Help on a php script annoying "bug"

Posted: Wed Feb 11, 2004 3:23 pm
by josh
I'm currently making a page for someone and they need to be able to update their website via a web based interface... I have the bare bones of this web based interface up and I was just wondering about 2 things first....


My update "who we are" or the main contents of index.php writes to file who.txt and index.php reads who.txt. When you request the php file for the web based updater it returns a form with a text box and a password box and a submit button. This text box for the main content automatically already contains the who.txt's contents so they can edit it rather than copy and paste and deal with html .......... when I request it, the html that has " <<< quotes in it is turned into /" or a slash and a quote. I am assuming this is php's code for a quote, but when you request index.php and look at it, it has /" instead of " all over the place. This is no big deal but every time they edit it it adds more slashes so now when I look at the source it has //////////////////////////////////" for every quote




Second of all is the form sends the request to update.php or who.php etc.... here is the source code of it:

<?php
// Set what will be written to file
$passwrd = $_REQUEST['passwrd'];
$outputstring = $_REQUEST['stringfile'];

// Only update the file when the submitted password matches
if ($passwrd == "my_password_here"){

    // Read the current contents so they can be shown after the update
    $filename = 'who.txt';
    $outputstringtwo = file_get_contents($filename);

    // Set file for opening
    $fp = fopen("who.txt", 'w');
    echo ("File main.txt has been opened<BR>");
    $fo = $fp;

    // Finally, write to file
    fwrite($fp, $outputstring);
    echo ("File main.txt has been written<BR>");

    // Close the written file
    fclose($fp);
    echo ("File who.txt has been closed<BR>");
    echo ("Done, check the file <a href=index.php>here</a><BR><BR>");
    echo ("File who.txt has been changed to:<BR>");
    echo ($outputstring);
    echo ("<P>from<P>");
    echo ($outputstringtwo);

} else {
    echo ("Incorrect pass");
}

?>

Is this part secure?
if ($passwrd == "my_password_here"){

Or can they view my php somehow because when I go to the php file normally in my browser it returns incorrect pass like I want it to.


Thanks in advance for your help. Any suggestions or anything at all?


If I could just figure out how to do

replace (" //" " with " /" " );

or something like that but I'm not sure what the command is to replace things

Posted: Wed Feb 11, 2004 3:32 pm
by DuFF
Yes that is secure. Remember that PHP is server-side, so all code is executed by the server before it goes to the client. There is no way a client can ever see the PHP code.

To get rid of the slashes do this:

// Finally, write to file
$outputstring = stripslashes($outputstring);  //I added this line
fwrite($fp, $outputstring); 
echo ("File main.txt has been written<BR>");
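
The slash build-up described in the first post and the effect of the stripslashes() call above, as an added example that is not part of the original posts. It assumes the slashes come from PHP's old magic_quotes_gpc setting, which was removed in PHP 5.4, so addslashes() stands in for it; the function names and the sample text are made up for the illustration.

```php
<?php
// Added example, not code from the thread. addslashes() imitates what the
// assumed magic_quotes_gpc setting did to each submitted form field.

// Hypothetical helper: the escaping applied to request input.
function simulate_magic_quotes(string $field): string
{
    return addslashes($field);
}

// One edit cycle: the stored text is shown in the form, submitted back
// unchanged, escaped on arrival, then written to the file.
function edit_cycle(string $stored, bool $strip): string
{
    $received = simulate_magic_quotes($stored);
    return $strip ? stripslashes($received) : $received;
}

// Length of the longest run of backslashes, i.e. how many precede a quote.
function longest_backslash_run(string $text): int
{
    preg_match_all('/\\\\+/', $text, $m);
    return $m[0] ? max(array_map('strlen', $m[0])) : 0;
}

$original = '<a href="index.php">Home</a>';   // constructed sample content

$broken = $fixed = $original;
for ($i = 1; $i <= 3; $i++) {
    $broken = edit_cycle($broken, false);   // saved as received
    $fixed  = edit_cycle($fixed, true);     // stripslashes() before saving
    printf(
        "save %d: %d backslashes per quote without stripslashes, %d with\n",
        $i,
        longest_backslash_run($broken),
        longest_backslash_run($fixed)
    );
}

// When pre-filling the edit form, escape for the HTML context so quotes or
// a stray </textarea> in the stored text cannot break out of the field.
echo '<textarea name="stringfile">',
     htmlspecialchars($fixed, ENT_QUOTES, 'UTF-8'),
     "</textarea>\n";
```

Each unstripped save doubles the existing backslashes and adds one more in front of the quote, which is why the count grows so quickly with every edit.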

thnx

Posted: Wed Feb 11, 2004 3:38 pm
by josh
Thanks a lot