how do websites do this index.php?something=somepage

Question

i\'ve seen alot of php based websites where no matter where you navigate your stuck at the index.php and some random parameters are passed in the url. and when i take a look

Answer 1

They do straight includes, with some checking of course, but basicly is something like that:

include("content/".$_GET['something'].".php");

You can also do it using "something" as a database keyword, but most index.php?somthing=somewhere i've seen are includes with some sanity checking.

Answer 2

This type of URL allows you to use a single template file that specifies common markup, with an included fragment that contains specific text. That included fragment could be an actual file on the filesystem, or it could be a CLOB in a database, with the "page" parameter giving the primary key.

As other people have noted, passing an exact path is not at all secure -- don't do it. At best, it can be used to probe your website and retrieve non-public content. At worst, it can turn your website into an unwitting proxy for content that you don't want legally associated with you. Somewhere in between, it might provide a hacker the ability to physically insert new content into your site.

A safer approach is to use the database table, or (for smaller sites), an in-memory page table. Here's the code that I use to access the page table for my personal website:

$pageName = (array_key_exists("page", $_GET))
          ? $_GET["page"]
          : null;
$currentPage = (array_key_exists($pageName, $pagetab))
             ? $pagetab[$pageName]
             : $pagetab["home"];

Answer 3

You are looking at websites built with a front controller.

http://en.wikipedia.org/wiki/Front_controller

Many popular PHP apps like Joomla use it to treat a collection of scripts as a cohesive application.

A front controller is a good idea for languages like PHP, but remember to hide the front controller with something like mod_rewrite to create URL canonization and to optimize readability.

Answer 4

The way this works is that the application is no longer written as a collection of pages, but as a monolithic whole, divided into multiple files. Put another way, index.php is the application, and it takes parameters to control what part it shows to you.

There are various ways of passing the page information in in the URL. Using references to actual filenames should not be the first way you try to do it. Instead, divide your application up into different command and sub-commands. Then the first two things tht index.php does are:

1. Setup the application framework (load common libraries, setup database access, etc etc)
2. Figure out which command is being requested.

The second would be a lookup of some sort, either into an array, or looking for a class or perhaps a file in a particular directory. Whatever, it does, it needs to treat it as untrusted data and produce an error page or a default page with an error banner if the command is invalid. (If it is going to be used in a filename, make sure it is suitably transformed [e.g. .php is added] and checked for any jailbreak action [e.g. doesn't have any embedded slashes]).

Answer 5

I've seen this and personally I think it's an awful design. Particularly because many people don't tend to sanitize the include parameter such that someone can include any file they want by just passing in a relative path.

mod_rewrite is typically used to hide URLs like:

/index.php?path=user&include=account

replacing it with something like:

/user/account

like this:

RewriteEngine On
RewriteBase /
RewriteRule ^(\w+)/(\w+)$ /index.php?path=$1&include=$2 [L]

I usually also put in something like this:

RewriteRule %{THE_REQUEST} \.php$ [R=404,L]

I forget the exact syntax but basically th eidea is the user can't request a php file directly. It has to be done via another RewriteRule (like the first one), which can save you a lot of headaches with sanitizing query string input plus avoid the whole problem of PHP creating globals for things you never intended (although they can still POST for this).

Anyway, back to why I think this is a terrible idea. They do it because they tend to want some common code in every page (like a header and footer). I would argue that you're better off actually just including a common file at the top of each of your pages. It's a simpler, clearer design.

Answer 6

This is very common design pattern, and not just for PHP - I first used it for Cold Fusion with a design model called Fusebox, but similar ideas exist for all scripting languages.

Basically the index page assembles the displayed HTML depending on what is passed in the parameter. For example if no parameters are passed it will know to pull in and display the default page, or if the parameter say something like '?p=contact' then it displays the contact page.

The mod-rewrite idea works the other way around and is often used with a the model-view-controller design pattern (MVC). For example a sites' contact page may have the url:

www.mysite.com/infopages/contact

and mod rewrite will translate this to

www.mysite.com/index.php?p=contact

MVC is a very code-centric way of designing websites and works well with larger and/or more complex applications. It's a bit over the top for smaller sites.