dynamic web pages
On HBH I can see in profiles that they have *.html instead of *.php, so when I do some challenge or change my profile in any way, it immediately affects my profile page. But the standard HTML format can't do that, so I think there must be some PHP script that is doing this. Google bot likes the HTML format, so it's better to have "PHP in HTML". So can anyone recommend me a good tutorial on this? Thanks
I think it's the apache url rewrite mod doing that.
I wasn't aware that google had any preference over html pages versus php pages :wow:
but I guess you can add this line into your apache config file (or maybe do it with .htaccess) in the httpd.conf file:
```markup
AddType application/x-httpd-php .html
```
EDIT: NVM, follow mastergamer's suggestion, it's easier :P
here:
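```markup
<?php
// Take the requested page name from the query string; fall back to 'home'.
// $page goes straight into the require_once path in the template below.
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
?>
```
```markup
<div align="center">
<table width="700" height="800" border="0">
<tr>
<td height="62" valign="top"><span class="style1"><?php @ require_once ("pages/$page.html"); ?></span></td>
</tr>
</table>
</div>
```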
put your pages into the /pages directory.
I'm sure you'll know how to modify it for your own needs.
and before you say anything, NO it is NOT vulnerable to rfi!
Also, if you are just going to have a few pages on your site, and not be regularly adding extra things, you could use a switch statement.
well it is vulnerable to Local File Inclusion (LFI) and Poison Null Byte (PNB). for example, if you put in the url something like:
http://site.com/index.php?page=/../../../../etc/passwd%00
your code will execute:
```markup
<div align="center">
<table width="700" height="800" border="0">
<tr>
<td height="62" valign="top"><span class="style1"><?php @ require_once ("pages//../../../../etc/passwd%00.html"); ?></span></td>
</tr>
</table>
</div>
```
And if you ask what PNB does, then it makes null the effect of that .html
DrOptix wrote: well it is vulnerable to Local File Inclusion (LFI) and Poison Null Byte (PNB). for example, if you put in the url something like:
http://site.com/index.php?page=/../../../../etc/passwd%00
your code will execute:
```markup
<div align="center">
<table width="700" height="800" border="0">
<tr>
<td height="62" valign="top"><span class="style1"><?php @ require_once ("pages//../../../../etc/passwd%00.html"); ?></span></td>
</tr>
</table>
</div>
```
And if you ask what PNB does, then it makes null the effect of that .html
ah thanks optix, I didn't really think that code through properly :P
I guess it would be very easy though to just strip quotes from the page variable
well if you want to fix it you can by using the stripslashes() function because:
if you put in the url
blah/index.php?page=/../../etc/passwd%00
php will run something like:
```markup
include('http://site.com/pages//../../etc/passwd\0');
```
so by using:
```markup
include('http://site.com/pages/'.stripslashes($page).'.html');
```
you will eliminate the \ from \0
so after this filtering php will run:
```markup
include('http://site.com/pages//../../etc/passwd0.html');
```
so eventually the bad guy will get a 404 error :)
Edit: also you can use str_replace() to eliminate all dots (.). don't make the mistake of eliminating groups of chars like ../ because that can be bypassed ;)
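An allowlist approach to the `page` parameter, in the spirit of the switch-statement suggestion earlier in the thread, is sketched below as an added example that is not code from any poster. The function name `resolve_page()`, the temporary demo directory and the sample inputs are assumptions made for illustration; only the `pages/` layout comes from the thread.

```php
<?php
// Added example, not code from the thread. resolve_page() and the constructed
// inputs are hypothetical; the pages/ directory layout follows the thread.
declare(strict_types=1);

/** Map an untrusted ?page= value to a file inside $baseDir, or null. */
function resolve_page(string $requested, string $baseDir): ?string
{
    // Allowlist the name itself: letters, digits, '_' and '-' only, so dots,
    // slashes, backslashes and NUL bytes never reach the filesystem call.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    // Canonicalise; realpath() follows symlinks and returns false if missing.
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $requested . '.html');
    if ($base === false || $file === false) {
        return null;
    }
    // Containment: the resolved file must still live under the pages directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed self-check: a throwaway pages directory holding one page.
    $dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/home.html', '<p>home</p>');
    $inputs = ['home', 'missing', '/../../../../etc/passwd', "home\0", 'home.html'];
    foreach ($inputs as $in) {
        $out = resolve_page($in, $dir);
        $label = json_encode($in, JSON_UNESCAPED_SLASHES);
        printf("%-28s => %s\n", $label, $out === null ? 'rejected' : 'served');
    }
    unlink($dir . '/home.html');
    rmdir($dir);
} else {
    $page = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
    $file = resolve_page($page, __DIR__ . '/pages');
    if ($file === null) {
        http_response_code(404);
        exit('Page not found');
    }
    readfile($file); // static HTML is sent as data, never executed as PHP
}
```

Using `readfile()` instead of `require_once` means a file under `pages/` is only ever output, so even a page with unexpected content cannot run as PHP.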