the-hardy-kid Posted January 10, 2009

I am just playing around on my home server, trying to make a website that allows me to upload .txt files. The problem is, I can inject HTML, PHP, anything into my page. How can I prevent this?

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Browsing <?php echo $_REQUEST['name']; ?></title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php require("header.txt") ?>
<div id="content" class="upload">
<?php
$name = "upload/" . $_REQUEST['name'];
if(file_exists($name)) {
    require($name);
} else {
    echo "Don't play with the url bar - file doesn't exist";
}
?>
<br><br>
<a href="upload_form.php">Upload</a>
</div>
</body>
</html>
ILMV Posted January 10, 2009

Use this code instead of require():

$data = file_get_contents($name);
echo(htmlentities($data));

This will load the contents of the file into a variable, then you can apply htmlentities to it.

ILMV
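The escaping ILMV suggests takes care of HTML and script inside the file, but the original page also builds the path from $_REQUEST['name'] and echoes that name unescaped into the title, so a complete fix needs to constrain the file name as well. The following is an added example written for this thread, not code from either poster: it assumes uploads live in ./upload and that stored file names match a simple pattern (letters, digits, underscore, hyphen, ending in .txt), which lets the viewer reject anything that could resolve outside that directory before it touches the filesystem.

```php
<?php
// Added example (not from the thread): a hardened version of the viewer page.
// Assumptions: uploads live in ./upload and stored names are restricted to a
// simple safe pattern, so the request parameter can never escape that directory.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/upload';

/**
 * Return the validated absolute path for a requested file name, or null if the
 * name is not acceptable. The regex rejects path separators outright, and the
 * realpath() comparison confirms the resolved file really sits inside UPLOAD_DIR
 * (covers symlinks as well as "../" sequences).
 */
function resolveUploadedTextFile(string $requestedName): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $requestedName)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $requestedName);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() drops trailing slashes, so compare with the separator appended.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Escape text for inclusion in HTML. The file is treated purely as data:
 * unlike require(), PHP tags in it are never executed and any HTML or
 * JavaScript it contains is rendered literally.
 */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

$requestedName = isset($_GET['name']) && is_string($_GET['name']) ? $_GET['name'] : '';
$path = resolveUploadedTextFile($requestedName);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<!-- The name is escaped here too; the original echoed it raw into the title -->
<title>Browsing <?php echo escapeHtml($requestedName); ?></title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php require("header.txt"); ?>
<div id="content" class="upload">
<?php if ($path === null): ?>
Don't play with the url bar - file doesn't exist
<?php else: ?>
<pre><?php echo escapeHtml((string) file_get_contents($path)); ?></pre>
<?php endif; ?>
<br><br>
<a href="upload_form.php">Upload</a>
</div>
</body>
</html>
```

The file contents go inside a pre element so line breaks survive; htmlspecialchars with ENT_QUOTES is used rather than htmlentities because only the five HTML-significant characters need converting and the explicit UTF-8 charset avoids surprises with the default encoding. Reading $_GET instead of $_REQUEST is a deliberate narrowing: the page only ever passes the name in the query string.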
nuttycoder Posted January 10, 2009

You could restrict uploads to just text files.

// $target is the destination path chosen by the caller
if ($_FILES["uploaded"]["type"] == "text/plain") {
    move_uploaded_file($_FILES["uploaded"]["tmp_name"], $target);
} else {
    $error[] = 'Wrong type selected. Only text files accepted!';
}
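The type entry in $_FILES is whatever the uploading browser declared; PHP does not verify it, so a check on that field alone restricts nothing. The following added example (written for this thread, not nuttycoder's or anyone else's code) shows a stricter version of the same "text files only" idea. It assumes the form field is named "uploaded", that files are stored in ./upload, and that stored names are regenerated on the server so the client-supplied file name never reaches the filesystem.

```php
<?php
// Added example (not from the thread): a stricter "text files only" upload
// handler. Assumptions: form field "uploaded", storage in ./upload, and
// server-generated file names.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/upload';
const MAX_BYTES  = 256 * 1024;

/**
 * Validate one entry from $_FILES and return a problem description, or null if
 * the upload is acceptable. $file['type'] is the browser's claim and is
 * deliberately ignored; the content is sniffed with fileinfo instead.
 */
function validateTextUpload(array $file): ?string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed (error code ' . (int) ($file['error'] ?? -1) . ').';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'Not an uploaded file.';
    }
    if ($file['size'] > MAX_BYTES) {
        return 'File too large.';
    }
    // The client-supplied name is checked for a .txt extension and used for nothing else.
    if (!preg_match('/\.txt\z/i', (string) $file['name'])) {
        return 'Wrong type selected. Only text files accepted!';
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== 'text/plain') {
        return 'Content does not look like plain text (' . $mime . ').';
    }
    return null;
}

/**
 * Store a validated upload under a random server-generated name and return
 * that name. The name matches the pattern a viewer can safely whitelist.
 */
function storeTextUpload(array $file): string
{
    $name = bin2hex(random_bytes(8)) . '.txt';
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file.');
    }
    chmod($dest, 0644);
    return $name;
}

if (isset($_FILES['uploaded'])) {
    $problem = validateTextUpload($_FILES['uploaded']);
    if ($problem !== null) {
        echo htmlspecialchars($problem, ENT_QUOTES, 'UTF-8');
    } else {
        $stored = storeTextUpload($_FILES['uploaded']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    }
}
```

Sniffing with fileinfo is a stronger check than the extension alone (libmagic may, for example, classify a file that opens with a PHP tag as text/x-php rather than text/plain, which this code rejects), but the real protection is that the viewer never executes the file regardless of what it contains; the upload checks just keep junk out of the directory.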
ILMV Posted January 10, 2009

That's not his problem. If I put some HTML within a text file, and use require to display it, it will still echo out onto his screen. The same thing would happen if I were to add some JavaScript code to it. I doubt any PHP would be able to be executed, but I haven't tried that before.

Whilst restricting the input to a *.txt file is important, it doesn't solve the problem...

ILMV
the-hardy-kid (Author) Posted January 10, 2009

> Use this code instead of require():
>
> $data = file_get_contents($name);
> echo(htmlentities($data));
>
> This will load the contents of the file into a variable, then you can apply htmlentities to it.
>
> ILMV

Thank you very much. This definitely solved my problem.
Archived
This topic is now archived and is closed to further replies.