I've seen a couple requests for adding additional website type content to a store front and no modules exist for doing this... so... here is a simple solution:
You'll need to edit
<INSTALL DIR>/catalog/view/theme/default/template/common/header.tpl
first, replace:
<?php echo $heading_title; ?>
with:
<?php if(!isset($_GET['content'])) { echo $heading_title; } ?>
then, replace:
<?php echo $welcome; ?>
with:
<?php
if(isset($_GET['content'])) {
$content = $_GET['content'] . ".php";
include ($content);
} else {
echo $welcome;
}
?>
Now... create some new content:
create a .php file in the same direct as the file you just edited. Add whatever HTML you would like (remember, this is going to display in the content area of the welcome page, so no need for html, head or body tags). Save and close the file. e.x. my_new_content.php
Next, to display the content, using the following query stirng to access the override html:
http://<YOUR URL>/index.php?content=my_new_content
or
http://<YOUR URL>/?content=my_new_content
This will override the standard content of the homepage with whatever content yo would like to add. You can create as many new content pages as you would like, just change the query string appropriately.
Hope someone finds this useful,
Chris
I have to say this is HIGHLY insecure, since you're basically giving someone free reign of your file system. You need to sanitize the name of the file before including, to prevent people from accessing files they shouldn't
Agreed with Jay, This is the number one thing NOT to do for security reasons. That is a big XSS hole you are opening:
More on the topic:
http://www.testingsecurity.com/how-to-t ... -Injection
Normally in the case where you support GET parameters you would at least try to sanitize it. Force certain data to be a number, etc. But you are actually allowing fullblown content to be passed in here.
More on the topic:
http://www.testingsecurity.com/how-to-t ... -Injection
Normally in the case where you support GET parameters you would at least try to sanitize it. Force certain data to be a number, etc. But you are actually allowing fullblown content to be passed in here.
Please do feel free to expand on this, as it was nothing more than a starting point for how to display alternate content. If the URL was sanitized... an array index or such, are their potentially other issues? It would be helpful to know...
Thanks!
Thanks!
http://www.php.net/basename
That would be a start really. I wasn't saying you were classing this as the ultimate solution, I realise you were just putting a bit of code to help others, but when you give stuff like this I feel it needs the warning at least so people know (and clearly you didn't either) and can at least use it with caution
You can also use something like a simple regular expression
$content = preg_replace('/\W/','', $_GET['content']);
a file_exists would also make sense to see if the file exists first before trying to include it, to save on errors coming up when one is incorrect
That would be a start really. I wasn't saying you were classing this as the ultimate solution, I realise you were just putting a bit of code to help others, but when you give stuff like this I feel it needs the warning at least so people know (and clearly you didn't either) and can at least use it with caution
You can also use something like a simple regular expression
$content = preg_replace('/\W/','', $_GET['content']);
a file_exists would also make sense to see if the file exists first before trying to include it, to save on errors coming up when one is incorrect
Who is online
Users browsing this forum: No registered users and 5 guests
