[RESOLVED] Dynamic <title></title> tags?

Pikachu2000

I have website in which I use the following format in the index.php file:

<html>
<head>
<title>(Site title text to be made dynamic?)</title>
</head>
<body>
<?php
if(empty($_GET['page_id']))
{
	$page_id = "main.php";
}
else
{
	$page_id = $_GET['page_id'];
}
include('header.php');
include("$page_id");
include('footer.php');
?>
</body>
</html>

The obvious problem being that every page uses the same title tag. I'm having a brainfart trying to come up with a way to make the <title></title> tag dynamic. Using a switch or else/if statement wouldn't really be feasible due to the length involved. I'd prefer not to set up a MySQL database just to hold the <title></title> tag content.

All of the content links are in the header.php file, and the $page_id variable is passed with $_GET. Any ideas? FWIW, the php files included by the $page_id variable are all in this format (the <table> tag is closed in footer.php):

<table>
<tr>
<td>&nbsp;</td>
<td>
<!-- PAGE CONTENT STARTS HERE -->

<!-- PAGE CONTENT ENDS HERE -->
</td>
<td>&nbsp;</td>
</tr>

Is it possible to use the first x number of words or characters after the first html comment tag, or do I have this just fundamentally wrong?

NogDog

I often put the common page stuff (header, footer, navigation) as functions within one include file, then call each function as needed. This then allows me to add function parameters, such as page title, keyword list, and description.

boilerplate.php:

<?php
function pageHead($title, $keywords, $description)
{
   $title = htmlspecialchars($title);
   $keywords = htmlspecialchars($keywords);
   $description = htmlspecialchars($description);
   echo <<<END
<html>
<head>
<title>$title</title>
<meta type="keywords" content="$keywords">
<meta type="description" content="description">
</head>
<body>
END;

}

sample_page.php:

<?php
require_once 'boilerplate.php';
head('Sample Page', 'sample,page', 'This is a sample page');
// . . . rest of page . . .
?>

hughmill

Here's how I do it:

<?php

include 'processor.php';
// This file gets any querystring variables, queries the database, etc etc.

include 'header.php';
// Here we write a dynamic title and other elements (such as loading page specifice js or css etc. Also normally write the RSS feed for the page dynamically here depending on the level of the site we are in. It's a newspaper site so think:
[code=html]
<title>Sitename | News | Local | Hyperlocal | Headline</title>
<link href="http://www.site.com/feeds/news/local/hyperlocal/rss.xml" rel="alternate" type="application/rss+xml" title="RSS Feeds" />
<link rel="stylesheet" type="text/css" href="article.css" media="screen"/>

include 'output.php';
// outputs the page html

include 'footer.php';
// self explanatory

?>[/code]

Obviously there is a lot more going on than this, but I would always go in for pre-processing before you load any output files as you can have dynamic content dropping in at any stage of your final HTML file.

bretticus

$page_id = $_GET['page_id'];  // <----THIS LINE
include("$page_id"); // <----AND THIS LINE

Is a sure way to get hacked if fopen url wrappers are turned on. You may wanna rethink that. For example, you might have one big switch statement in place so you do not allow user-submitted content anywhere near an include function.

Now, here's how I do it (sometimes) at the bare minimum:

<!--header.php-->
<html><head> 
<title>
<?php echo ( defined('PAGE_TITLE') ) ? PAGE_TITLE : 'Some Generic Catch-all title'; ?> 
</title>
</head>
<body><div class="center">

<!--footer.php-->
</div></body>
</html>

...and then to put it all together...

<!--main.php-->
<?php
define('PAGE_TITLE', 'Cross-site scripting sucks');
include('header.php');
?>
<div id="content">
	here is some content.
</div>
<?php
include('footer.php');
?>

Then again, if I were less lazy, I'd like the idea of a function call better like NogDog's example.

Pikachu2000

All good suggestions. I guess I just have to figure out which one to use. At this point, the site is fairly small (about 35 content pages), I guess a switch statement wouldn't be out of the question. I was just trying to avoid the extra typing.

Pikachu2000

bretticus;10887015 wrote:
$page_id = $_GET['page_id'];  // <----THIS LINE
include("$page_id"); // <----AND THIS LINE 
Is a sure way to get hacked if fopen url wrappers are turned on. You may wanna rethink that. For example, you might have one big switch statement in place so you do not allow user-submitted content anywhere near an include function.

Good point. Fortunately it's not live yet, just on my dev server. Oh well, off to switch-world I go . . .

Pikachu2000

bretticus;10887015 wrote:
$page_id = $_GET['page_id'];  // <----THIS LINE
include("$page_id"); // <----AND THIS LINE 
Is a sure way to get hacked if fopen url wrappers are turned on. You may wanna rethink that. For example, you might have one big switch statement in place so you do not allow user-submitted content anywhere near an include function.

Would something like this lessen the risk?

if(file_exists($_GET['page_id']))
{
$page_id = $_GET['page_id'];
}
else
{
$page_id = main.php;
}

NogDog

You want to filter out things from $GET['file'] such as:

../../../../../etc/passwd&#37;00
...or...
http://evil.site.net/file_with_malicious_code.txt

One fairly effective way is to use basename():

$file = basename(trim($_GET['file']));

Then it should be pretty safe to use $file as you do to see if it exists, or else use the default.

Pikachu2000

NogDog;10887051 wrote:
You want to filter out things from $GET['file'] such as:
../../../../../etc/passwd%00
...or...
http://evil.site.net/file_with_malicious_code.txt
One fairly effective way is to use basename():
$file = basename(trim($_GET['file']));
Then it should be pretty safe to use $file as you do to see if it exists, or else use the default.

OK, I see what you're saying. Thanks for the help. I'll implement the changes later this weekend and see how it works out.

Pikachu2000

What would your opinion of this implementation be? It seems to work just fine, but I want to make sure I haven't overlooked/underthought anything . . .

$page = basename(trim($_GET['page_id']));
if(empty($page))
{
	$page_id = "main.php";
}
elseif(!empty($page) && file_exists($page) && strlen($page) > 2 ) // See my note below regarding my usage of strlen() here
{
	$page_id = $page;
}
else
{
	$page_id = "404.php";
}
include('header.php');
include("$page_id");
include('footer.php');

I included the

strlen($page) > 2

when I discovered that a malformed URL such as http://site/index.php?page_id=/../../../../../../intended_page.php/../../../../ had the effect of setting

$page = ".."

This kept the else{} statement from executing since file_exists(..) would return TRUE. Not sure if would have presented a security risk, but it did prevent the script from executing the way I intended.

Now I can get on to the switch statement for the page titles 🙂

Pikachu2000

I think I got it all working with the changes y'all suggested. Made sure allow_url_fopen was set to false in the .ini file while I was at it (it was not enabled, so I must have done it long ago).

Thanks to everyone for the suggestions and help!