amsgwp Posted October 26, 2007

Ok so I can't figure out a way to fix this because of how the script was written to begin with. Has anyone ever had a variable that is used for two different things at the same time? Let me try to explain...

I have a CMS system that is super basic. You include a script on your homepage where you want some editable content, then when you have the correct cookie you click on a link on the homepage and it allows you to edit that spot on the page.

Here is where the problem lies...

On the homepage when you click on the link to edit, it sends something like edit.php?content=main_body

main_body tells the script which page you are editing... so in the edit.php I did a $_GET['content']. This then allows me to open the correct file and display it for editing.

Well, when the editing is done I need to submit the form with the changes. Well, I still need to send the same variable $content telling the script which file to be updating. Well, when you submit the form you have to do a $_POST['content'] to figure out which file to be updating (it is sent as a hidden form field).

Does anyone follow me at all?

Here is the offending code:

```php
<?
include "config.inc.php";
include "$phpWebEd_language.inc.php";
include "spaw2/spaw.inc.php";
SpawConfig::setStaticConfigValue('default_height', '420px');

// Both assignments run on every request, so the POST value always replaces the GET value.
$content = $_GET['content'];
$content = $_POST['content'];

if (!check_user()) {
    echo "$no_auth_str\r\n";
    exit;
}

if ($content == "") {
    echo "Access denied! \r\nWrong parameter count.\r\n";
    exit;
}

// $content from the request becomes part of the file name that is opened and written.
$contentfile = $phpWebEd_dir . "/contents/" . $content . ".html";
if (is_file($contentfile)) {
    $status = "$content_modified_str<br>" . date("Y-m-d H:i:s", filemtime($contentfile));
} else {
    // Create the file if it does not exist yet.
    if ($fp = @fopen($contentfile, "w"))
        fclose($fp);
    else {
        echo "Error reading/writing file! \r\nPlease check the file permissions.\r\n";
        exit;
    }
}

// $htmlsource, $edtype, $imagefile, $imagefile_name and $deleteimage are not assigned in this file.
if ($content != "" && isset($htmlsource)) {
    if ($edtype != "ax") {
        // Encode everything outside of tags as HTML entities.
        $is_tag = False;
        $tmp = "";
        for ($i = 0; $i < strlen($htmlsource); $i++) {
            if ($htmlsource[$i] == "<") $is_tag = True;
            if ($is_tag) $tmp .= $htmlsource[$i];
            else $tmp .= htmlentities($htmlsource[$i]);
            if ($htmlsource[$i] == ">") $is_tag = False;
        }
        $htmlsource = $tmp;
    }
    // Keep a backup of the previous version, then write the new content.
    copy($contentfile, $contentfile . ".bak");
    $fp = fopen($contentfile, "w");
    if ($only_trusted_tags == 1) $htmlsource = strip_tags($htmlsource, $trusted_tags);
    fwrite($fp, stripslashes($htmlsource));
    if (fclose($fp)) {
        if ($edtype == "ax") echo "OK\r\n";
        else echo "<script language=\"JavaScript\">opener.location.reload();\n window.close();</script>";
    }
    exit;
}

// Image upload.
if ($imagefile != "" && $imagefile_name != "") {
    set_time_limit(120);
    $new_imagefile = $phpWebEd_dir . "/contents/" . $imagefile_name;
    if (copy($imagefile, $new_imagefile)) echo "OK\r\n";
    exit;
}

// Image delete.
if ($deleteimage != "") {
    if (unlink($phpWebEd_dir . "/contents/" . $deleteimage)) echo "OK\r\n";
    exit;
}
?>
<html>
<head>
<? echo "<title>$content - $editor</title>";?>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script language="JavaScript">
<!--
function ok() {
<?
if ($edtype == "ax") echo "axwebed.save();\n opener.location.reload();\n window.close();";
else echo "document.editform.submit();";
?>
}
function cancel() {
<?
if ($edtype == "ax") echo "axwebed.close();\n window.close();";
else echo "window.close();";
?>
}
//-->
</script>
</head>
<body bgcolor="#DDDDDD" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<? if ($edtype == "ax") { ?>
<object classid="clsid:CCD2FBFF-41DA-4E94-9F66-847DD44A6B58" width="100%" height="100%" align="center" name="axwebed">
<p>If you can read this, <a href="http://www.m-tecs.net/axwebed/" target="_blank">axWebEd</a> is not installed on your computer or your browser doesn't support ActiveX controls.</p>
</object>
<script VBScript>
axwebed.params(<? echo "'$phpWebEd_url', '$content', '$auth'";?>);
<? if ($axWebEd_options != "") echo "axwebed.options('$axWebEd_options');";?>
axwebed.load();
</script>
<? } else { ?>
<form name="editform" method="post" action="<? echo $_SERVER['PHP_SELF']; ?>" >
<?
if (!($fp = @fopen($contentfile, "r")))
    echo "Error reading file";
else {
    $htmlsource = fread($fp, filesize($contentfile));
    fclose($fp);
    $htmlsource = new SpawEditor("htmlsource", $htmlsource);
    $htmlsource->show();
}
?>
<input type="hidden" name="content2" value="<? echo $_GET['content']; ?>">
</form>
<table width="0%" border="0">
<tr>
<td>Save: </td>
<td><a href="javascript:ok();"><img src="images/ok.gif" width="40" height="40" border="0"></a></td>
<td>Cancel: </td>
<td><a href="javascript:cancel();"><img src="images/cancel.gif" width="40" height="40" border="0"></a></td>
</tr>
</table>
<? } ?>
</td>
</tr>
<tr>
<td valign="bottom" bgcolor="#666666"><font size="1" face="Arial, Helvetica, sans-serif" color="#DDDDDD"><? echo $status;?></font></td>
</tr>
</table>
</body>
</html>
```
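One way to handle a key that arrives by GET on the edit link and by POST on the form submit, as an added example that is not part of the original post or of phpWebEd: take it from whichever method carried it, and accept only a plain name before it is joined into a file path or echoed into the hidden field. The helpers `resolve_content_key()` and `content_path()`, the base directory, the sample requests, and the choice to name the hidden field `content` (so the submit carries the same key the script reads) are all assumptions for illustration.

```php
<?php
// Added example; resolve_content_key() and content_path() are hypothetical helpers.

/**
 * Pick the page key from whichever request method carried it.
 * The POST (form submit) value wins; otherwise use the GET (edit link) value.
 * Returns null when the key is missing or is not a plain name.
 */
function resolve_content_key(array $get, array $post): ?string
{
    $raw = $post['content'] ?? $get['content'] ?? null;
    if (!is_string($raw)) {
        return null;            // missing, or an array such as content[]=x
    }
    // Allow only names like "main_body": no dots, slashes or NUL bytes,
    // so the key cannot point outside the contents/ directory.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw)) {
        return null;
    }
    return $raw;
}

function content_path(string $baseDir, string $key): string
{
    return rtrim($baseDir, '/') . '/contents/' . $key . '.html';
}

// Constructed sample requests standing in for $_GET and $_POST.
$samples = [
    'edit link'   => [['content' => 'main_body'], []],
    'form submit' => [[], ['content' => 'main_body', 'htmlsource' => '<p>hi</p>']],
    'traversal'   => [['content' => '../../config.inc'], []],
    'missing'     => [[], []],
];

foreach ($samples as $label => [$get, $post]) {
    $key = resolve_content_key($get, $post);
    if ($key === null) {
        echo "$label: rejected\n";
        continue;
    }
    // Escape before echoing into the hidden field that carries the key on submit.
    $field = '<input type="hidden" name="content" value="'
           . htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . '">';
    // '/var/www/phpWebEd' is a constructed base directory.
    echo "$label: " . content_path('/var/www/phpWebEd', $key) . "\n  $field\n";
}
```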