Include Content pages in Master page

McKirahan schreef:

I am looking for feedback on an approach to using PHP.

Below is a stripped down version of a Home page: "index.php".

The content of the site is displayed in the middle of the page and
is "included" via "Page1.htm", "Page2.htm", or "Page3.htm".

The page to be "included" is specified via the QueryString
which is specified in the navigational hyper links;
for example, "index.php?Page1".
<html>
<head>
<title><?php echo $_SERVER["PHP_SELF"] ?></title>
</head>
<body>
<table border="0" cellspacing="0" cellpadding="0" width="100%"
height="100%">
<tr>
<td bgcolor="green" colspan="3">&nbsp;</td>
</tr>
<tr>
<td bgcolor="red" width="5"%>&nbsp;</td>
<td bgcolor="white" width="90%">
<p align="center">
<a href="index.php?Page1">Page 1</a|
<a href="index.php?Page2">Page 1</a|
<a href="index.php?Page3">Page 3</a>
<hr>
</p>
<!-- Content Below -->
<?php
$QS = $_SERVER["QUERY_STRING"];
echo $QS;
if ($QS == "Page1") include "Page1.htm";
elseif ($QS == "Page2") include "Page2.htm";
elseif ($QS == "Page3") include "Page3.htm";
else include "Page1.htm";
?>
<!-- Content Above -->
<br><br>
</td>
<td bgcolor="blue" width="5%">&nbsp;</td>
</tr>
<tr>
<td bgcolor="yellow" colspan="3">&nbsp;</td>
</tr>
</table>
</body>
</html>

One advantage I see to this approach is that the "content" pages
are isolated from the "master" page and can be easily maintained.

One disadvantage I see to this approach is that search engines
would not be able to catalog the site beyond the Home page.

Why wouldn't a search engine be able to catalog ?

Google can follow dynamic urls

For a nicer url use mod rewrite
/mymap/my-title.html /index.php?QS=3 [NC]

or something more dynamic
/page_(.+).php /index.php?QS=$1 [NC]

Are there other disadvantages (or other considerations) that I don't see?

Yup .. duplicate content (index.php?QS=wooooooom)

--
Arjen
http://www.hondenpage.com - Mijn site over honden

On Fri, 12 Jan 2007 06:36:51 +0100, McKirahan <Ne**@McKirahan.comwrote:

I am looking for feedback on an approach to using PHP.

Below is a stripped down version of a Home page: "index.php".

The content of the site is displayed in the middle of the page and
is "included" via "Page1.htm", "Page2.htm", or "Page3.htm".

The page to be "included" is specified via the QueryString
which is specified in the navigational hyper links;
for example, "index.php?Page1".
<html>
<head>
<title><?php echo $_SERVER["PHP_SELF"] ?></title>
</head>
<body>
<table border="0" cellspacing="0" cellpadding="0" width="100%"
height="100%">
<tr>
<td bgcolor="green" colspan="3">&nbsp;</td>
</tr>
<tr>
<td bgcolor="red" width="5"%>&nbsp;</td>
<td bgcolor="white" width="90%">
<p align="center">
<a href="index.php?Page1">Page 1</a|
<a href="index.php?Page2">Page 1</a|
<a href="index.php?Page3">Page 3</a>
<hr>
</p>
<!-- Content Below -->
<?php
$QS = $_SERVER["QUERY_STRING"];
echo $QS;
if ($QS == "Page1") include "Page1.htm";
elseif ($QS == "Page2") include "Page2.htm";
elseif ($QS == "Page3") include "Page3.htm";
else include "Page1.htm";
?>
<!-- Content Above -->
<br><br>
</td>
<td bgcolor="blue" width="5%">&nbsp;</td>
</tr>
<tr>
<td bgcolor="yellow" colspan="3">&nbsp;</td>
</tr>
</table>
</body>
</html>

One advantage I see to this approach is that the "content" pages
are isolated from the "master" page and can be easily maintained.

One disadvantage I see to this approach is that search engines
would not be able to catalog the site beyond the Home page.

Are there other disadvantages (or other considerations) that I don't see?

Thanks in advance.

P.S. I am new to PHP but have worked with ASP for years.

1) Good search engines *cough*Google*cough* will take the querystring into
consideration while indexing.
2) For sake of ease, scalability, and security you may want to build a
querystring like ?id=1, instead of ?page1. Then you can read the page id
with $_GET['id'].
3) Using this method of including, you should perform a check on file
existence.

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

2) For sake of ease, scalability, and security you may want to build a

querystring like ?id=1, instead of ?page1. Then you can read the page id
with $_GET['id'].
3) Using this method of including, you should perform a check on file
existence.

Well in this case a page is not included directly according to the qs,
but the qs rather defines what page is included. If I understand
correctly, there could be:

if( $qs == "Contact" || $qs == "ContactInfo" ) {
include('NoneOfYourBusiness.htm');
}

So the value of qs might have nothing to do with the included file's
name. At least that is what I understood.

"OmegaJunior" <om*********@spamremove.home.nlwrote in message
news:op***************@cp139795-a.landg1.lb.home.nl...

