Help me about $_REQUEST

CΛSTΞX · 02-21-2008, 05:30 PM

I have a file edit script. But I wan to get $loadcontent from a form and request the file name. So if user write a filename, the $loadcontent will use this.

How can I do it ?

PHP Code:


			
<?php 

$loadcontent = "info.php"; 

    if($save_file) { 

        $savecontent = stripslashes($savecontent); 

        $fp = @fopen($loadcontent, "w"); 

        if ($fp) { 

            fwrite($fp, $savecontent); 

            fclose($fp);

print '<a href='.$_SERVER[PHP_SELF].'>Refresh</a>'; 

print "<html><head><META http-equiv=\"refresh\" content=\"0;URL=$_SERVER[PHP_SELF]\"></head><body>"; 

 

} 

} 

    $fp = @fopen($loadcontent, "r"); 

        $loadcontent = fread($fp, filesize($loadcontent)); 

$lines = explode("\n", $loadcontent);

$count = count($lines);

        $loadcontent = htmlspecialchars($loadcontent); 

        fclose($fp); 

for ($a = 1; $a < $count+1; $a++) {

$line .= "$a\n";

}

?> 

<form method=post action="<?=$_SERVER[PHP_SELF]?>">    

<table width="900px" valign="top" border="0" cellspacing="1" cellpadding="1">

  <tr>

    <td width="3%" align="right" valign="top"><pre style="text-align: right; padding: 4px; overflow: auto; border: 0px groove; font-size: 12px" name="lines" cols="4" rows="<?=$count+3;?>"><?=$line;?></pre></td>

    <td width="900px" align="left" valign="top"><textarea style="text-align: left; padding: 0px; overflow: auto; border: 3px groove; font-size: 12px" name="savecontent" cols="100" rows="<?=$count;?>" wrap="OFF"><?=$loadcontent?></textarea></td>

  </tr>

</table>

 

<br> 

<input type="submit" name="save_file" value="Kaydet">    

</form>

SOCK · 02-21-2008, 08:18 PM

DISCLAIMER: Allowing the user to dictate the file to open / write / etc is dangerous. You do not want to do this.

I'd assume that you'd want to use a form input tag to allow the user to input a filename. Access it via the $_POST superglobal array, e.g.

PHP Code:


			
// assumes form input tag name is 'filename'

if ( !empty($_POST['filename']) ) {

  // make sure you validate input better than this!!

  $loadcontent= trim($_POST['filename']);

}

If you absolutely have to do this, which I recommend against, you should consider having a known list of filenames and a drop-down list for the user to select from, then test for these know filenames in the script upon input. That way they can't simply input a file on the server to manipulate.

Make sure you refer to $_SERVER[PHP_SELF] as $_SERVER['PHP_SELF'] or you'll get undefined constant errors (or at least you should if you have the proper error_reporting level set). Additionally, the use of $_SERVER['PHP_SELF'] has been shown to be vulnerable to XSS attacks, it's advised to hardcode the script name, or at least use htmlentities() to wrap PHP_SELF value.

One other important point - don't use $_REQUEST. Use either $_GET, $_POST or $_COOKIES depending on your data source.

CΛSTΞX · 02-21-2008, 08:28 PM

Thanks a lot, can you please give me the full code ?

SOCK · 02-22-2008, 12:57 AM

Uh, no. That example, paired with the PHP Manual should get you started.

CΛSTΞX · 02-22-2008, 02:53 AM

:D Probably, you are a teacher or sth. ?

I am getting errors when I am trying to do it.

CΛSTΞX · 02-23-2008, 02:20 AM

Ok, can someone explain what do these errors mean ??

Warning: fread(): supplied argument is not a valid stream resource in /usr/hosts/domains/propaket/bodrumlife_pro/www.********.net/httpdocs/Sayfaedit.php on line 15

Warning: fclose(): supplied argument is not a valid stream resource in /usr/hosts/domains/propaket/bodrumlife_pro/www.********.net/httpdocs/Sayfaedit.php on line 19

SOCK · 02-23-2008, 02:28 AM

Looks like you're either not passing a correct path to fread() or you've got one of the remote_files settings keeping you from reading that file / URL.

CΛSTΞX · 02-24-2008, 01:56 AM

Thanks a lot, I wrote these and the script goes right ;)

PHP Code:


			
if( empty($_POST["filename"]) )
{
$loadcontent = "";
echo "You didnt write anything.";
echo "<a href='javascript:history.back()'><div class=yazi>Back</div></a>"; 
exit;
}
else if (file_exists($_POST["urll"])) { 
$loadcontent = $_POST["urll"]; 
} else { 
echo "File doesnt exist."; 
echo "<a href='javascript:history.back()'><div class=yazi>Back</div></a>"; 
exit;
}

SOCK · 02-24-2008, 02:14 AM

Nice.

Don't forget, make sure you filter that properly so they can't just enter any file name and have it accessed.

Something like this using in_array() is the norm:

PHP Code:


			
$requestedFile= trim($_POST['url1']);



$allowedFileList= array(

  "file1.txt", "file2.txt", "file3.txt"

);



if ( in_array( $requestedFile, $allowedFileList ) 

 && is_file( $requestedFile ) ){



  // allow them access to the file



}

This of course, along with the regular filters and checking for an empty string, etc.