Reputation: 1567
I have a simple if statement that works on my local machine, but when I uploaded it to my paid site I got an error on my home page.
Error:
Warning: include(./pages/.php) [function.include]: failed to open stream: No such file or directory in /home/a5410474/public_html/index.php on line 33
Warning: include() [function.include]: Failed opening './pages/.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/a5410474/public_html/index.php on line 33
The Code:
<?php
if (isset($_GET['p']) && $_GET['p'] != NULL || $_GET['p'] != '') {
$p = mysql_real_escape_string($_GET['p']);
}elseif ($_GET['p'] == '' || $_GET['p'] == NULL){
$p = 'home';
}
include("./pages/".$p.".php");
?>
Upvotes: 0
Views: 341
Reputation: 46602
You should be more aware of directory traversing, sanitize user input, and make sure the file is even there. (re: your errors):
<?php
if (isset($_GET['p'])) {
$p = preg_replace('/[^a-zA-Z0-9_]/s', '', $_GET['p']);
} else {
$p = 'home';
}
$path = "./pages/" . $p . ".php";
if (file_exists($path) === true) {
include $path;
} else {
include './pages/notfound.php';
}
Upvotes: 1
Reputation: 8760
You can also try this:
<?php
$p = 'home';
if (!empty($_GET['p']))
$p = $_GET['p'];
include("./pages/".$p.".php")
?>
Upvotes: -1
Reputation: 52372
A much less verbose way of writing this:
$p = empty($_GET['p']) ? 'home' : $_GET['p'];
include("./pages/{$p}.php");
Some other notes:
You should not be using mysql_real_escape_string on a variable you're going to pass to include. That function is for preparing data for insertion into a SQL query.
You should not include a file based on a variable passed through the query string, or from any kind of user input. Someone can use that to read system files on your server then take control of the whole computer.
Upvotes: 3
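An allowlist version of the page loader, following the advice above not to build an include path from the query string. This is an added example, not code from any answer in the thread; the resolve_page helper, the PAGES_DIR constant and the page names about and contact are assumptions.

```php
<?php
// Added example. PAGES_DIR, resolve_page() and the 'about'/'contact' names are assumptions.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolve_page(array $query, string $pagesDir = PAGES_DIR): string
{
    $fallback = $pagesDir . '/notfound.php';

    // Missing or empty ?p= means the default page; ?p[]=x arrives as an array.
    $p = $query['p'] ?? '';
    if (!is_string($p) || $p === '') {
        $p = 'home';
    }

    // Strict match against known names, so "../", "%00" or "php://" never reach include.
    if (!in_array($p, ALLOWED_PAGES, true)) {
        return $fallback;
    }

    // Defence in depth: the file must exist and resolve inside the pages directory
    // (realpath() follows symlinks and returns false for a missing file).
    $base = realpath($pagesDir);
    $file = realpath($pagesDir . '/' . $p . '.php');
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return $fallback;
    }
    return $file;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: temporary pages directory and sample query strings.
    $dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
    mkdir($dir);
    foreach (['home', 'about', 'notfound'] as $name) {
        file_put_contents("$dir/$name.php", "<?php echo '$name';");
    }
    $samples = [[], ['p' => ''], ['p' => 'about'], ['p' => 'contact'],
                ['p' => '../index'], ['p' => ['x']]];
    foreach ($samples as $query) {
        echo json_encode($query), ' => ', basename(resolve_page($query, $dir)), PHP_EOL;
    }
} else {
    include resolve_page($_GET);
}
```

Run from the command line, the demo shows that contact falls back to notfound.php: the name is on the allowlist, but no such file exists in the constructed directory.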
Reputation: 270609
Instead of OR, you need AND here, also enclose the second half in parens.
if (isset($_GET['p']) && $_GET['p'] != NULL || $_GET['p'] != '') {
// should be
if (isset($_GET['p']) && ($_GET['p'] != NULL && $_GET['p'] != '')) {
You have no else case, and it's likely the value being passed into $_GET['p'] meets neither condition.
It would be better to write it like this, using empty():
if (isset($_GET['p']) && !empty($_GET['p'])) {
$p = mysql_real_escape_string($_GET['p']);
}
else $p = 'home';
Upvotes: 4