[Coco] OT -- PHP code help needed.
Dave Kelly
daveekelly at earthlink.net
Mon Sep 18 00:40:36 EDT 2006
William Astle wrote:
> As has already been stated, PHP is case sensitive. In fact, unless you
> know specifically elsewise, you should always assume case sensitivity;
> then you don't run into this type of issue. And all the "superglobals"
> in PHP are upper case ($_GET, $_POST, etc)
>
>
I knew that! About the case sensitivity. I am clueless how that got
past me. In the other modules everything that should be UC is UC.
>
> That said, the above code is absolutely stupid from the security
> perspective. I hope that was just a pared down example for the sake of
> asking the question since it would allow me to do something like:
>
> file.php?var2=/etc/passwd
>
> for example. Or include any other file accessible by PHP.
>
> Of course, if you're doing this in a totally trustworthy environment,
> you might get away with it.
>
>
When all is working as it should, I will put this behind a user name,
password protected directory on the server. The only people with
access to this will be members of the fly fishing club.
As soon as I got $_get changed to $_GET, that part worked as it should.
Next problem.
This line:
<form action="form.php?var3=$_GET["var1"]" method="GET">
calls:
form.php
<?php
if($_GET["op"] == "ds") {
    foreach ($_GET["name"] as $key=>$value) {
        $fp=fopen("$_GET["var3"]","a");
        fwrite($fp,$_GET["name"][$key] ." ".
            $_GET["email"][$key] ." ". $_GET["phone"][$key]
            ." ". $_GET["id"][$key]);
        fclose($fp);
    }
}
?>
and produces this error.
Parse error: parse error, unexpected '\"', expecting T_STRING or
T_VARIABLE or T_NUM_STRING in
/var/www/vhosts/texasflyfishers.org/httpdocs/form.php on line 4
I didn't cross my t's or dot my i. ??
--
The trouble with trouble is it starts out as fun.
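
An added example (not part of the original post or thread): a version of the form.php handler that parses cleanly and confines the file name to an allowlist, which addresses the point William Astle raises about paths taken from the request. The ROSTER_FILES names, the helper function names and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. ROSTER_FILES and helper names are assumed.
const ROSTER_FILES = ['members.txt', 'officers.txt']; // hypothetical allowlist

function resolve_roster($requested, string $baseDir): ?string
{
    // Exact allowlisted name only: no directories, no "..", no arrays.
    if (!is_string($requested) || !in_array($requested, ROSTER_FILES, true)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . $requested;
}

function clean_field($value): string
{
    // One record per line: control characters (CR, LF, NUL) become a space.
    $text = is_scalar($value) ? (string) $value : '';
    return trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text));
}

function append_records(array $get, string $baseDir): int
{
    if (($get['op'] ?? '') !== 'ds' || !is_array($get['name'] ?? null)) {
        return 0;
    }
    $path = resolve_roster($get['var3'] ?? null, $baseDir);
    if ($path === null) {
        return 0; // file name not on the allowlist: write nothing
    }
    // Pass the value directly. Inside a double-quoted string the valid forms
    // are "{$_GET['var3']}" or "$_GET[var3]"; "$_GET["var3"]" is a parse error.
    $fp = fopen($path, 'a');
    if ($fp === false) {
        return 0;
    }
    $written = 0;
    foreach ($get['name'] as $key => $name) {
        $row = [$name, $get['email'][$key] ?? '', $get['phone'][$key] ?? '', $get['id'][$key] ?? ''];
        fwrite($fp, implode(' ', array_map('clean_field', $row)) . "\n");
        $written++;
    }
    fclose($fp);
    return $written;
}

// Constructed sample requests: one allowlisted name, one path from the quoted reply.
$ok  = ['op' => 'ds', 'var3' => 'members.txt', 'name' => ['Ann'],
        'email' => ['ann@example.org'], 'phone' => ['555-0100'], 'id' => ['7']];
$bad = ['var3' => '/etc/passwd'] + $ok;
var_dump(append_records($ok, sys_get_temp_dir()), append_records($bad, sys_get_temp_dir()));
```

If the form stays `method="GET"`, carry var3 in a hidden input rather than in the `action` URL, because browsers replace the action's query string with the form fields on submission.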