the basic rule is that you should never TRUST user input. that's not the same thing as needing to escape it.

you need to escape data that is going to be used to write to a file (sometimes) or write to a database.

for this case, i would do something like this, which will provide an 'absolute' test against permitted files. what you are trying to prevent here is people putting things in like 'p=../../secretDirectory/verysecretfile.txt'. the code below creates an array of known permissible files.

Code:
$permittedFiles = array();
$dh = opendir('./pages');
while (false !== ($file = readdir($dh))){
  // readdir() returns bare names, so test the full path rather than the current directory
  if (is_file('./pages/' . $file)) $permittedFiles[] = $file;
}
closedir($dh);
//we have a list of permitted files now.
//double test
$main_body = empty($_GET['p']) ? 'default.php' : (in_array($_GET['p'], $permittedFiles) ? $_GET['p'] : 'default.php');
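As an added example (not code from anyone in this thread), the same allowlist idea split into two small functions so it can be reused across the template pages. It assumes PHP 7 or later and a hypothetical layout where the `pages/` directory sits next to the script and contains `default.php`; the request value is only ever compared against the directory listing, never used to build a path on its own.

```php
<?php
// Added example, not the thread's own code: allowlist-based page loader for
// the include-template pattern. Assumes a "pages/" directory beside this
// script holding default.php and the other fragments (hypothetical layout).

declare(strict_types=1);

/**
 * Build the list of includable files by reading the pages directory.
 * Only plain files ending in .php are accepted; subdirectories and
 * files with other extensions are skipped.
 */
function permittedPages(string $dir): array
{
    $allowed = [];
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if (is_file($path) && substr($entry, -4) === '.php') {
            $allowed[] = $entry;
        }
    }
    return $allowed;
}

/**
 * Map the request parameter onto a file in the allowlist. Anything that is
 * empty, is not an exact entry in the list, or carries a directory component
 * falls back to the default page.
 */
function resolvePage(?string $requested, array $allowed, string $default = 'default.php'): string
{
    if ($requested === null || $requested === '') {
        return $default;
    }
    // Strict in_array: exact string match only, no type juggling.
    if (in_array($requested, $allowed, true) && basename($requested) === $requested) {
        return $requested;
    }
    return $default;
}

$pagesDir = __DIR__ . '/pages';
$page     = resolvePage($_GET['p'] ?? null, permittedPages($pagesDir));
include $pagesDir . '/' . $page;
```

Because the chosen name always comes from the allowlist, no escaping function is needed here at all; mysql_real_escape_string() belongs to database writes, not to picking a file to include.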
 