Link to your own pages to show your content in the content area of Squirrelcart

[Jamie]

OK...this is a better and slightly more complicated way to handle adding links that will show your own content inside Squirrelcart's content area. This post is basically a new way to do what we described here:
http://www.ldev.com/forums/showthread.php?t=224

This is a 2 part thread. Part one shows you the basics of getting this method to work. Part 2 gives you a way to make an improvement on it. There are important security concerns with this, so make sure you read this in it's entirety and don't leave anything out!

For Version 2.x ONLY
Update - 04/28/2009 - The code below will only work in version 2.x of Squirrelcart. For similar code for v3, see the next post in this thread.

Part 1

You need a way to tell Squirrelcart what file to grab content from. You can do this via a GET query in the URL as follows:

http://www.example.com/store.php?page=test

With that query, you are sending a variable named 'page', which can be accessed via PHP like this example:

PHP Code:

<?php print $_GET['page']; ?>

PHP can include any file and will show it's contents as in this example:

PHP Code:

<?php include 'test.php'; ?>

Now, you may be thinking that you could send a query like "store.php?page=test.php" and then just do this and be done with it:

PHP Code:

<?php include $_GET['page']; ?>

DO NOT DO THAT!! REPEAT, DO NOT DO THAT!! (oh, and definitely don't do that!)
It is a HUGE security risk. With that method, they can include any page on your server and use it for hacking purposes. If you have http wrappers enabled in PHP, someone could even include a file on a remote site, and leave you open to some major hacking.

The best way to handle this is to find this code in your storefront page (store.php by default):

PHP Code:

// Cart Content section
include "$cart_isp_root/cart_content.php" ; 


After that section, add this code:

PHP Code:

// make sure $page is a word only
 if (preg_match('/^[\w-]+$/',$_GET['page'])) {
     // include page only if it exists
     if (file_exists("$_GET[page].php")) include "$_GET[page].php";
 } 


The first if statement makes sure that the value of page is a word. It keeps hackers from sending anything non alphanumeric, which would allow them to pass URLs, dots (../../) to traverse up your directory structure, etc...

The second if statement will include the page ONLY if it exists inside your web root.

After adding that code, put a file named "test.php" in your web root folder and put some test HTML in it:

Code:

<b>Hello World!</b>

Now, enter the following URL using your own domain name:
http://www.example.com/store.php?page=test

If you did this right, you should see the contents of test.php inside the content area of your storefront page.

Now, for those of you that want more, read on...

Part 2

This part requires that you've already followed the instructions in Part 1 above. If you haven't, then do that first before proceeding.

Now, you should have the ability to create links to your own pages, and can still keep them in the design you have setup for your storefront. This method improves on the above by:

1. Allowing you to dynamically change the page title, and the "keywords" and "description" meta tags

2. Allowing you to use the actual page name in the link, instead of the query string URL. In other words, you can do this:
http://www.example.com/test.php

Instead of:
http://www.example.com/store.php?page=store

This gives you an advantage with search engines indexing these pages.

Open the test.php file you made in Part 1, and add this to the very top:

PHP Code:

<?php
if (!$_GET['page']) {
    $_GET['page']    = "test";
    $Title            = "My test page";
    $Keywords        = "my dog has fleas";
    $Description    = 'this is a test of the emergency broadcast system';
    include "store.php";
    return;
}
?>

Now, save the page and load it in a browser:
http://www.example.com/test.php

You should see the same thing you saw when you went to http://www.example.com/store.php?page=test

Now, you have a nicer URL. Look up at the window's title bar and you should also see you have a page title. If you view source on the page, you'll see something like this:

Code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
    <meta name="title" content="My test page">
    <meta name="keywords" content="my dog has fleas">
    <meta name="description" content="this is a test of the emergency broadcast system">
    <title>My test page</title>
    <!-- etc... -->

You can put any HTML (or PHP) you like in your pages, as long as you have that PHP code section at the top.

[Jamie]

For Version 3.x
As of version 3, Squirrelcart has built in support for creating your own pages via link and content records in your control panel. This is explained here. That is the recommended approach to create pages that appear within Squirrelcart's storefront.

If you would prefer to create pages manually that use your own PHP files in a similar fashion to the version 2.x code explained above, you can still do that. Here's how.

Part 1

In order to make the changes described below, you need to know how to properly modify templates in Squirrelcart via a custom theme. If you aren't familiar with how to do that, it is very important to read this topic first.

You need a way to tell Squirrelcart what file to grab content from. You can do this via a GET query in the URL as follows:

http://www.example.com/store.php?page=test

With that query, you are sending a variable named 'page', which can be accessed via PHP like this example:

PHP Code:

<?php print $_GET['page']; ?>

PHP can include any file and will show it's contents as in this example:

PHP Code:

<?php include 'test.php'; ?>

Now, you may be thinking that you could send a query like "store.php?page=test.php" and then just do this and be done with it:

PHP Code:

<?php include $_GET['page']; ?>

DO NOT DO THAT!! REPEAT, DO NOT DO THAT!! (oh, and definitely don't do that!)
It is a HUGE security risk. With that method, they can include any page on your server and use it for hacking purposes. If you have http wrappers enabled in PHP, someone could even include a file on a remote site, and leave you open to some major hacking.

