p5y Posted August 28, 2014 (edited)

this doesn't work and I've spent ages trying to figure it out; it's the bit with else

    <?php
    //CORS header
    header("Access-Control-Allow-Origin: *");
    //Capture parameter
    $create = $_POST['create'];
    $fuser = $_POST['fuser'];
    if (!file_exists("uploads/$fuser/$create"));
    {
        if ($f = fopen("uploads/$fuser/$create", 'w')) {
            fwrite($f, 1);
            fclose($f);
            echo 'OK';
        }
    }
    else {
        $f = fopen("uploads/$fuser/$create", 'w');
        fwrite($f, 5);
        fclose($f);
        echo 'FAIL';
    }
    ?>

this bit does work below, it's until I try to do else if, or else

    <?php
    //CORS header
    header("Access-Control-Allow-Origin: *");
    //Capture parameter
    $create = $_POST['create'];
    $fuser = $_POST['fuser'];
    if (!file_exists("uploads/$fuser/$create"));
    {
        if ($f = fopen("uploads/$fuser/$create", 'w')) {
            fwrite($f, 1);
            fclose($f);
            echo 'OK';
        }
    }

help

Edited August 28, 2014 by p5y
Link to comment: https://forums.phpfreaks.com/topic/290715-why-is-this-code-broken/
Ch0cu3r Posted August 28, 2014 (Solution)

Try removing the semi-colon on this line:

    if (!file_exists("uploads/$fuser/$create"));
p5y Posted August 28, 2014 (Author)

thanks
Jacques1 Posted August 28, 2014

While you may have satisfied the PHP parser, the code still makes absolutely no sense. Do you realize that you let any visitor overwrite any file on your server as long as PHP has access to it? All they have to do is manipulate the file path through the POST parameters. They can leave the upload directory by injecting a “..” string through the fuser parameter, and then they can freely travel around on your server via the create parameter. This is a disaster.

Never, I repeat, never insert raw user input into critical contexts like file paths. The Internet is not your living room where everybody is your friend and plays by your rules. When you give people the chance to screw up your application or your entire server, they may very well do that, if only for the “fun” of it.

So please think before you write code. If you want fname and create to be simple alphanumerical strings, you need to actually validate that.
p5y Posted August 29, 2014 (Author)

> So please think before you write code. If you want fname and create to be simple alphanumerical strings, you need to actually validate that.

the fuser bit is controlled from my Android app that sends the request. What is this validation thing, or point me to some tutorial. Bear in mind I've just started learning PHP 3 days ago to go with my GameMaker app
cpd Posted August 29, 2014

Validation isn't specific to PHP; it should be applied whenever user input is accepted. You're essentially verifying the user has entered valid content as opposed to content that could harm your service. Search "defensive code" or "data validation" in Google, you'll get a load of stuff.
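Jacques1's and cpd's points above, as an added example that is not code from the thread: the same OK/FAIL script, but with both POST parameters whitelisted before they are used to build a path, plus a realpath check so nothing outside the upload directory can ever be written. The $fuser/$create parameters and the uploads/ directory are the thread's; safe_upload_path() and UPLOAD_BASE are names assumed here.

```php
<?php
// Added example (not from the thread): validate $fuser and $create before
// they ever reach a file path. safe_upload_path() and UPLOAD_BASE are
// hypothetical names chosen for this illustration.
declare(strict_types=1);

const UPLOAD_BASE = __DIR__ . '/uploads';

/**
 * Return an absolute path inside UPLOAD_BASE for $fuser/$create,
 * or null if either value is not a plain alphanumeric name.
 */
function safe_upload_path(string $fuser, string $create): ?string
{
    // Whitelist: letters, digits, underscore and hyphen only, 1-64 chars.
    // This rejects "..", "/", "\\", NUL bytes and anything else that
    // could change which directory the path refers to.
    $pattern = '/\A[A-Za-z0-9_-]{1,64}\z/';
    if (!preg_match($pattern, $fuser) || !preg_match($pattern, $create)) {
        return null;
    }
    $dir = UPLOAD_BASE . '/' . $fuser;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    // Defence in depth: resolve symlinks and confirm the directory is
    // still below the upload base before writing anything into it.
    $realDir  = realpath($dir);
    $realBase = realpath(UPLOAD_BASE);
    if ($realDir === false || $realBase === false
        || strpos($realDir, $realBase . '/') !== 0) {
        return null;
    }
    return $realDir . '/' . $create;
}

header("Access-Control-Allow-Origin: *");

$fuser  = (string)($_POST['fuser'] ?? '');
$create = (string)($_POST['create'] ?? '');

$path = safe_upload_path($fuser, $create);
if ($path === null) {
    http_response_code(400);   // reject instead of guessing a path
    echo 'INVALID';
    exit;
}
// Same OK/FAIL behaviour as the original script, but only on a vetted path.
$exists = file_exists($path);
file_put_contents($path, $exists ? '5' : '1');
echo $exists ? 'FAIL' : 'OK';
```

A request with fuser=../etc now gets a 400 and touches nothing, because the regex fails before any filesystem call is made.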