address arguments

Anon

hi. could someone please explain me what to do, for example, i use the link page.php?goto=downloads , and the script would "redirect" the user to downloads.htm. this would be for like having a table divided in two, in the left a menu( i got that part working already) and in the right the downloads page. the script could be someting like:

$fp = fopen ("###argument_in_address###.htm", "r");
$buffer = fread($fp, filesize("###argument_in_address###.php"));
fclose ($fp);
print $buffer;

I just don't know how i can get the page.php?goto=###argument###.
Can someone please help me?

thanks in advance

Anon

Any reason not to simply include the file? It is much quicker than file() or fopen() and has the added advantage that the included file can contain more than simple HTML.

i.e.
include ($_GET['goto']);

Be aware that without some checks you open up some severe security holes using this method. You will need to check the value of $goto to ensure it is "sane", typically by stripping or checking for any path information in $_GET['goto'] so no one tries something like:

page.php?goto=/etc/shadow

or if you include a string path in the include, such as include("dir/of/pages/".$_GET['goto']) someone could do this:

page.php?goto=../../../etc/shadow

A quick way to test is by using something like this:

if (ereg("..",$GET['goto']))
{
// goto contains .. error out or redirect
die("Page does not exist");
}
elseif(!file_exists("path/to/file/".$GET['goto'])
{
// file of that name does not exist.
// do something else, redirect
}
else
{
// file exists and there aren't any surprises in the path.
include("path/to/file/".$_GET['goto']);
}

If you're using a version of PHP that does not have $GET (pre 4.1) then use $HTTP_GET_VARS in place of $GET.

More checks are always better and I'm sure someone else lurking out there has some suggestions on making this better.