The best way to handle this is to find this code in your store_main.tpl.php template file:

PHP Code:

<?php print $Cart_Content; ?>

Directly before that line, add this code:

PHP Code:

<?php
// make sure $page is a word only
if (preg_match('/^[\w-]+$/',$_GET['page']) && file_exists("$_GET[page].php")) {
    ob_start();                
    print "<div class=\"sc_content sc_main_content\">";
    include "$_GET[page].php";
    print "</div>";
    $Cart_Content = ob_get_clean();
} 
?>

The first part of the if statement makes sure that the value of page is a word. It keeps hackers from sending anything non alphanumeric, which would allow them to pass URLs, dots (../../) to traverse up your directory structure, etc...

The second part of the if statement will include the page ONLY if it exists inside your web root.

After adding that code, put a file named "test.php" in your web root folder and put some test HTML in it:

Code:

<b>Hello World!</b>

Now, enter the following URL using your own domain name:
http://www.example.com/store.php?page=test

If you did this right, you should see the contents of test.php inside the content area of your storefront page.

Now, for those of you that want more, read on...

Part 2

This part requires that you've already followed the instructions in Part 1 above. If you haven't, then do that first before proceeding.

Now, you should have the ability to create links to your own pages, and can still keep them in the design you have setup for your storefront. This method improves on the above by:

1. Allowing you to dynamically change the page title, and the "keywords" and "description" meta tags

2. Allowing you to use the actual page name in the link, instead of the query string URL. In other words, you can do this:
http://www.example.com/test.php

Instead of:
http://www.example.com/store.php?page=store

This gives you an advantage with search engines indexing these pages.

Open the test.php file you made in Part 1, and add this to the very top:

PHP Code:

<?php
if (!$_GET['page']) {
    $_GET['page']    = "test";
    $Title            = "My test page";
    $Keywords        = "my dog has fleas";
    $Description    = 'this is a test of the emergency broadcast system';
    include "store.php";
    return;
}
?>

If you renamed your storefront page to something other than store.php, change the string store.php in the code above to match the name of your storefront page.

Now, save the page and load it in a browser:
http://www.example.com/test.php

You should see the same thing you saw when you went to http://www.example.com/store.php?page=test

Now, you have a nicer URL. Look up at the window's title bar and you should also see you have a page title. If you view source on the page, you'll see something like this:

Code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
    <meta name="title" content="My test page">
    <meta name="keywords" content="my dog has fleas">
    <meta name="description" content="this is a test of the emergency broadcast system">
    <title>My test page</title>
    <!-- etc... -->

You can put any HTML (or PHP) you like in your pages, as long as you have that PHP code section at the top.

[LouDog]

This is good stuff Jamie. Thanks for taking the time to put this together.

[Jamie]

Your welcome! Glad you like it.

[pdunton]

Attempting to convert to using the system described above for inserting local pages. Looks much cleaner than what I am currently doing.

Works fine on my localhost setup but I get an error message when setting up live.

"Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/pdunton/public_html/origins.php:1) in /home/pdunton/public_html/squirrelcart/pre_common.php on line 177"

Need input.

Phil Dunton
Tucson

[Jamie]

Let's see if I can explain this. In order for PHP to start a session, it needs to be done PRIOR to it sending headers to your browser. If you try to start sessions after headers have been sent, you get that error.

Any output at all to the browser will trigger headers to be sent. This is usually caused by a blank space or line. Check that "origins.php" file for that, at line #1.

[pdunton]

Well, how about that.
Had a "Tab" at the start of each page which wasn't visible!

Works OK now, Jamie you're amazing.

Phil Dunton
Tucson

[Jamie]

Hi Phil,

Glad it's fixed.

[avarhirion]

question: the bestsellers box doesn't display on my custom pages, is there a reason for this?

[Jamie]

The best sellers nav block only appears on the home page by default. If you want it on all pages, remove the code in the Show When field on it's record in the control panel.

[RobC]

I followed the above tutorial instructions and now have http://mysite.com/test.php and other pages working perfectly in the main menu box.

A problem occurs when customers are automatically returned to my site from the Worldpay server after making their card payments. Upon return, the URLs in the main menu box no longer point to my site. This is what we get instead: https://select.worldpay.com/aequitas/test.php

Clicking the links in the main menu box of course brings 404 errors.

I'm not sure how to approach fixing this problem. Is it a problem with the Worldpay module, or a problem with the shortened URLs in the above tutorial?

Thanks in advance.

[Jamie]

A few gateways won't actually return the customer to your website. They have their server request your return page, and then they output the HTML returned from your site to the customer, while still leaving them on their website.

I don't remember if Worldpay does this or not. You can easily tell by looking at the URL in your browser when they "return" the customer to your site. If it isn't your URL, then they are one of these few gateways.

If that is what is going on here, you need to use full URLs for all links. Relative URLs will become relative to their server, not yours and will fail.

If that is what is happening, just change your links from "blah.php" to "http://www.example.com/blah.php" and it should fix the problem.

[RobC]

Worldpay is indeed one of those few gateways which keeps the customer on their site. I tried your suggestion of using full, rather than relative URLs, and it fixed the problem. And I keep the search engine friendly URLs. Jamie, you're a star.

[nwbach]

This is concerning creating a link to new content (part 1 and 2 at the top of this page). How would you get a link to this new content page into the left nav bar?

[welshandy]

Excellent post. Just what I was looking for.

Thanks J.