PHP Mod for Include()
mitchind
10-10-05, 12:29 AM
Now with register_globals=off and not wanting to use a custom php.ini, I need to modify a simple line of php for the register_globals=off environment.
I hyperlink to showpage.php?p=agenda.htm and on showpage.php I have
<?php include("$p"); ?> Any tips on modifying this line? Thanks.
<?php include("{$_GET['p']}"); ?>
BerksWebGuy
10-10-05, 07:48 AM
And for future reference...if you use a variable many times on a page...you can put this first thing in your code (so it sets the variable):
$p = $_GET['p'];
Personally, I think it is foolish to ever use $var instead of $_GET['var'], but if you have built your code to sanitize all your variables (god help you if you haven't), you could get all of them in one shot like this:
extract($_GET, EXTR_SKIP);
extract($_POST, EXTR_SKIP);
RTH10260
10-10-05, 06:32 PM
you could get all of them in one shot like this:
extract($_GET, EXTR_SKIP);
extract($_POST, EXTR_SKIP);
IMO this is exactly the dangerous situation of register_globals=On: you pick up just anything that the hacker is throwing at you. You should be selective and only pick the fields/values you are expecting as input! While EXTR_SKIP will not overwrite a defined variable, it still allows new variables to be introduced with preset content.
if (!isset($var)) { /* initialize and first processing */ }
else { /* do further processing */ }
could work in strange ways if $var gets set from the outside.
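The situation described above, as an added example that is not part of the thread: a handler that calls extract() on the request beside one that picks its fields explicitly. The $_GET array is constructed to simulate a visitor adding "&is_admin=1" to showpage.php?p=agenda.htm, and the variable names $p and $is_admin are assumptions for illustration.

```php
<?php
// Added example (not code from the thread). $_GET is constructed here to
// simulate a request for showpage.php?p=agenda.htm&is_admin=1; the names
// $p and $is_admin are assumed for illustration.
$_GET = array('p' => 'agenda.htm', 'is_admin' => '1');

function handler_with_extract(array $get)
{
    // Same effect as extract($_GET, EXTR_SKIP) at the top of a script: no
    // local variable is defined yet, so nothing is skipped and every request
    // key becomes a local, including $is_admin, which this function never
    // meant to accept from outside.
    extract($get, EXTR_SKIP);

    if (!isset($is_admin)) {
        $is_admin = false;          // "initialize and first processing"
    }
    return array('page' => $p, 'is_admin' => (bool) $is_admin);
}

function handler_explicit(array $get)
{
    // Pick only the field you expect, give it a default, and keep privilege
    // state out of the request entirely.
    $p = isset($get['p']) ? (string) $get['p'] : 'index.htm';
    $is_admin = false;
    return array('page' => $p, 'is_admin' => $is_admin);
}

var_dump(handler_with_extract($_GET));
var_dump(handler_explicit($_GET));
```

In the first handler the isset() guard that was meant to initialise $is_admin sees the attacker-supplied '1' instead and leaves it set; in the second the request can only ever influence $p, which is then a single value to validate before use.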
bnizzie
10-13-05, 03:04 AM
<?php include("{$_GET['p']}"); ?>
Just a quicknote about security. I am not sure of the PHP.ini settings for PowWeb, but you generally want to make sure you're getting what you want. I use one of two methods for this kind of action:
1) Check to see if the requested file exists locally, in the directory I specify. Ex:
<?php
$basedir = '/usr/place/path/location'; // NO TRAILING SLASH!
$p = isset($_GET['p']) ? $_GET['p'] : '';
$file = "{$basedir}/{$p}";
// dirname() is purely textual, so any "/" in $p (including "../") moves the
// parent directory away from $basedir and fails the comparison.
// is_file() rather than file_exists() also rejects "" and "..", which would
// otherwise resolve to the directory itself.
if ( $p === '' || ($basedir != dirname($file)) || !is_file($file) )
{
    header('Location: /'); // Redirect to the home page on error. You can do whatever you want here
    exit;
}
// You could also check the file name to make extra sure you've got what you want.
// We're ok, include that file
include($file);
?>
2) assign a list of known good values, and check against that.
<?php
$allowedIncludes = array();
$allowedIncludes[] = 'one.htm';
$allowedIncludes[] = 'two.htm';
$p = isset($_GET['p']) ? $_GET['p'] : '';
// Third argument (strict) compares type and value, so only an exact string match passes
if (in_array($p, $allowedIncludes, true))
{
    include($p);
}
else
{
    header('Location: /'); // Redirect to the home page on error. You can do whatever you want here
    exit;
}
?>
This is all pseudo-code, and may not work cut-n-paste... I did, however, lint-check them.
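Hardened versions of both checks, as an added example that is not code from the thread. It goes a little beyond the post above: method 1 reduces the request to a bare file name and uses realpath() to confirm the resolved file really sits under the base directory (which also handles symlinks), and method 2 keys the allowlist by an opaque token so the request never names a file at all. The directory layout ($basedir with agenda.htm and one.htm in it), the page map and the probe strings are all assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Assumed layout: a "pages" directory
// next to this script holding agenda.htm and one.htm.
$basedir = __DIR__ . '/pages';

// Method 1 hardened: strip the request to a bare file name, resolve it with
// realpath(), and insist the result is a regular file inside $basedir.
function resolve_in_dir($basedir, $requested)
{
    if (!is_string($requested) || $requested === '' ||
        strpos($requested, "\0") !== false) {
        return null; // arrays (?p[]=x), empty values and NUL-byte tricks
    }
    // basename() drops any directory part, so "../../etc/passwd" becomes
    // "passwd" and "php://filter/..." can no longer reach a stream wrapper.
    $name = basename($requested);
    if ($name === '.' || $name === '..') {
        return null;
    }
    $root = realpath($basedir);
    $real = realpath($basedir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks and returns false for a missing file; the
    // prefix test stops a symlink inside $basedir from pointing outside it.
    if ($root === false || $real === false || !is_file($real) ||
        strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Method 2 hardened: the request carries an opaque key, never a file name,
// so there is nothing for a traversal or wrapper payload to act on.
function resolve_by_key($basedir, array $pages, $key)
{
    if (!is_string($key) || !array_key_exists($key, $pages)) {
        return null;
    }
    return $basedir . DIRECTORY_SEPARATOR . $pages[$key];
}

$pages = array('agenda' => 'agenda.htm', 'one' => 'one.htm'); // assumed map

// Constructed requests a tester would send as showpage.php?p=...
$probes = array(
    'agenda.htm',
    'agenda',
    '../../../etc/passwd',
    "agenda.htm\0.jpg",
    'php://filter/read=convert.base64-encode/resource=showpage.php',
    array('x'),
    '..',
    '',
);

foreach ($probes as $p) {
    $shown = is_array($p) ? 'array' : str_replace("\0", '\0', $p);
    printf("%-64s dir:%-6s key:%s\n", $shown,
        resolve_in_dir($basedir, $p) === null ? 'reject' : 'ok',
        resolve_by_key($basedir, $pages, $p) === null ? 'reject' : 'ok');
}

// The actual showpage.php handling, using the key-based resolver.
$file = resolve_by_key($basedir, $pages, isset($_GET['p']) ? $_GET['p'] : '');
if ($file === null) {
    header('Location: /'); // or a 404; anything but including the raw value
    exit;
}
include $file;
```

The probe loop is there so the two resolvers can be compared on the same hostile inputs: with the key-based map only the literal key "agenda" is accepted, while the directory-based resolver accepts "agenda.htm" (once that file exists) and rejects everything else. If the list of pages is small and static, method 2 is the one to ship; method 1 is for the case where files are added to the directory without touching the code.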