Jiin Posted May 16, 2010

Hello All,

Thanks in advance! Running php5 on Linux, server side. My code is supposed to:

1) Accept a variable from a previous clicked page via the RemoveProperty.php?propertyremove=thisfile.xml
2) Open and display the file to user, ensuring they REALLY want to delete the file
3) Delete the file

Steps 1 & 2 are working, as soon as I hit step 3 I lose the contents of the variable ($_GET['propertyremove']) i.e. the file I want to remove and therefore cannot delete the file. Step 3 is activated, it just doesn't work. I think it has something to do with $_SERVER['PHP_SELF'] reloading the page losing the variable or my placement of <?php ?> tags. I am not sure, ANY help is greatly appreciated!

Problem Script:

```php
<?php
//Including functions
include '../php_functions.php';

//file to remove is located in $_GET['propertyremove']
$file2remove = $_GET['propertyremove'];

if(isset($_GET['propertyremove']) && !isset($_POST['submit'])) {
    //Ensure file exists
    if (!is_file("$file2remove")) {
        die("Error, $file2remove does not exist.");
    }
    //Open xml file we are removing and load into HTML form
    $xml = simplexml_load_file("$file2remove");
    echo "If YOU ARE YOU SURE you want to remove $file2remove then click \"remove\" <br /><br />";
?>
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="POST">
<?php
    foreach($xml->children() as $child) {
        $xmltagname = $child->getName();
        echo $xmltagname . ": " . $child . "<br />";
        echo "<input type=\"text\" size=\"60\" name=\"$xmltagname\" value=\"$child\" />";
        echo "<br /><br /><br />";
    }
    echo "<input type=\"submit\" name=\"submit\" value=\"submit\" />";
    echo "</form>";
}
//If the form has already been submitted then remove XML file
elseif(isset($_POST['submit'])) {
    //Rename file
    unlink($file2remove, $file2remove.back);
    echo "<h1>You have removed $file2remove</h1>";
}
?>
```
DavidAM Posted May 16, 2010

If this page is on the internet, and you have no other code protecting what file is being removed, it will be VERY easy to erase your entire website once this script gets fixed.

I REPEAT: THIS IS A DANGEROUS SCRIPT!!!!

The action in your form is using PHP_SELF, which does NOT include the GET variables that were passed in to the script. You will have to add the querystring on the end of that to get the filename passed when the form is posted. OR since you are POSTing the form, you could add a hidden field that contains the file name and then pull it from the POST array.

Note: your comment just before unlink() says Rename file, but unlink() deletes the file.

I REPEAT: THIS IS A DANGEROUS SCRIPT!!!!
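
The two points in the reply above, shown as an added example that is not code from the thread: a hidden field carries the file name through the POST, and a server-side check limits removal to existing .xml files directly inside one directory. The function names, the `file` field name and the temporary directory standing in for the property folder are assumptions made for this illustration.

```php
<?php
// Added example; helper names and directory layout are hypothetical.

/**
 * Map a posted name to a file in $dir, or return null unless it is an
 * existing .xml file located directly inside that directory.
 */
function resolve_property_file(string $name, string $dir): ?string
{
    // Accept only a bare file name: letters, digits, _ and -, then ".xml".
    if (!preg_match('/\A[A-Za-z0-9_-]+\.xml\z/', $name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks; the result must still sit directly in $base.
    if ($base === false || $path === false
        || dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

/** Hidden field that carries the name through the POST (PHP_SELF drops the query string). */
function hidden_file_field(string $name): string
{
    return '<input type="hidden" name="file" value="'
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed demo data: a temporary directory with one property file.
$dir = sys_get_temp_dir() . '/properties_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/12_Main_St.xml", "<property><address>12 Main St</address></property>");

echo hidden_file_field('12_Main_St.xml'), "\n";

// Constructed values standing in for $_POST['file'] on the confirmation request.
$samples = ['12_Main_St.xml', '../php_functions.php', '/var/www/index.php', 'missing.xml'];
foreach ($samples as $posted) {
    $path = resolve_property_file($posted, $dir);
    if ($path === null) {
        echo "refused: ", json_encode($posted), "\n";
        continue;
    }
    unlink($path);
    echo "removed: ", basename($path), "\n";
}
rmdir($dir);
```

Only the first sample is removed; the other three are refused before unlink() is reached.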
Jiin (Author) Posted May 16, 2010

Wow man, the RED is really bright! Thanks for the warning and the $_POST stash. I will upload working code.
Jiin (Author) Posted May 17, 2010

Well, I sort of rewrote the entire thing but it works. So now the code does the following:

1) Retrieves $_POST variables to determine if we are going to [update] or [remove] a file
2) If [update] then allow open xml file into html form and allow user to edit, then re-submit
3) If [remove] then unlink file

Thank you for the tips. I employed a couple and am open to more. Please set your phasers to stun not RED

```php
<?php
session_start();
if ($_SESSION["login"] != "true"){
    header("Location:login.php");
    $_SESSION["error"] = "<font color=red>You don't have privileges to see the admin page.</font>";
    exit;
}

//Including functions
include '../php_functions.php';

//Set file name we will be working with
$file2update = $_POST["file"];

if($_POST["choice"] == "Remove") {
    unlink($file2update);
    exit("Removed $file2update");
}
elseif($_POST["choice"] == "Update") {
    //Ensure file exists
    if (!is_file("$file2update")) {
        die("Error, $file2update does not exist.");
    }
    //Open xml file we are updating and load into HTML form
    $xml = simplexml_load_file("$file2update");
    echo "Edit the information and click \"submit\" <br /><br />";
?>
<form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="POST">
<?php
    foreach($xml->children() as $child) {
        $xmltagname = $child->getName();
        echo $xmltagname . ": " . $child . "<br />";
        echo "<input type=\"text\" size=\"60\" name=\"$xmltagname\" value=\"$child\" />";
        echo "<br /><br /><br />";
    }
    echo "<input type=\"submit\" name=\"Update\" value=\"submit\" />";
    echo "</form>";
}
?>
<?php
//If the form has already been submitted then send data to XML file
if(isset($_POST['Update'])) {
    //HTML form data will be saved as XML file
    //XML file will be named after HTML address field
    //Convert spaces to underscores so we have no space in our file name
    $newname = spaces2Underscore($_POST["address"]);
    //Write new file
    $newxmlfile = "$newname.xml";
    //Open file for writing
    $fp = fopen($newxmlfile, "w") or die("Unable to create: $newxmlfile");
    //Write data from HTML form to XML file
    fputs ($fp, "<property>\n");
    foreach ($_POST as $key => $value) {
        $line ="<".$key.">".$value."</".$key.">\n";
        //echo $line;
        fputs($fp, "$line");
    }
    fputs ($fp, "</property>");
    //Close file
    fclose($fp);
    echo "<h1>You have successfully updated $newxmlfile</h1>";
    echo "<a href=\"index.php\">Return to Admin Panel</a>";
}
?>
```