
[SOLVED] Help against injection


the-hardy-kid


I am just playing around on my home server, trying to make a website that allows me to upload .txt files.

The problem is, I can inject HTML, PHP, anything into my page. How can I prevent this?

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Browsing <?php echo $_REQUEST['name']; ?></title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php require("header.txt") ?>
<div id="content" class="upload">
<?php
// Build the path from the request parameter and include the chosen file;
// this is where the uploaded content ends up in the page.
$name = "upload/" . $_REQUEST['name'];
if (file_exists($name))
{
    require($name);
}
else
{
    echo "Don't play with the url bar - file doesn't exist";
}
?>
<br><br>
<a href="upload_form.php">Upload</a>
</div>
</body>
</html>


You could restrict uploads to just text files.

 

// Accept only uploads the browser labelled as plain text. The correct MIME
// type is "text/plain"; note that $_FILES[...]["type"] is supplied by the
// client, so this is a first filter, not proof of what the file contains.
// $target is the destination path chosen earlier in the upload script.
if ($_FILES["uploaded"]["type"] == "text/plain")
{
    move_uploaded_file($_FILES["uploaded"]["tmp_name"], $target);
} else {
    $error[] = 'Wrong type selected. Only text files accepted!';
}

That's not his problem, if I put some HTML within a text file, and use require to display it, it will still echo out onto his screen.

 

The same thing would happen if I were to add some JavaScript code to it. I doubt any PHP would be able to be executed, but I haven't tried that before.

 

 

Whilst restricting the input to a *.txt file is important, it doesn't solve the problem...

 

ILMV

Use this code instead of require();

 

$data = file_get_contents($name);
echo(htmlentities($data));

 

This will load the contents of the file into a variable, then you can apply htmlentities to it.

 

 

ILMV
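A hardened version of the viewer page, as an added example that is not code from this thread. It keeps the layout from the first post (files under upload/, chosen with ?name= on the URL) and applies the htmlentities fix above; the helper names h, safeTxtName and renderTxt and the filename whitelist are my additions, not the poster's.

```php
<?php
// Added example (not code from the thread): a hardened version of the
// viewer page. Assumes the original layout: uploads live in ./upload/
// and the file is chosen with ?name=... on the URL.
declare(strict_types=1);
const UPLOAD_DIR = __DIR__ . '/upload';

// Escape for HTML output. ENT_QUOTES also covers attribute contexts and
// the charset must match the page's own encoding.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only a bare name of safe characters ending in .txt, so
// "../" and other extensions never reach a filesystem call.
function safeTxtName(?string $raw): ?string
{
    return ($raw !== null && preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $raw)) ? $raw : null;
}

// Read the upload as data and return it escaped. Never require()/include()
// uploaded content: that executes any PHP inside it.
function renderTxt(string $name): ?string
{
    $real = realpath(UPLOAD_DIR . '/' . $name);
    $base = realpath(UPLOAD_DIR);
    if ($real === false || $base === false || !is_file($real)
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return h((string) file_get_contents($real));
}

$name = safeTxtName($_GET['name'] ?? null);
$body = $name !== null ? renderTxt($name) : null;
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Browsing <?= $name !== null ? h($name) : 'upload' ?></title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<pre><?= $body ?? h("Don't play with the url bar - file doesn't exist") ?></pre>
<a href="upload_form.php">Upload</a>
</body>
</html>
```

The file is treated purely as data: the escaped text is shown inside a pre element, so markup, script and PHP tags in the upload appear literally instead of running.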

 

Thank you very much. This definitely solved my problem.
