p5y Posted August 28, 2014

This doesn't work and I've spent ages trying to figure it out. It's the bit with else:

```php
<?php
//CORS header
header("Access-Control-Allow-Origin: *");
//Capture parameter
$create = $_POST['create'];
$fuser = $_POST['fuser'];
if (!file_exists("uploads/$fuser/$create"));
{
    if ($f = fopen("uploads/$fuser/$create", 'w')) {
        fwrite($f, 1);
        fclose($f);
        echo 'OK';
    }
}
else {
    $f = fopen("uploads/$fuser/$create", 'w')
    fwrite($f, 5);
    fclose($f);
    echo 'FAIL' ;
}
?>
```

This bit below does work; it's only when I try to do else if, or else, that it breaks:

```php
<?php
//CORS header
header("Access-Control-Allow-Origin: *");
//Capture parameter
$create = $_POST['create'];
$fuser = $_POST['fuser'];
if (!file_exists("uploads/$fuser/$create"));
{
    if ($f = fopen("uploads/$fuser/$create", 'w')) {
        fwrite($f, 1);
        fclose($f);
        echo 'OK';
    }
}
```

help

https://forums.phpfreaks.com/topic/290715-why-is-this-code-broken/
Ch0cu3r Posted August 28, 2014

Try removing the semi-colon on this line:

`if (!file_exists("uploads/$fuser/$create"));`
p5y Posted August 28, 2014 (Author)

thanks
Jacques1 Posted August 28, 2014

While you may have satisfied the PHP parser, the code still makes absolutely no sense. Do you realize that you let any visitor overwrite any file on your server as long as PHP has access to it? All they have to do is manipulate the file path through the POST parameters. They can leave the upload directory by injecting a “..” string through the fuser parameter, and then they can freely travel around on your server via the create parameter. This is a disaster.

Never, I repeat, never insert raw user input into critical contexts like file paths. The Internet is not your living room where everybody is your friend and plays by your rules. When you give people the chance to screw up your application or your entire server, they may very well do that, if only for the “fun” of it.

So please think before you write code. If you want fname and create to be simple alphanumeric strings, you need to actually validate that.
p5y Posted August 29, 2014 (Author)

> So please think before you write code. If you want fname and create to be simple alphanumeric strings, you need to actually validate that.

The fuser bit is controlled from my Android app that sends the request. What is this validation thing? Or point me to some tutorial. Bear in mind I've just started learning PHP 3 days ago to go with my GameMaker app.
cpd Posted August 29, 2014

Validation isn't specific to PHP; it should be applied whenever user input is accepted. You're essentially verifying the user has entered valid content as opposed to content that could harm your service. Search "defensive code" or "data validation" on Google and you'll get a load of stuff.
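To make the advice from Jacques1 and cpd concrete, here is a hardened version of the original script. This is an added example written for this page, not code posted by anyone in the thread. It keeps the original's `fuser`/`create` POST parameters and its "write 1 on first creation, write 5 and report FAIL on overwrite" behaviour; the function name `resolve_upload_path`, the `UPLOAD_BASE` constant, the `[A-Za-z0-9_-]{1,64}` whitelist and the assumption that each user's directory under `uploads/` is created out of band are all choices made for the example.

```php
<?php
// Added example, not the original poster's code. Hardens the script from the
// thread: user input is whitelisted before it touches a file path, and the
// resolved path is checked to still be inside the upload directory.

header("Access-Control-Allow-Origin: *");

// Assumption: uploads/ sits next to this script and per-user subdirectories
// are created by some other trusted process (registration, admin, ...).
const UPLOAD_BASE = __DIR__ . '/uploads';

/**
 * Build the absolute path for uploads/<fuser>/<create>.
 * Returns null if either parameter fails validation, the user directory
 * does not exist, or the resolved directory is not inside UPLOAD_BASE.
 */
function resolve_upload_path(string $fuser, string $create): ?string
{
    // 1. Whitelist validation (the "simple alphanumeric strings" Jacques1
    //    asked for). Anything containing "..", "/", "\\", NUL or other
    //    characters is rejected outright, so a payload such as
    //    fuser = "../../etc", create = "passwd" never reaches the filesystem.
    $pattern = '/^[A-Za-z0-9_-]{1,64}$/';
    if (!preg_match($pattern, $fuser) || !preg_match($pattern, $create)) {
        return null;
    }

    // 2. Only known users: their directory must already exist.
    $base    = realpath(UPLOAD_BASE);
    $userDir = realpath(UPLOAD_BASE . '/' . $fuser);
    if ($base === false || $userDir === false || !is_dir($userDir)) {
        return null;
    }

    // 3. Defence in depth: even after the whitelist, confirm the resolved
    //    directory still lives below the base (covers symlinks left inside
    //    uploads/ that point elsewhere).
    if (strpos($userDir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $userDir . DIRECTORY_SEPARATOR . $create;
}

// Read parameters defensively; a missing key is treated as an empty,
// and therefore invalid, value instead of triggering a notice.
$fuser  = $_POST['fuser']  ?? '';
$create = $_POST['create'] ?? '';

$path = resolve_upload_path($fuser, $create);
if ($path === null) {
    http_response_code(400);
    echo 'BAD REQUEST';
    exit;
}

// Same outcome the original script was trying to express with its if/else:
// a fresh file gets "1" and OK, an existing file gets "5" and FAIL.
$existed = file_exists($path);
$f = fopen($path, 'w');
if ($f === false) {
    http_response_code(500);
    echo 'FAIL';
    exit;
}
fwrite($f, $existed ? '5' : '1');
fclose($f);
echo $existed ? 'FAIL' : 'OK';
```

The whitelist in step 1 is what actually closes the traversal hole; steps 2 and 3 are there so that a later change to the pattern, or a stray symlink under `uploads/`, does not silently reopen it. Note that the `Access-Control-Allow-Origin: *` header from the original is kept only because the Android client needs it; it is not a security control, since any HTTP client can POST to the script regardless of CORS.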