Jump to content

why is this code broken?


Go to solution Solved by Ch0cu3r,

Recommended Posts

this doesnt work and ive spent ages trying to figure it out

its the bit with else

<?php
  //CORS header
  header("Access-Control-Allow-Origin: *");


  //Capture parameter
  
  $create = $_POST['create'];
  $fuser = $_POST['fuser'];




 if (!file_exists("uploads/$fuser/$create"));
 {
 if ($f = fopen("uploads/$fuser/$create", 'w')) {
    fwrite($f, 1);
    fclose($f);
    echo 'OK';
     }


  }     
  else
{
  $f = fopen("uploads/$fuser/$create", 'w')
   fwrite($f, 5);
    fclose($f);
    echo 'FAIL' ;
}


 
?>

this bit does work below, its until i try to do else if , or else 

 

<?php
  //CORS header
  header("Access-Control-Allow-Origin: *");


  //Capture parameter
  
  $create = $_POST['create'];
  $fuser = $_POST['fuser'];




 if (!file_exists("uploads/$fuser/$create"));
 {
 if ($f = fopen("uploads/$fuser/$create", 'w')) {
    fwrite($f, 1);
    fclose($f);
    echo 'OK';
     }


  }

help :(

Edited by p5y
Link to comment
https://forums.phpfreaks.com/topic/290715-why-is-this-code-broken/
Share on other sites

While you may have satisfied the PHP parser, the code still makes absolutely no sense.

 

Do you realize that you let any visitor overwrite any file on your server as long as PHP as access to it? All they have to do is manipulate the file path through the POST parameters. They can leave the upload directory by injecting a “..” string through the fuser parameter, and then they can freely travel around on your server via the create parameter. This is a disaster.

 

Never, I repeat, never insert raw user input into critical contexts like file paths. The Internet is not your living room where everybody is your friend and plays by your rules. When you give people the chance to screw up your application or your entire server, they may very well do that, if only for the “fun” of it.

 

So please think before you write code. If you want fname and create to be simple alphernumerical strings, you need to actually validate that.

So please think before you write code. If you want fname and create to be simple alphernumerical strings, you need to actually validate that.

the fuser bit is controlled from my android app that sends the request.  What is this validation thing , or point me to some tutorial.  bear in mind ive just started learning php 3 days ago to go with my gamemaker app :)

Validation isn't specific to php, it should be applied whenever user input is accepted. You're essentially verifying the user has entered valid content as opposed to content that could harm your service.

 

Search "defensive code" or "data validation" in google, you'll get a load of stuff.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.