我正在使用this tutorial创建一个ajax网站,并且正在努力使用PHP。这是提供的代码:
PHP
if(!$_POST['page']) die("0");
$page = (int)$_POST['page'];
if(file_exists('pages/page_'.$page.'.html'))
echo file_get_contents('pages/page_'.$page.'.html');
else echo 'There is no such page!';
我想使用除page_1.html,page_2.html等之外的命名结构。我的HTML看起来像这样:
HTML
<ul id="navigation">
<li><a href="#home">Home</a></li>
<li><a href="#about">About</a></li>
<li><a href="#services">Services</a></li>
<li><a href="#page4">Page 4</a></li>
</ul>
现在唯一可行的链接是“第4页”。我将如何重写PHP以使前三个链接起作用?
的Javascript
var default_content="";
$(document).ready(function(){
checkURL();
$('ul li a').click(function (e){
checkURL(this.hash);
});
//filling in the default content
default_content = $('#pageContent').html();
setInterval("checkURL()",250);
});
var lasturl="";
function checkURL(hash)
{
if(!hash) hash=window.location.hash;
if(hash != lasturl)
{
lasturl=hash;
// FIX - if we've used the history buttons to return to the homepage,
// fill the pageContent with the default_content
if(hash=="")
$('#pageContent').html(default_content);
else
loadPage(hash);
}
}
function loadPage(url)
{
url=url.replace('#page','');
$('#loading').css('visibility','visible');
$.ajax({
type: "POST",
url: "load_page.php",
data: 'page='+url,
dataType: "html",
success: function(msg){
if(parseInt(msg)!=0)
{
$('#pageContent').html(msg);
$('#loading').css('visibility','hidden');
}
}
});
}
答案 0 :(得分:1)
只有page4有效,因为它希望脚本的名称类似于page_number.html。您的home, about, services与该模式不匹配。要使它们也能正常工作,您需要将file_get_contents()调用更改为允许page/anything.html。
要修改的第一件事是发布的功能:
function loadPage(url)
{
// Instead of stripping off #page, only
// strip off the # to use the rest of the URL
url=url.replace('#','');
$('#loading').css('visibility','visible');
$.ajax({
type: "POST",
url: "load_page.php",
data: 'page='+url,
dataType: "html",
success: function(msg){
if(parseInt(msg)!=0)
{
$('#pageContent').html(msg);
$('#loading').css('visibility','hidden');
}
}
});
}
现在,这在PHP中引入了安全风险。您需要验证$_POST['page']的值是否严格是字母数字,以便没有人可以注入像../../../../somefile这样的文件名来读取您的文件系统。使用下面的表达式,您可以使用任何字母和数字字符命名文件,但会拒绝点和空字节,这是file path-injection / directory traversal attack中的主要危险。
if(empty($_POST['page'])) die("0");
// Remove the typecast so you can use the whole string
//$page = (int)$_POST['page'];
// Just use the post val. This is safe because we'll validate it with preg_match() before use...
$page = $_POST['page'];
// And validate it as alphanumeric before reading the filesystem
if (preg_match('/^[a-z0-9]+$/i', $_POST['page']) && file_exists('pages/'.$page.'.html')) {
// Remove the page_ to use the whole thing
echo file_get_contents('pages/'.$page.'.html');
}
else echo 'There is no such page!';
答案 1 :(得分:1)
你需要改变不仅仅是为了让它发挥作用。
更改JS,以便除了井号外,它不会从URL中删除任何内容:
url=url.replace('#page','');
需要:
url=url.replace('#','');
更改PHP以处理字符串:
if(!$_POST['page']) die("0");
// Only allow alphanumeric characters and an underscore in page names
$page = preg_replace( "/[^\w]/", '', $_POST['page']);
if(file_exists('pages/'.$page.'.html'))
echo file_get_contents('pages/'.$page.'.html');
else echo 'There is no such page!';
现在在pages/目录中创建页面。
<li><a href="#home">Home</a></li>将为home.html <li><a href="#about">About</a></li>将为about.html <li><a href="#services">Services</a></li>将为services.html <li><a href="#page4">Page 4</a></li>将为page4.html 答案 2 :(得分:0)
将PHP更改为:
$page = $_POST['page'];
if(file_exists('pages/'.$page.'.html'))
echo file_get_contents('pages/'.$page.'.html');
现在您正在使用整个哈希标记,因此#about将导致: 页/ about.html
在javascript函数loadPage中更改此内容
url=url.replace('#page','');
变为
url=url.replace('#','');