why does this simple counter fail?
Ryan Coleman
editor at d3photography.com
Wed Mar 23 17:18:02 UTC 2011
On Mar 23, 2011, at 12:14 PM, Paul Macdonald wrote:
> On 23/03/2011 16:45, Gary Kline wrote:
>> Guys,
>>
>> Can any of you php hackers tell me why this simple self-hacked
>> counter bomb?
>>
>> appended.
>>
>> tia.
> $file doesn't look to be set anywhere
>
> if it's a web script (as opposed to cmd line cli) then it's probably passed as a POST or GET variable.
>
> register_globals needs to be on for this variable to be auto set,
>
> if the form is submitted via POST, change script to:
>
> $directory="./countdir/";
> $file=$_POST['file'];
> ....
>
> if the form is submitted via GET (you'd see the file=variable in the address bar), change script to:
>
> $directory="./countdir/";
> $file=$_GET['file'];
> ....
>
> Of course you want to sanitise this $file variable so that it can't be hacked.
Additionally you could do:
$file = $_SERVER['PHP_SELF'];
Which will tie the filename to the actual PHP file.
But you might want to do something like...
$file = urlencode($_SERVER['REQUEST_URI']).".txt";
to make it the full url, safe vars for file names and add .txt to make it readable in other things not FreeBSD.
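
The sanitising step mentioned in the quoted reply, as an added example that is not part of the original thread: it allow-lists the counter name before building a path under the counter directory, then increments under a lock. The helper names counter_path() and bump_counter(), the 64-character limit and the temp-directory location are assumptions made for this illustration.

```php
<?php
// Added example; counter_path() and bump_counter() are hypothetical helpers.

// Map an untrusted name to a file inside $directory, or null if rejected.
function counter_path(string $directory, $name): ?string
{
    // Request parameters can arrive as arrays (file[]=x), so check the type.
    // Allow-list of letters, digits, '_' and '-': no '/', '\', '.' or NUL.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($directory);          // resolved counter directory
    if ($base === false || !is_dir($base)) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $name . '.txt';
}

// Increment the counter under an exclusive lock; null on I/O failure.
function bump_counter(string $path): ?int
{
    $fh = fopen($path, 'c+');              // read/write, create, no truncate
    if ($fh === false) {
        return null;
    }
    if (!flock($fh, LOCK_EX)) {
        fclose($fh);
        return null;
    }
    $count = (int) stream_get_contents($fh) + 1;
    rewind($fh);
    ftruncate($fh, 0);
    fwrite($fh, (string) $count);
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $count;
}

// Constructed inputs standing in for $_GET['file'] / $_POST['file'].
$dir = sys_get_temp_dir() . '/countdir';
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
foreach (['index', 'news-2011', '../../etc/passwd', "a\0b", ['x']] as $name) {
    $path  = counter_path($dir, $name);
    $label = is_string($name) ? addcslashes($name, "\0..\37") : gettype($name);
    echo $label, ' => ', $path === null ? 'rejected' : bump_counter($path), "\n";
}
```

In a web script the name would come from $_GET['file'] or $_POST['file'] as in the thread, and a null return from counter_path() should end the request without touching the filesystem.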