On Fri, 12 Jan 2007 06:36:51 +0100, McKirahan <Ne**@McKirahan.comwrote:

I am looking for feedback on an approach to using PHP.

Below is a stripped down version of a Home page: "index.php".

The content of the site is displayed in the middle of the page and
is "included" via "Page1.htm", "Page2.htm", or "Page3.htm".

The page to be "included" is specified via the QueryString
which is specified in the navigational hyper links;
for example, "index.php?Page1".

[snip]

One advantage I see to this approach is that the "content" pages
are isolated from the "master" page and can be easily maintained.

One disadvantage I see to this approach is that search engines
would not be able to catalog the site beyond the Home page.

Are there other disadvantages (or other considerations) that I don't

see?

Thanks in advance.

P.S. I am new to PHP but have worked with ASP for years.

1) Good search engines *cough*Google*cough* will take the querystring
into consideration while indexing.
2) For sake of ease, scalability, and security you may want to build a

querystring like ?id=1, instead of ?page1. Then you can read the page id

with $_GET['id'].
3) Using this method of including, you should perform a check on file
existence.

Thanks for you reply.

I appreciate your ideas and may use them.

Why is "id=" easier and/or more scalable and/or more secure?

"Arjen" <do**@mail.mewrote in message news:eo**********@brutus.eur.nl...

McKirahan schreef:

I am looking for feedback on an approach to using PHP.

Below is a stripped down version of a Home page: "index.php".

The content of the site is displayed in the middle of the page and
is "included" via "Page1.htm", "Page2.htm", or "Page3.htm".

The page to be "included" is specified via the QueryString
which is specified in the navigational hyper links;
for example, "index.php?Page1".

[snip]

One advantage I see to this approach is that the "content" pages
are isolated from the "master" page and can be easily maintained.

One disadvantage I see to this approach is that search engines
would not be able to catalog the site beyond the Home page.

Why wouldn't a search engine be able to catalog ?

Google can follow dynamic urls

For a nicer url use mod rewrite
/mymap/my-title.html /index.php?QS=3 [NC]

or something more dynamic
/page_(.+).php /index.php?QS=$1 [NC]

Are there other disadvantages (or other considerations) that I don't

see?

>
Yup .. duplicate content (index.php?QS=wooooooom)

Thanks for you reply.

I presumed wrong about the ability of search engines to index the site;
thanks for correcting me.

Not sure what you mean by "duplicate content"?

Also, I'll have to study PHP some more to understand your dynamic url...

I presumed wrong about the ability of search engines to index the site;

thanks for correcting me.

Not sure what you mean by "duplicate content"?

In your example every non existent QS would be the same as your default
page. So you have multiple occurences of your default page. You would
have to set a 301 header for those pages. Some search engines give you a
penalty for duplicate content.

>
Also, I'll have to study PHP some more to understand your dynamic url...

What exactly dont you understand ? I'd be happy to explain :-)

--
Arjen
http://www.hondenpage.com

On Sat, 13 Jan 2007 19:16:08 +0100, McKirahan <Ne**@McKirahan.comwrote:

>
Why is "id=" easier and/or more scalable and/or more secure?

It's more scalable as a querystring parameter like '?id=1' than a full
querystring like '?page1' because it lets you add more parameters to the
querystring than just the querystring itself.

Instead of reading the entire querystring '?page1' using
$_SERVER['QUERY_STRING'] and using the result 'page1' as a single
parameter, you can string several parameters together inside a querystring
using a & as separator like so: '?id=1&sort=a&lang=en' and read each
parameter with $_GET[parametername] like $_GET['id'] (results in '1'),
$_GET['sort'] (results in 'a'), and $_GET['lang'] (results in 'en').

Which parameters you put into the querystring and what your code does with
them, is your choice entirely, hence the scalability.

Look at Google's advanced search, for instance:
http://www.google.com/search?as_q=te...ghts=&safe=off

Everything behind the first ? is the querystring, which contains no less
than 19 parameters (some of which do have values, some of which don't).

Security comes in because of the way you intend to use the parameter
value. If you would simply code
include($_SERVER['QUERY_STRING']);
you open up your code for all kinds of injection. Rule of thumb: don't
trust a visitor's input. What prevents a malevolent visitor from
requesting '?config.ini' or '?.htaccess' ? Nothing, because they can enter
it using their browser's address bar. But we can check for their input and
allow only those values we trust, like so:

$idPageToInclude = $_GET['id']; /* parameter named 'id' by choice,
could've just as easily be named 'page' */
if (is_numeric($idPageToInclude)) { //If I'd want to accept only numbers,
for instance
$pathPageToInclude = 'page'.$idPageToInclude.'html'; //Create the
complete file name
if (file_exists($pathPageToInclude)) { //Make sure it exists
include($pathPageToInclude);
} else {
print('File not found.');
}
}

Why do I want to accept numbers as input only? Because that way I can
prevent that a malevolent user tries to pass something like
'/../../passwords.xml/' into the querystring.

Hope this helps!

