in progress

[NaughtyPerry]

what uthink sofar?

http://ae-hq.com/o2x/index.php?id=home

c&c pls

[atholon]

Nice but nave and logo don't go the best.

[JonM]

i like it.

[GeeFuss]

Awesome...nice work...simple but still cool

[Stu]

Quote:

Originally posted by atholon
Nice but nave and logo don't go the best.

Banner mate, togther now, banner ...
I like it all mate, still missing something, but i'm not sure what

[§£a§h]

Are you leaving OAP scopes or will this clan do a diff version of DF?

[NaughtyPerry]

thinking of leaving... why?

[Dr. Bullet]

Quote:

Originally posted by Tecoma2
Banner mate, togther now, banner ...
I like it all mate, still missing something, but i'm not sure what

Borders...it needs borders...and not just little 1 px around all the images. Go to the NHQ home page, and P has thick grey borders to set everything apart. Just like sigs, borders can make or break a site

[prey]

i like that it's simple. but it looks like 10 000 other sites. a bit unoriginal.

also learn a bit about security.

make sure u validate what pages can and cant be included.

it's good that u put include($pagename.'.php');

w/o the .php any file could be included on your server. or maybe they still can. i just cant figure out how to make it ignore .php =D

you didnt validate for ../
so if u have some important file say

/home/a114588/o2x/file.php

technically people cannot access file.php cause it's outside of public_html file

but with your setup it is possible

http://ae-hq.com/o2x/index.php?id=../file

try creating file.php outside public_html see if it includes it

also i dont know if this is harmful to the server

http://ae-hq.com/o2x/index.php?id=/h...html/o2x/index

but that'll include index file for a long time =D.

do something like

PHP Code:

if (preg_match('/index/i',$id))
{
    include('home.php');
} 


make sure u validate what pages can and cant be included.

goodluck with the site man.

[NaughtyPerry]

:s you lost me at the top of your post...... step by step please

[prey]

k,

how do you include the pages?

like home, members etc.

u check the $_GET['id'] variable right?

well that variable comes from the URL. and anybody can modify it.

if they modify it in right wrong way it's potentially a security risk because they can access and cause things you didnt mean for them to.

so you have to validate that variable, perform different checks so you're sure that no matter what the user enters for index.php?id=<insert stuff here>

it wont cause anything you didnt expect.

right now there's a bunch of things that can happen that you didnt expect.

for example
index.php?id=../yourfile

will include a file that is located in the parent folder of the folder where index.php is located.

where if index.php is in public_html then your file will be in /home/a135s9/8x2

only things in public_html can be accessed by connecting to the webserver.

but with your set up they can access any file that ends with .php anywhere

so that's a potential security risk =D

i am not good in explaining things and i am not an expert. but still try to fix that.
gl

[NaughtyPerry]

erm i just put <?php include("$id.php") ?> whereever i use it...

[Stu]

Thats not the most stable way to do it ... here is, I know it off by heart :

PHP Code:

<?php 
 if(isset($id) { // if the page is set in url
         include("$id" . ".php"); // Include the value of $id
 } else { // If nothing set, include default page
         include("news.php"); }; 
?>

Simple

[atholon]

Ohh I like that way

I don't like passing variable values in the top of the address bar...

[prey]

that still lets you enter ../../ and such


here's one way to do it

PHP Code:

$page_name = '';
$page_ext = '.php';
$valid_pages = Array(
'home',
'members',
'contact'
);

$default_page = 0;

if (isset($_GET['id']) && trim($_GET['id']) != '' && in_array($_GET['id'],$valid_pages))
{
    $page_name = addslashes(htmlentities(trim($_GET['id'])));

    include($page_name.$page_ext);
}else{
    include($valid_pages["$default_page"].$page_ext);
}