Problem with a basic form
tchaunt
I have put together the code below to allow visitors to my site to submit their own articles for me to review. Sadly, the code refuses to create the new file. Can anyone please tell me what I'm doing wrong?

http://pastebin.com/f4046c426

I appreciate any help that you provide.
AftershockVibe
Have you ensured that you have enabled group write privileges for the folder you are creating the file in?
(i.e. chmod permissions to 766 via FTP or DirectAdmin)
Fire Boar
Be careful about allowing users to create files on your web server. A database-based solution tends to be far more robust overall.
rickylau
Fire Boar wrote:
Be careful about allowing users to create files on your web server. A database-based solution tends to be far more robust overall.
Yeah, that's right. Glad that no file has been written on your server, since I've found a vulnerability in the source code: visitors may post an "article" which is executable as PHP.

- Firstly, the visitor-submitted articles are saved under the file name <A formatted date>.php
- The "<" and ">" in the content will be filtered (content only)

It seems that it is impossible for visitors to inject any code inside their content. However, the other fields do not have the same process, therefore visitors are still able to inject scripts into their article, and the code can be executed since it is a PHP file. As Fire Boar said, storing data in a database AND A CAREFUL PROCEDURE will be more secure.
Marcuzzo
rickylau wrote:
Fire Boar wrote:
Be careful about allowing users to create files on your web server. A database-based solution tends to be far more robust overall.
Yeah, that's right. Glad that no file has been written on your server, since I've found a vulnerability in the source code: visitors may post an "article" which is executable as PHP.

- Firstly, the visitor-submitted articles are saved under the file name <A formatted date>.php
- The "<" and ">" in the content will be filtered (content only)

It seems that it is impossible for visitors to inject any code inside their content. However, the other fields do not have the same process, therefore visitors are still able to inject scripts into their article, and the code can be executed since it is a PHP file. As Fire Boar said, storing data in a database AND A CAREFUL PROCEDURE will be more secure.


As rickylau mentioned,
I would replace the < and the > for all fields, because users could inject PHP code instead of a name, email or even title.
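The problem rickylau and Marcuzzo describe, as an added example that is not the original pastebin code (which is not reproduced on this page): a reconstruction of the described pattern next to a hardened version. It assumes the form has the fields name, email, title and content, and that the directories passed in already exist and are writable by the web server (AftershockVibe's permissions point).

```php
<?php
// Added example, not the original pastebin code. The first function is a
// reconstruction of the pattern the thread describes; the second is hardened.
// Assumed form fields: name, email, title, content. Directory paths are assumed.
// VULNERABLE PATTERN: a date-named .php file under the web root, with "<" and
// ">" stripped from "content" only. name/email/title are written verbatim, so a
// submitter controls PHP source that the web server will execute on request.
function save_article_vulnerable(array $post, string $webroot): string
{
    $content = str_replace(['<', '>'], '', $post['content']);
    $file = $webroot . '/articles/' . date('Y-m-d_His') . '.php';
    $body = "Name: {$post['name']}\nEmail: {$post['email']}\n"
          . "Title: {$post['title']}\n\n{$content}\n";
    file_put_contents($file, $body);
    return $file;
}

// HARDENED VERSION:
//  1. the file is never executable: .txt extension, stored outside the document root
//  2. every field is length-capped and stored as plain text (JSON), never as PHP
//     or HTML; escaping happens at output time for ALL fields, not just content
//  3. the file name is random, so a submitter cannot predict or overwrite it
function save_article_safe(array $post, string $storeDir): string
{
    $limits = ['name' => 100, 'email' => 254, 'title' => 200, 'content' => 20000];
    $clean = [];
    foreach ($limits as $key => $max) {
        $value = isset($post[$key]) ? (string) $post[$key] : '';
        $clean[$key] = substr(trim($value), 0, $max);
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    $file = $storeDir . '/' . bin2hex(random_bytes(16)) . '.txt';
    file_put_contents($file, json_encode($clean, JSON_THROW_ON_ERROR), LOCK_EX);
    return $file;
}

// Output for review: escape EVERY field when rendering it as HTML.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_article(string $file): string
{
    $a = json_decode(file_get_contents($file), true, 512, JSON_THROW_ON_ERROR);
    return '<h2>' . esc($a['title']) . '</h2>'
         . '<p>' . esc($a['name']) . ' (' . esc($a['email']) . ')</p>'
         . '<pre>' . esc($a['content']) . '</pre>';
}
```

Moving the data into a database, as Fire Boar suggests, replaces the file write but not the output escaping: every field still has to be escaped when it is rendered.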
© 2005-2011 Frihost, forums powered by phpBB.