[SOLVED] Help against injection

[the-hardy-kid]

I am just playing around in my home server, trying to make a website that allows me to upload .txt files.

The problem is, I can inject html, php, anything into my page. How can i prevent this?

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Browsing <?php echo $_REQUEST['name']; ?></title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php require("header.txt") ?>
<div id="content" class="upload">
<?php
$name = "upload/" . $_REQUEST['name'];
if(file_exists($name))
{
require($name);
}
else
{
echo "Don't play with the url bar - file doesn't exist";
}
?>
<br><br>
<a href="upload_form.php">Upload</a>
</div>
</body>
</html>

[ILMV]

Use this code instead of require();

 

$data = file_get_contents($name);
echo(htmlentities($data));

 

This will load the contents of the file into an variable, then you can apply htmlentities to it.

 

 

ILMV

[nuttycoder]

you could restrict uploads to just text files.

 

switch ($_FILES["uploaded"]["type"]) {

if ($_FILES["uploaded"]["type"] == "plain/text")
{
move_uploaded_file($_FILES["uploaded"]["tmp_name"],$target);
} else {
    $error[] = 'Wrong type selected. Only text files accepted!.';
}

[ILMV]

That's not his problem, if I put some HTML within a text file, and use require to display it, it will still echo out onto his screen.

 

The same thing would happen if I were to ad some JavaScript code to it, I doubt any PHP would be able to be executed, but I haven't tried that before.

 

 

Whilst restricting  the input to a *.txt file is important, it doesn't solve the problem...

 

ILMV

[the-hardy-kid]

Use this code instead of require();

 

$data = file_get_contents($name);
echo(htmlentities($data));

 

This will load the contents of the file into an variable, then you can apply htmlentities to it.

 

 

ILMV

 

Thank you very much. This definitely solved my problem.