Losing contents of variable


Jiin

Hello All, Thanks in advance!

Running php5 on Linux, server side.

My code is supposed to:

1) Accept a variable from a previously clicked page via the RemoveProperty.php?propertyremove=thisfile.xml

2) Open and display the file to user, ensuring they REALLY want to delete the file

3) Delete the file

Steps 1 & 2 are working; as soon as I hit step 3 I lose the contents of the variable ($_GET['propertyremove']), i.e. the file I want to remove, and therefore cannot delete the file. Step 3 is activated, it just doesn't work.

I think it has something to do with $_SERVER['PHP_SELF'] reloading the page and losing the variable, or my placement of <?php ?> tags. I am not sure, ANY help is greatly appreciated! :D

Problem Script:

--------------------------------------

<?php
//Including functions
include '../php_functions.php';

//file to remove is located in $_GET['propertyremove']
$file2remove = $_GET['propertyremove'];

if(isset($_GET['propertyremove']) && !isset($_POST['submit']))
{
//Ensure file exists
if (!is_file("$file2remove")) {
die("Error, $file2remove does not exist.");
}

//Open xml file we are removing and load into HTML form
$xml = simplexml_load_file("$file2remove");


echo "If YOU ARE YOU SURE you want to remove $file2remove then click \"remove\" <br /><br />";
?>

<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="POST">
<?php
foreach($xml->children() as $child) {
        $xmltagname = $child->getName();
        echo $xmltagname . ": " . $child . "<br />";
        echo "<input type=\"text\" size=\"60\" name=\"$xmltagname\" value=\"$child\" />";
        echo "<br /><br /><br />";
}
echo "<input type=\"submit\" name=\"submit\" value=\"submit\" />";
echo "</form>";
}



//If the form has already been submitted then remove XML file
elseif(isset($_POST['submit']))
{
//Rename  file
unlink($file2remove, $file2remove.back);
echo "<h1>You have removed $file2remove</h1>";
}
?>

Link to comment
Share on other sites

If this page is on the internet, and you have no other code protecting what file is being removed, it will be VERY easy to erase your entire website once this script gets fixed.

 

I REPEAT:  THIS IS A DANGEROUS SCRIPT!!!!

 

The action in your form is using PHP_SELF, which does NOT include the GET variables that were passed in to the script.  You will have to add the querystring on the end of that to get the filename passed when the form is posted.

 

OR since you are POSTing the form, you could add a hidden field that contains the file name and then pull it from the POST array.

 

Note: your comment just before unlink() says Rename file, but unlink() deletes the file.

 

I REPEAT:  THIS IS A DANGEROUS SCRIPT!!!!

 

Link to comment
Share on other sites

Well, I sort of rewrote the entire thing but it works. So now the code does the following:

1) Retrieves $_POST variables to determine if we are going to [update] or [remove] a file

2) If [update] then open the xml file in an html form and allow the user to edit, then re-submit

3) If [remove] then unlink file

 

Thank you for the tips. I employed a couple and am open to more.

Please set your phasers to stun not RED

 

<?php
session_start();
if ($_SESSION["login"] != "true"){
header("Location:login.php");
$_SESSION["error"] = "<font color=red>You don't have privileges to see the admin page.</font>";
exit;
}


//Including functions
include '../php_functions.php';

//Set file name we will be working with
$file2update = $_POST["file"];


if($_POST["choice"] == "Remove") {
unlink($file2update);
exit("Removed $file2update");
}


elseif($_POST["choice"] == "Update") {

//Ensure file exists
if (!is_file("$file2update")) {
die("Error, $file2update does not exist.");
}

//Open xml file we are updating and load into HTML form
$xml = simplexml_load_file("$file2update");


echo "Edit the information and click \"submit\" <br /><br />";
?>

<form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="POST">
<?php
foreach($xml->children() as $child) {
        $xmltagname = $child->getName();
        echo $xmltagname . ": " . $child . "<br />";
        echo "<input type=\"text\" size=\"60\" name=\"$xmltagname\" value=\"$child\" />";
        echo "<br /><br /><br />";
}
echo "<input type=\"submit\" name=\"Update\" value=\"submit\" />";
echo "</form>";

}
?>

<?php
//If the form has already been submitted then send data to XML file
if(isset($_POST['Update']))
{
//HTML form data will be saved as XML file
//XML file will be named after HTML address field

//Convert spaces to underscores so we have no space in our file name
$newname = spaces2Underscore($_POST["address"]);


//Write new file
$newxmlfile = "$newname.xml";

//Open file for writing
$fp = fopen($newxmlfile, "w") or die("Unable to create: $newxmlfile");

//Write date from HTML form to XML file
fputs ($fp, "<property>\n");
foreach ($_POST as $key => $value) {
        $line ="<".$key.">".$value."</".$key.">\n";
        //echo $line;
        fputs($fp, "$line");
}
fputs ($fp, "</property>");

//Close file
fclose($fp);
echo "<h1>You have successfully updated $newxmlfile</h1>";
echo "<a href=\"index.php\">Return to Admin Panel</a>";
}

?>

 

Link to comment
Share on other sites
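
The reply's two points (carry the filename in a hidden POST field, and do not delete whatever path the request names) apply equally to the rewritten script's `$_POST["file"]`. The script below combines them as an added example; it is not code from any poster in this thread. `PROPERTY_DIR`, `resolve_property_file()`, the `csrf` field and the allowed filename pattern are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not a poster's code; PROPERTY_DIR, the csrf field and the name pattern are assumed.
session_start();
const PROPERTY_DIR = __DIR__ . '/properties'; // assumed: the only directory holding deletable XML
// Map a user-supplied name to a real file directly inside PROPERTY_DIR, or null.
function resolve_property_file(string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.xml\z/', $name)) { // bare name: no "/" or ".."
        return null;
    }
    $base = realpath(PROPERTY_DIR);
    $path = realpath(PROPERTY_DIR . '/' . $name); // false when the file is missing
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // After symlink resolution the file must still sit in the base directory.
    return dirname($path) === $base ? $path : null;
}
if (($_SESSION['login'] ?? '') !== 'true') { // same session flag the thread's script checks
    http_response_code(403);
    exit('Not authorised.');
}
$_SESSION['csrf'] = $_SESSION['csrf'] ?? bin2hex(random_bytes(32));

// GET names the file for the confirmation page; the hidden POST field names it for the delete.
$isPost = $_SERVER['REQUEST_METHOD'] === 'POST';
$name = $isPost ? ($_POST['file'] ?? '') : ($_GET['propertyremove'] ?? '');
$path = is_string($name) ? resolve_property_file($name) : null;
if ($path === null) {
    http_response_code(400);
    exit('Unknown property file.');
}
$safeName = htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8');
if ($isPost) {
    $token = $_POST['csrf'] ?? '';
    if (!is_string($token) || !hash_equals($_SESSION['csrf'], $token)) {
        http_response_code(403);
        exit('Bad form token.');
    }
    unlink($path);
    exit("Removed $safeName");
}
?>
<form action="<?= htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8') ?>" method="POST">
  <input type="hidden" name="file" value="<?= $safeName ?>" />
  <input type="hidden" name="csrf" value="<?= $_SESSION['csrf'] ?>" />
  Really remove <?= $safeName ?>? <input type="submit" name="choice" value="Remove" />
</form>
```

The hidden field is still attacker-controlled input, which is why the POST branch runs the same `resolve_property_file()` check as the GET branch before calling `unlink()`.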