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

Message-ID: <op***************@cp139795-a.landg1.lb.home.nlfrom
OmegaJunior contained the following:

>On Sat, 13 Jan 2007 19:16:08 +0100, McKirahan <Ne**@McKirahan.comwrote:

>>
Why is "id=" easier and/or more scalable and/or more secure?

It's more scalable as a querystring parameter like '?id=1' than a full
querystring like '?page1' because it lets you add more parameters to the
querystring than just the querystring itself.

Up to a point. You could, of course do ?ham-eggs-cheese and explode the
query string to get three different variables

>

....

>Security comes in because of the way you intend to use the parameter
value. If you would simply code
include($_SERVER['QUERY_STRING']);
you open up your code for all kinds of injection. Rule of thumb: don't
trust a visitor's input. What prevents a malevolent visitor from
requesting '?config.ini' or '?.htaccess' ? Nothing, because they can enter
it using their browser's address bar. But we can check for their input and
allow only those values we trust, like so:

$idPageToInclude = $_GET['id']; /* parameter named 'id' by choice,
could've just as easily be named 'page' */
if (is_numeric($idPageToInclude)) { //If I'd want to accept only numbers,
for instance
$pathPageToInclude = 'page'.$idPageToInclude.'html'; //Create the
complete file name
if (file_exists($pathPageToInclude)) { //Make sure it exists
include($pathPageToInclude);
} else {
print('File not found.');
}
}

I think it's a bit simpler to use an array (ie you can use your existing
filenames)

$page=array(1=>'page1.php',2=>'page2.php',3=>'anyp age.php');

if(isset($_GET['id'])){
$PageToInclude=(isset($page[$_GET['id']]))?$page[$_GET['id']]:"errorpage.php";
//errorpage.php included if someone messes with the url.
include($PageToInclude);
}
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011

"Arjen" <do**@mail.mewrote in message
news:45***********************@news.wanadoo.nl...

I presumed wrong about the ability of search engines to index the site;
thanks for correcting me.

Not sure what you mean by "duplicate content"?

In your example every non existent QS would be the same as your default
page. So you have multiple occurences of your default page. You would
have to set a 301 header for those pages. Some search engines give you a
penalty for duplicate content.

>
Also, I'll have to study PHP some more to understand your dynamic

url...

>
What exactly dont you understand ? I'd be happy to explain :-)

I don't understand this suggestion:

or something more dynamic
/page_(.+).php /index.php?QS=$1 [NC]

What does (.+) do?
Why two ".php" filenames?
Where does $1 come from?
What does [NC} mean?

Sorry, I'm new to PHP.

Any website or reading suggestions?
I do use http://www.php.net

Thanks.

"OmegaJunior" <om*********@spamremove.home.nlwrote in message
news:op***************@cp139795-a.landg1.lb.home.nl...

On Sat, 13 Jan 2007 19:16:08 +0100, McKirahan <Ne**@McKirahan.comwrote:

Why is "id=" easier and/or more scalable and/or more secure?

It's more scalable as a querystring parameter like '?id=1' than a full
querystring like '?page1' because it lets you add more parameters to the
querystring than just the querystring itself.

I understand; however, I only intend to pass a page reference.

[snip]

Security comes in because of the way you intend to use the parameter
value. If you would simply code
include($_SERVER['QUERY_STRING']);
you open up your code for all kinds of injection. Rule of thumb: don't
trust a visitor's input. What prevents a malevolent visitor from
requesting '?config.ini' or '?.htaccess' ? Nothing, because they can

enter

it using their browser's address bar.

However, I construct the page name from the QueryString;
I don't load whatever is passed in.

[snip]

But we can check for their input and
allow only those values we trust, like so:

if (is_numeric($idPageToInclude)) { //If I'd want to accept only numbers,

I like the numeric only input and will use it.

if (file_exists($pathPageToInclude))

I'll use this too.

Why do I want to accept numbers as input only? Because that way I can
prevent that a malevolent user tries to pass something like
'/../../passwords.xml/' into the querystring.

Hope this helps!

It does! Thanks for the education.

McKirahan schreef:

"Arjen" <do**@mail.mewrote in message
news:45***********************@news.wanadoo.nl...

>>I presumed wrong about the ability of search engines to index the site;
thanks for correcting me.

Not sure what you mean by "duplicate content"?

In your example every non existent QS would be the same as your default
page. So you have multiple occurences of your default page. You would
have to set a 301 header for those pages. Some search engines give you a
penalty for duplicate content.

> >
Also, I'll have to study PHP some more to understand your dynamic

url...

>What exactly dont you understand ? I'd be happy to explain :-)

I don't understand this suggestion:

>or something more dynamic
/page_(.+).php /index.php?QS=$1 [NC]

This is not PHP ... I should have been clearer. This is syntax for
apache's mod rewrite.
http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html

It means rewrite pages like this:
/page_1.php ->index.php?qs=1
/page_2.php ->index.php?qs=2
/page_look-im-a-bird.php ->index.php?qs=look-im-a-bird
etc

This is a more friendly way of showing dynamic pages

--
Arjen
http://www.hondenpage.com