edit page

@bringerofnightNov 11.2005

Could someone please correct this PHP code i’ve looked it over several times and can’t find out what’s wrong with it?

[code=php] <?php if(empty($_GET[‘action’])){ ?>

<form action=”<?php echo $_SERVER[‘PHP_SELF’]; ?>?action=write” method=”post”> <textarea name=”contents” rows=”10″ cols=”60″> <?php

$fp=fopen(“$_POST[‘file’]”, “r”);

while (!feof($fp)){ $line=fgets($fp); print stripslashes(“$line”); }

fclose($fp);

?> </textarea><br/><br />

<input type=”submit” value=”Submit” /> </form>

<?php

}else{

$fp=fopen(“$_POST[‘file’]”, “w”); fputs($fp, $_REQUEST[‘contents’]);

if (fclose($fp)){ print “<h2>File successfully saved</h2>n”; }else{ print “<h2><font style=”color:red;”>There was a problem saving the file</font></h2>n”; }

print “<input type=”button” value=”Go Back” onClick=”window.location.href='”.$_SERVER[‘PHP_SELF’].”‘;” />”;

}

?><br><br>Your File<hr><?php include “$_POST[‘file’]”; ?> <html> <head> <title>Page Editer</title> </head> <body> <form action=”<? $PHP_SELF ?>”> <input type=”text” value=”file”> <input type=”submit” value=”submit”> </form> </body> </html> [/code]

to post a comment

PHP

10 Comments(s) _↴

@mitconNov 11.2005 — #To quote Dr. Evil...

"Will somebody throw me a frickin' bone here?!"

What error(s) are you seeing???

@bringerofnightauthorNov 11.2005 — #T_STRING error

@mitconNov 11.2005 — #I don't recognize the T_NAME error, but I have always had better luck with the first form of your PHP_SELF/form action line.

Try using your first version on the second line and see if that fixes anything. It would be better to be consistent in your usage anyway <g>...

I'm on my way out the door (from work) I'll check in when I get home in about an hour.

@bokehNov 11.2005 — #[I]

[code=php]$fp=fopen("$_POST['file']", "w");
 fputs($fp, $_REQUEST['contents']);[/code]

[/I]Blimey! So someone can choose a filename with $_POST and then can fill it with whatever [I]content[/I] they fancy. Don't you think there is a bit of a security flaw there?

@mitconNov 12.2005 — #You should also either be checking for the existence of the file or checking the status of the fopen() function. As written you don't know whether there wa a problem opening the files or not.

Now that I've looked at it closer, take the $_POST['file'] put of quotes, it is a variable of type string anyway.

Also, get rid of the $_REQUEST references. Retrieve the form variables using the appropriate array ($_GET, $_POST, $_COOKIE...), it's more secure.

I know that your original question was NOT security oriented, but, secure practices are essential. Remember the adage "All input is EVIL", at least until you have verified, filtered and escaped everything. Take heed of where Bokeh is coming from. I'm sure that we can give some pointers.

As usual, good eye Bokeh...

@bringerofnightauthorNov 13.2005 — #I rewrote it from scratch

[B]

form.htm

[/B]l

[code=html]
 <html>
 <head>
 <title>Page Editer</title>
 </head>
 <body>
 <form action="edit2.php">
 <input type="text" name="file">
 <input type="submit" value="submit">
 </form>
 </body>
 </html>
 [/code]

[B]edit2.php[/B]

[code=php]
 <?php
 if(empty($_GET['action'])){
 ?>
 
 <form action="<?php echo $_SERVER['PHP_SELF']; ?>?action=write" method="post">
 <textarea name="contents" rows="10" cols="60">
 <?php
 
 $fp=fopen($_POST['file'], "r"); 
 
 while (!feof($fp)){
 $line=fgets($fp);
 print stripslashes("$line");
 }
 
 fclose($fp);
 
 ?>
 </textarea><br/><br />
 
 
 <input type="submit" value="Submit" />
 </form>
 
 <?php
 
 }else{
 
 $fp=fopen($_POST['file'], "w");
 fputs($fp, $_REQUEST['contents']);
 
 
 if (fclose($fp)){
 print "<h2>File successfully saved</h2>n";
 }else{
 print "<h2><font style="color:red;">There was a problem saving the file</font></h2>n";
 }
 
 print "<input type="button" value="Go Back" onClick="window.location.href='".$_SERVER['PHP_SELF']."';" />";
 
 }
 
 ?>
 [/code]

Ok the form.html page works perfect but when i submit the edit2.php page just never loads could someone correct this error.

@bringerofnightauthorNov 16.2005 — #anyone there?

@bokehNov 16.2005 — #anyone there?[/QUOTE]Yes! But you are not listening. Please be advised that this:[I]

[code=php]$fp=fopen($_POST['file'], "w");
 fputs($fp, $_REQUEST['contents']);[/code]

[/I]is a major security issue. It allows anyone delete or overwrite any file on your server with any content they choose.

@SheldonNov 16.2005 — #you need correct syntax in your form for a start

[code=php]
 <html>
 <head>
 <title>Page Editer</title>
 </head>
 <body>
 <form action="edit2.php" enctype="multipart/form-data" method="post">
 <input type="text" name="file">
 <input type="submit" value="submit">
 </form>
 </body>
 </html> 
 [/code]

And please take note of what Bokeh is saying else you will greatly compromise your servers/sites security.

@mitconNov 17.2005 — #While you're at it take a long look at the 'File' input type and the associated $_FILES super global. I too will restress what Bokeh is saying...in addition to seriously looking at some of the other apparent, basic file system and security issues that you're overlooking.

Take a step back and think in black and white, like a computer. It will only do what you (or anyone else) tells it to do; no more and certainly no less.

Mitch

Also in #PHP _↴

Lotto number generator help [RESOLVED] Anonymous Recursion?[RESOLVED] Help with displaying query results

Success!

Help @bringerofnight spread the word by sharing this article on Twitter...

Tweet This

edit page

10 Comments(s) _↴

Also in #PHP _↴

Success!

Social

Version

edit page

10 Comments(s) ↴

Also in #PHP ↴

Success!

The web is an endless sea of information. Don't miss the boat... Subscribe!

Social

Version

10 Comments(s) _↴

Also in #PHP _↴